I was recently asked to help test a new utility called FileVault Setup for setting up and enforcing FileVault 2 encryption. It’s designed to be a user-friendly interface for Apple’s fdesetup tool on OS X 10.8.x which supports turning on FileVault 2 encryption and enabling a single user account.
One nice thing about this tool from my perspective is that it’s designed to be independent of any server-based resources. To the best of my knowledge, this is the first tool I’ve seen that allows FileVault encryption to be enforced on a machine entirely from the machine’s own resources. See below the jump for the details.
Building
You can build the latest version of the application using the Xcode project files available from the GitHub repository. There's also an already-built application available for download from the GitHub repo.
Installation
This application can be installed anywhere on the Mac, though the GitHub project page recommends either /Applications or /Applications/Utilities. For the purposes of my testing, I put it into /Applications.
If you want to hide the application from your users, I’d recommend putting it into a location like /var/root.
Operation
The application was designed to be run by a Mac OS X loginhook. This allows it to be launched when a user logs in and also runs the application with root privileges. Running this application with root privileges is important because fdesetup requires root privileges to run.
Since this is a process that’s more easily shown than explained, I’ve made a video showing the process from the user’s perspective.
Note: The video has been edited to artificially reduce the amount of time it took to encrypt. Run time of the pre-edited video was 9 minutes.
Management
The application has four command line switches that can be used to tell it how to run:
-FVSDoNotAskForSetup YES / NO – Suppresses prompting the user to enable FileVault 2 encryption. The default is NO.
-FVSForceSetup YES / NO – Forces FileVault 2 encryption to be set up. The default is NO.
-FVSUseKeychain YES / NO – Sets the FileVault 2 encryption to use /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key. The default is YES.
-FVSCreateRecoveryKey YES / NO – Sets the FileVault 2 encryption to generate and use an alphanumeric individual recovery key. The default is YES.
FileVault Setup can also be managed by MCX or by the defaults command. FileVault Setup accepts four defaults:
FVSDoNotAskForSetup: Suppresses prompting the user to enable FileVault 2 encryption, default is NO / FALSE
FVSForceSetup: Forces FileVault 2 encryption to be set up, default is NO / FALSE
FVSUseKeychain: Sets the FileVault 2 encryption to use /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key, default is YES / TRUE
FVSCreateRecoveryKey: Sets the FileVault 2 encryption to generate and use an alphanumeric individual recovery key, default is YES / TRUE
The settings are stored in the following domain: ca.sfu.its.filevaultsetup
Running FileVault Setup without any command line switches or other management means it runs with the following configuration:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSDoNotAskForSetup NO -FVSForceSetup NO -FVSUseKeychain YES -FVSCreateRecoveryKey YES
In this case, FileVault 2 encryption setup is not forced. For the recovery keys, FileVault Setup will have fdesetup both generate an alphanumeric individual recovery key and set /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key.
Recovery Keys
As mentioned above, in its default configuration FileVault Setup will try to set up two recovery keys by using a properly configured /Library/Keychains/FileVaultMaster.keychain as the institutional recovery key and also generate an alphanumeric individual recovery key.
To make sure that the individual recovery key is recorded for later reference, FileVault Setup will generate a plist file containing the individual recovery key and store it in the following location:
/private/var/root/fdesetup_output.plist
The plist itself will look similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnabledDate</key>
	<string>2013-04-29 22:17:00 -0400</string>
	<key>HardwareUUID</key>
	<string>00000000-0000-1000-8000-000C29CEF923</string>
	<key>HasMasterKeychain</key>
	<true/>
	<key>LVGUUID</key>
	<string>9807169C-24E6-4DDC-975A-71D078D73390</string>
	<key>LVUUID</key>
	<string>2BF1F4CA-5E97-4A6B-820A-A87F1DEA5B1D</string>
	<key>PVUUID</key>
	<string>0B0DE25B-8D24-4E31-B1B0-0831455C3A65</string>
	<key>RecoveryKey</key>
	<string>QFDA-9W5V-K2W3-93MR-Y7T8-DPZ5</string>
	<key>SerialNumber</key>
	<string>VMWVk2F+NYrG/tkLIignnJaiw</string>
</dict>
</plist>
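Because the individual recovery key only exists in that root-owned plist, the next thing a practitioner wants is to read it out and get it into escrow. The following is an added example, not part of FileVault Setup or the post: it parses a copy of the plist shown above with Python's plistlib, checks that the RecoveryKey has the shape fdesetup produces, and builds the record worth storing. The field names come from the plist; the escrow record layout and the masking helper are this example's own assumptions.

```python
import plistlib
import re
from datetime import datetime

# Sample /private/var/root/fdesetup_output.plist, copied from the post's example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>EnabledDate</key><string>2013-04-29 22:17:00 -0400</string>
  <key>HardwareUUID</key><string>00000000-0000-1000-8000-000C29CEF923</string>
  <key>HasMasterKeychain</key><true/>
  <key>RecoveryKey</key><string>QFDA-9W5V-K2W3-93MR-Y7T8-DPZ5</string>
  <key>SerialNumber</key><string>VMWVk2F+NYrG/tkLIignnJaiw</string>
</dict>
</plist>
"""

# fdesetup individual recovery keys: six hyphen-separated groups of four A-Z/0-9.
KEY_PATTERN = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")

def load_fdesetup_output(data):
    """Parse the XML plist bytes that FileVault Setup writes."""
    return plistlib.loads(data)

def is_valid_recovery_key(key):
    return bool(KEY_PATTERN.match(key or ""))

def mask_recovery_key(key):
    """Keep only the last group so a log line can identify a key without leaking it."""
    groups = key.split("-")
    return "-".join(["****"] * (len(groups) - 1) + groups[-1:])

def build_escrow_record(info):
    """Pick out the fields worth escrowing; refuse a missing or malformed key."""
    key = info.get("RecoveryKey")
    if not is_valid_recovery_key(key):
        raise ValueError("RecoveryKey missing or malformed")
    return {
        "serial_number": info["SerialNumber"],
        "hardware_uuid": info["HardwareUUID"],
        "recovery_key": key,
        "has_master_keychain": bool(info.get("HasMasterKeychain", False)),
        "enabled_at": datetime.strptime(info["EnabledDate"], "%Y-%m-%d %H:%M:%S %z"),
    }

if __name__ == "__main__":
    record = build_escrow_record(load_fdesetup_output(SAMPLE_PLIST))
    print(record["serial_number"], mask_recovery_key(record["recovery_key"]))
```

On a real Mac, replace SAMPLE_PLIST with the bytes of /private/var/root/fdesetup_output.plist and ship the record to wherever your recovery keys are escrowed; log only the masked form.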
If you want to use only the institutional recovery key, you would need to ensure that there is a properly configured FileVaultMaster.keychain stored in /Library/Keychains, then use FVSUseKeychain YES and FVSCreateRecoveryKey NO:
Example command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSUseKeychain YES -FVSCreateRecoveryKey NO
If you want to use only the individual recovery key, you would need to ensure that there is not a FileVaultMaster.keychain stored in /Library/Keychains, then use FVSUseKeychain NO and FVSCreateRecoveryKey YES.
Example command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSUseKeychain NO -FVSCreateRecoveryKey YES
Testing FileVault Setup
My testing was focused on forcing FileVault 2 encryption and using the command-line switches to tell FileVault Setup what to do. As part of that, I set up the following loginhook:
#!/bin/sh

FVSETUP=/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup
DISKUTIL="/usr/sbin/diskutil"
LOGGER="/usr/bin/logger"

# check_encryption_state taken
# from the Cauliflower Vest wiki's
# loginhook script:
# http://code.google.com/p/cauliflowervest/wiki/LoginHook

check_encryption_state() {
    ${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Pending'
    if [[ ${?} -eq 0 ]]; then
        ${LOGGER} "Disk encryption pending, skipping."
        exit 0
    fi
    ${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Complete'
    if [[ ${?} -eq 0 ]]; then
        ${LOGGER} "Disk encryption complete, skipping."
        exit 0
    fi
    ${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Converting'
    if [[ ${?} -eq 0 ]]; then
        ${LOGGER} "Disk encrypting or decrypting, skipping."
        exit 0
    fi
}

# If the FileVault Setup binary is present,
# proceed with encryption. If not, exit the
# script.

if [[ ! -f "$FVSETUP" ]]; then
    ${LOGGER} "FileVault Setup not installed on Mac in specified location"
    exit 0
fi

if [[ -f "$FVSETUP" ]]; then
    ${LOGGER} "FileVault Setup present on Mac"

    # Check to see if the Mac is encrypted
    # or already encrypting. The application
    # also checks for this, but I added this
    # to help speed up the loginhook script's
    # end if needed
    check_encryption_state

    # Replace YOUR_LOCAL_ADMIN_ACCOUNT with
    # an account that you want to be able
    # to login to the Mac without triggering
    # the encryption to run.
    if [[ $1 == "root" || $1 == "YOUR_LOCAL_ADMIN_ACCOUNT" ]]; then
        ${LOGGER} "Exiting encryption setup for user account: $1"
        exit 0
    else
        # If the Mac isn't encrypted, run FileVault Setup
        "${FVSETUP}" -FVSForceSetup YES -FVSOptionsHere
        ${LOGGER} "Enabling encryption on this Mac."
    fi
else
    exit 0
fi
While I used this login hook for my testing, I also tried a much simpler loginscript:
#!/bin/sh
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES
I was able to replicate my earlier encryption results, but the pause at the loginwindow (for the loginhook script to run) was a few seconds longer.
From my testing, here are the commands that worked, along with the ones that generate errors. The errors come from fdesetup or CoreStorage and are the result of FileVault Setup being asked to initialize an unsupported FileVault 2 configuration:
Successful FileVault 2 enablement
With no recovery keychain in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and generated an individual recovery key as the Mac’s only recovery key with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain NO -FVSCreateRecoveryKey YES
With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and set the FileVaultMaster.keychain as the Mac’s only recovery key with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain YES -FVSCreateRecoveryKey NO
With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and set both the FileVaultMaster.keychain and an individual recovery key with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES
With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup forced FileVault 2 enablement and set the FileVaultMaster.keychain as the Mac’s only recovery key with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSCreateRecoveryKey NO
Unsuccessful FileVault 2 enablement
With FileVaultMaster.keychain stored in /Library/Keychains, FileVault Setup gave a fdesetup error 18 with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain NO
With no recovery keychain on the Mac, FileVault Setup gave a fdesetup error 19 with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain YES -FVSCreateRecoveryKey NO
With no recovery keychain on the Mac, FileVault Setup gave a fdesetup error 19 with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSCreateRecoveryKey YES
With no recovery keychain on the Mac, FileVault Setup gave a fdesetup error 19 with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES
With no recovery keychain on the Mac, FileVault Setup gave an error 15 with the following command:
/path/to/FileVault\ Setup.app/Contents/MacOS/FileVault\ Setup -FVSForceSetup YES -FVSUseKeychain NO -FVSCreateRecoveryKey NO
This last error is because FileVault Setup was being asked to set up FileVault 2 encryption without a recovery key. This does not work; you must have a recovery key when encrypting a Mac with FileVault 2.
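The successful and failing combinations above reduce to three rules: at least one recovery key must be requested, FVSUseKeychain YES needs FileVaultMaster.keychain to be present, and FVSUseKeychain NO fails when that keychain is present. As an added example (not code from FileVault Setup or the post), this Python pre-flight resolves a command line against the documented defaults and reports which of the post's observed outcomes to expect before the loginhook ever runs; the error-number notes are the post's observations, not documented fdesetup semantics, and the function names are this example's own.

```python
import os
import shlex

MASTER_KEYCHAIN = "/Library/Keychains/FileVaultMaster.keychain"
# Defaults as listed in the post; True means YES.
DEFAULTS = {
    "FVSDoNotAskForSetup": False,
    "FVSForceSetup": False,
    "FVSUseKeychain": True,
    "FVSCreateRecoveryKey": True,
}

def parse_switches(cmdline):
    """Resolve '-FVSName YES|NO' pairs from a command line against the defaults."""
    opts = dict(DEFAULTS)
    tokens = shlex.split(cmdline)   # handles the escaped spaces in the app path
    i = 0
    while i < len(tokens):
        name = tokens[i][1:] if tokens[i].startswith("-FVS") else None
        if name in opts and i + 1 < len(tokens) and tokens[i + 1].upper() in ("YES", "NO"):
            opts[name] = tokens[i + 1].upper() == "YES"
            i += 2
        else:
            i += 1
    return opts

def preflight(opts, keychain_present):
    """Return (ok, message) for a switch set, following the outcomes observed in the post."""
    use_kc, make_prk = opts["FVSUseKeychain"], opts["FVSCreateRecoveryKey"]
    if not use_kc and not make_prk:
        return False, "no recovery key requested; fdesetup refuses (the post saw error 15)"
    if use_kc and not keychain_present:
        return False, "FVSUseKeychain YES but %s is missing (the post saw error 19)" % MASTER_KEYCHAIN
    if not use_kc and keychain_present:
        return False, "FVSUseKeychain NO while %s exists (the post saw error 18)" % MASTER_KEYCHAIN
    keys = [name for name, on in (("institutional", use_kc), ("individual", make_prk)) if on]
    return True, "recovery keys: " + " and ".join(keys)

def preflight_command(cmdline, keychain_present=None):
    """Check a full FileVault Setup command line; by default looks for the keychain on disk."""
    if keychain_present is None:
        keychain_present = os.path.exists(MASTER_KEYCHAIN)
    return preflight(parse_switches(cmdline), keychain_present)

if __name__ == "__main__":
    for cmd in ("-FVSForceSetup YES", "-FVSForceSetup YES -FVSUseKeychain NO -FVSCreateRecoveryKey NO"):
        print(cmd, "->", preflight_command(cmd))
```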
Running FileVault Setup on an already-encrypted Mac
One of the nicer features of this application is that it can detect if the Mac has already been encrypted with FileVault 2. If it’s launched on a Mac that’s encrypted, it displays a message that FileVault 2 has already been enabled. Once you click the OK button to acknowledge the message, FileVault Setup then quits.
At the login window, FileVault Setup will not appear when triggered by the loginhook on an already-encrypted Mac. Instead, the app will silently quit in the background.
Conclusion
If you’re looking for a way to enforce FileVault 2 on your Macs and don’t have access to server resources, FileVault Setup is a great addition to your set of tools. It will give you the ability to encourage encryption on your machines or force it, depending on your security needs.
It also gives you the ability to prepare a machine and deploy it to your users without encrypting it first, as the loginhook will ensure that encryption gets turned on at the first login.