lfronius

Q: Automated FileVault encryption

Hi,

I want to deploy automated FileVault encryption using an installer, in the same way that Mac OS enables it, but with my own recovery key.

So what I need is a script or something that enables FileVault the same way Lion does.

I know that I can do "diskutil cs convert /dev/disk0s2 -passphrase xyz" in the terminal - I will be asked for this passphrase every time I boot my Mac and can afterwards type in my personal password. In the security panel I can set up other users for FileVault usage.

My question here is: what command can I use to give users access to my FileVault-encrypted volume without knowledge of the "real" passphrase?

MacBook Pro, Mac OS X (10.7.2)

Posted on Nov 18, 2011 4:14 AM


  • by Linc Davis, Nov 18, 2011 4:42 AM in response to lfronius
    Level 10 (207,995 points), Applications

    A bootable volume must be encrypted using the FileVault panel of the Security & Privacy preference pane -- not with diskutil.

    When you activate FileVault, you'll have the opportunity to select the users who are able to unlock the boot volume with their login password. Their password doesn't have to be the same as yours (and shouldn't be.)

  • by lfronius, Nov 18, 2011 5:15 AM in response to Linc Davis
    Level 1 (0 points)

    Hi Linc,

    I can encrypt a bootable volume via diskutil. I have done it and it works as expected. The only problem then is that I have to type in my passphrase for the volume every time I boot, until I use the FileVault panel to add myself as an activated user for this FileVault volume. I just want to know how to achieve this activation of a user for FileVault from Terminal.

  • by Linc Davis, Nov 18, 2011 5:18 AM in response to lfronius
    Level 10 (207,995 points), Applications

        "I can encrypt a bootable volume via diskutil. I have done it and it works as expected."

    No, it doesn't, as you point out yourself.

        "I just want to know how to achieve this activation of a user for FileVault from Terminal."

    If there is a way, it's not documented.

  • by lfronius, Nov 18, 2011 6:07 AM in response to Linc Davis
    Level 1 (0 points)

    The expectation was, of course, that the user is not granted access automatically to an encrypted volume. What sense would that make? So the diskutil command totally matched my expectations.

    Okay, that was an answer I didn't want to hear - but that it's not documented is a beginning.

    Do you know of any tracing tool, to find out what is really going on behind the Security & Privacy preference pane?

    I don't really want to set up FileVault for 70 Macs manually...

  • by Linc Davis, Nov 18, 2011 7:58 AM in response to lfronius
    Level 10 (207,995 points), Applications

    This is not an endorsement and I don't use the product myself, but you might want to take a look at this:

    http://www.jamfsw.com/libraries/pdf/press_release/Casper-Suite-8-3-Press-Release.pdf

  • by Marc Hauge, Feb 29, 2012 8:13 AM in response to lfronius
    Level 1 (19 points), Apple TV

    lfronius -- Would you be willing to share the 'diskutil cs' command you are using to encrypt the boot drive?

    We have success doing this via AppleScript as the logged-in user, but would like to prep the laptop ahead of deployment. With your method, it sounds like we would simply need to add the user as an activated user.

    Thanks!

  • by Jens C., Jun 1, 2012 6:14 AM in response to lfronius
    Level 1 (0 points)

    Any solution found, as I have the same challenge?

    Thanks!

  • by Marc Hauge, Jun 25, 2012 10:16 AM in response to Jens C.
    Level 1 (19 points), Apple TV

    Yes, we have been successful using a compiled binary (csfde), borrowed from the CauliflowerVest project (http://code.google.com/p/cauliflowervest/) and the Apple Recovery Key process (http://support.apple.com/kb/HT5077).

    We use an AppleScript setup script that we have manufactured for the purpose of deploying laptops to our students and faculty (4000+).

    We create a cached mobile account to allow initial login:

    do shell script "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n " & UserID with administrator privileges

    Then enable FileVault 2:

    do shell script "cp " & POSIX path of (the path to me as string) & "/Contents/Resources/FileVaultMaster_noprivate.keychain /Library/Keychains/FileVaultMaster.keychain" with administrator privileges

    do shell script POSIX path of (the path to me as string) & "/Contents/Resources/csfde disk0s2 " & UserID & " " & UserPWD

    do shell script "rm -f /Library/Keychains/FileVaultMaster.keychain" with administrator privileges
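The enablement sequence from Marc Hauge's post (stage the institutional master keychain, run csfde, remove the keychain again), written up as an added POSIX shell example; it is not code from the thread or from the CauliflowerVest project. It assumes csfde was installed at CSFDE_BIN and the no-private-key keychain was staged at FV_MASTER_SRC (both overridable; the /Library/Keychains destination is the one the post uses), adds an FV_DRY_RUN switch, and the slice-identifier and user-name patterns are this example's own checks. It goes beyond the post in three ways: the keychain is removed even when csfde fails, so a failed run never leaves the institutional keychain behind on the endpoint; the disk and user strings are validated before they reach argv; and the password is read from stdin so the wrapper's own argv does not expose it (csfde, as shown in the post, still receives it as an argument).

```shell
#!/bin/sh
# Constructed example (not from the thread or the CauliflowerVest project):
# a wrapper around the csfde enablement sequence from the post above.
# Assumed, overridable settings:
#   CSFDE_BIN      - where the csfde binary was installed
#   FV_MASTER_SRC  - staged copy of the institutional keychain WITHOUT its private key
#   FV_MASTER_DST  - where csfde expects it (path taken from the post)
#   FV_DRY_RUN=1   - describe the csfde call instead of running it
CSFDE_BIN="${CSFDE_BIN:-/usr/local/bin/csfde}"
FV_MASTER_SRC="${FV_MASTER_SRC:-/Library/Deploy/FileVaultMaster_noprivate.keychain}"
FV_MASTER_DST="${FV_MASTER_DST:-/Library/Keychains/FileVaultMaster.keychain}"
FV_DRY_RUN="${FV_DRY_RUN:-0}"

# csfde takes a bare slice identifier (disk0s2 in the post), not a /dev path.
# A strict pattern also keeps shell metacharacters out of the argv we build.
validate_disk() {
    printf '%s' "$1" | grep -Eq '^disk[0-9]+s[0-9]+$'
}

# Local account short names; the pattern is this example's own assumption.
validate_user() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*$'
}

# Stage the master keychain, run csfde, and remove the keychain again.
# Unlike the post, the removal also happens when csfde fails.
# Returns 2 on bad input, 1 if staging fails, otherwise csfde's exit status.
provision_filevault() {
    disk="$1"; user="$2"; password="$3"
    validate_disk "$disk" || { echo "bad disk identifier: $disk" >&2; return 2; }
    validate_user "$user" || { echo "bad user name: $user" >&2; return 2; }
    [ -f "$FV_MASTER_SRC" ] || { echo "missing master keychain: $FV_MASTER_SRC" >&2; return 2; }

    cp "$FV_MASTER_SRC" "$FV_MASTER_DST" || return 1
    if [ "$FV_DRY_RUN" = "1" ]; then
        # Never echo the password, even in dry-run output.
        printf 'dry-run: %s %s %s [password redacted]\n' "$CSFDE_BIN" "$disk" "$user"
        rc=0
    elif "$CSFDE_BIN" "$disk" "$user" "$password"; then   # argument order as in the post
        rc=0
    else
        rc=$?
    fi
    rm -f "$FV_MASTER_DST"
    return "$rc"
}

# Read the password from stdin so this wrapper's own argv never carries it.
main() {
    printf 'Password for %s: ' "$2" >&2
    IFS= read -r password
    provision_filevault "$1" "$2" "$password"
}

case $# in
    0) ;;                  # no arguments: only define the functions (sourced or tested)
    2) main "$@" ;;
    *) echo "usage: $0 diskNsM username   (password is read from stdin)" >&2; exit 2 ;;
esac
```

Run as root with `FV_DRY_RUN=1 sh fv_provision.sh disk0s2 jdoe` first to confirm the staging and cleanup, then without the switch to actually enable encryption; the script is only relevant on 10.7, since OS X 10.8 and later ship Apple's own fdesetup(8) for the same job.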