-
Nov 18, 2011 4:42 AM in response to lfronius by Linc Davis
A bootable volume must be encrypted using the FileVault panel of the Security & Privacy preference pane -- not with diskutil.
When you activate FileVault, you'll have the opportunity to select the users who are able to unlock the boot volume with their login password. Their password doesn't have to be the same as yours (and shouldn't be.)
-
Nov 18, 2011 5:15 AM in response to Linc Davis by lfronius
Hi Linc,
I can encrypt a bootable volume via diskutil. I have done it and it works as expected. The only problem then is that I have to type in my passphrase for the volume every time I boot, until I use the FileVault Panel to add me as an activated user for this FileVault Volume. I just want to know how to achieve this activating of a user for FileVault from Terminal.
-
Nov 18, 2011 5:18 AM in response to lfronius by Linc Davis
> I can encrypt a bootable volume via diskutil. I have done it and it works as expected.
No, it doesn't, as you point out yourself.
> I just want to know how to achieve this activating of a user for FileVault from Terminal.
If there is a way, it's not documented.
-
Nov 18, 2011 6:07 AM in response to Linc Davis by lfronius
The expectation was that, for sure, the user is not granted access automatically to an encrypted volume. What sense would it make? So the diskutil command totally matched my expectations.
Okay, that was an answer I didn't want to hear - but that it's not documented is a beginning.
Do you know any tool for tracing, to know what is really going on beyond the Security & Privacy preference pane?
I don't really want to set up FileVault for 70 Macs manually...
-
Nov 18, 2011 7:58 AM in response to lfronius by Linc Davis
This is not an endorsement and I don't use the product myself, but you might want to take a look at this:
http://www.jamfsw.com/libraries/pdf/press_release/Casper-Suite-8-3-Press-Release.pdf
-
Feb 29, 2012 8:13 AM in response to lfronius by Marc Hauge
lfronius -- Would you be willing to share the 'diskutil cs' command you are using to encrypt the boot drive?
We have success doing this via AppleScript as the logged in user, but would like to prep the laptop ahead of deployment. With your method, it sounds like we would simply need to add the user as an activated user.
Thanks!
-
Jun 1, 2012 6:14 AM in response to lfronius by Jens C.
Any solution found, as I have the same challenge?
Thanks!
-
Jun 25, 2012 10:16 AM in response to Jens C. by Marc Hauge
Yes, we have been successful using a compiled binary (csfde), borrowed from the CauliflowerVest project (http://code.google.com/p/cauliflowervest/) and the Apple Recovery Key process (http://support.apple.com/kb/HT5077).
We use an AppleScript setup script that we have manufactured for the purpose of deploying laptops to our students and faculty (4000+).
We create a cached mobile account to allow initial login:
-- "quoted form of" keeps spaces and shell metacharacters in the value from being interpreted by the shell
do shell script "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n " & quoted form of UserID with administrator privileges
Then enable FileVault 2:
-- install the institutional recovery keychain (public key only) for the duration of the csfde run
do shell script "cp " & quoted form of (POSIX path of (the path to me as string) & "/Contents/Resources/FileVaultMaster_noprivate.keychain") & " /Library/Keychains/FileVaultMaster.keychain" with administrator privileges
-- encrypt disk0s2 and enable UserID to unlock it
do shell script quoted form of (POSIX path of (the path to me as string) & "/Contents/Resources/csfde") & " disk0s2 " & quoted form of UserID & " " & quoted form of UserPWD
-- remove the keychain again once encryption has been started
do shell script "rm -f /Library/Keychains/FileVaultMaster.keychain" with administrator privileges