
Automated Filevault encryption

Hi,

I want to deploy automated Filevault encryption using an installer in the same way that Mac OS enables it, but with my own recovery key.

So, what I need is a script or something to enable Filevault the same way as Lion does.


I know that I can do "diskutil cs convert /dev/disk0s2 -passphrase xyz" in the terminal - I will be asked for this passphrase every time I boot my Mac and can afterwards type in my personal password. In the security panel I can set up other users for FileVault usage.


My question here is: What command can I use to give users access to my FileVault-encrypted volume without knowledge of the "real" passphrase?

MacBook Pro, Mac OS X (10.7.2)

Posted on Nov 18, 2011 4:14 AM

8 replies

Nov 18, 2011 4:42 AM in response to lfronius

A bootable volume must be encrypted using the FileVault panel of the Security & Privacy preference pane -- not with diskutil.


When you activate FileVault, you'll have the opportunity to select the users who are able to unlock the boot volume with their login password. Their password doesn't have to be the same as yours (and shouldn't be.)

Nov 18, 2011 5:15 AM in response to Linc Davis

Hi Linc,


I can encrypt a bootable volume via diskutil. I have done it and it works as expected. The only problem then is that I have to type in my passphrase for the volume every time I boot, until I use the FileVault panel to add myself as an activated user for this FileVault volume. I just want to know how to activate a user for FileVault from Terminal.

Nov 18, 2011 6:07 AM in response to Linc Davis

The expectation was that, of course, the user is not granted access automatically to an encrypted volume. What sense would that make? So the diskutil command totally matched my expectations.


Okay, that was an answer I didn't want to hear - but that it's not documented is a beginning.

Do you know any tool for tracing, to know what is really going on beyond the Security & Privacy preference pane?


I don't really want to set up FileVault for 70 Macs manually...

Jun 25, 2012 10:16 AM in response to Jens C.

Yes, we have been successful using a compiled binary (csfde), borrowed from the CauliflowerVest project (http://code.google.com/p/cauliflowervest/) and the Apple Recovery Key process (http://support.apple.com/kb/HT5077).


We use an AppleScript setup script that we have manufactured for the purpose of deploying laptops to our students and faculty (4000+).


We create a cached mobile account to allow initial login:


do shell script "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n " & UserID with administrator privileges


Then enable FileVault 2:


do shell script "cp " & POSIX path of (the path to me as string) & "/Contents/Resources/FileVaultMaster_noprivate.keychain /Library/Keychains/FileVaultMaster.keychain" with administrator privileges

do shell script POSIX path of (the path to me as string) & "/Contents/Resources/csfde disk0s2 " & UserID & " " & UserPWD

do shell script "rm -f /Library/Keychains/FileVaultMaster.keychain" with administrator privileges
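As an added example (not code from the thread or from CauliflowerVest), the same csfde enrolment written as a plain shell script, with an input check before anything is touched and a parser for `diskutil cs list` output so the resulting CoreStorage state can be verified afterwards. It assumes csfde and the institutional FileVaultMaster_noprivate.keychain live under a hypothetical $RESOURCES directory, and that the field names are the ones diskutil prints on Lion.

```shell
#!/bin/sh
# Added example: shell version of the csfde enrolment described above.
# Assumption: csfde and FileVaultMaster_noprivate.keychain are in $RESOURCES.
set -eu
RESOURCES="${RESOURCES:-/usr/local/fv}"

# Reduce `diskutil cs list` output to "<encrypted extents>/<fully secure>/<conversion>"
# for the logical volume family, e.g. "Yes/Yes/Complete". Field names are an
# assumption; plain awk so it also runs on saved output.
cs_family_state() {
    awk '/Has Encrypted Extents:/ { enc = $NF }
         /Fully Secure:/          { sec = $NF }
         /Conversion Status:/     { sub(/.*Conversion Status:[ \t]*/, ""); conv = $0 }
         END { print enc "/" sec "/" conv }'
}

# Constructed sample of a diskutil cs list family section (not real output).
SAMPLE_LION='+-> Logical Volume Family 00000000-0000-0000-0000-000000000000
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes'

# Stage the master keychain, enrol one user with csfde, remove the staged
# keychain again (as the AppleScript above does). Refuses anything that does
# not look like a slice identifier before touching the system.
enroll_filevault() {
    disk="$1"; user="$2"; pw="$3"
    case "$disk" in
        disk[0-9]*s[0-9]*) ;;
        *) echo "not a slice identifier: $disk" >&2; return 2 ;;
    esac
    cp "$RESOURCES/FileVaultMaster_noprivate.keychain" \
       /Library/Keychains/FileVaultMaster.keychain
    # csfde takes the password on argv, so it is visible in `ps` while it runs.
    "$RESOURCES/csfde" "$disk" "$user" "$pw"
    rm -f /Library/Keychains/FileVaultMaster.keychain
}

# Usage (as root): enroll.sh --enroll disk0s2 jdoe 'password'
if [ "${1:-}" = "--enroll" ]; then
    enroll_filevault "$2" "$3" "$4"
    state=$(diskutil cs list | cs_family_state)
    case "$state" in
        Yes/*) echo "CoreStorage family state: $state" ;;
        *) echo "unexpected CoreStorage state: $state" >&2; exit 1 ;;
    esac
fi
```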

