encrypted disk image with recovery key

I am trying to create an encrypted disk image that can also be recovered with the use of a key. It is basically trying to do what FileVault does where you have a password to get in, but there is a Master password that can recover the image if you forget/lose your password. I have pieced the basic concepts together, but it isn't working. First I create the certificates that I believe I need with a keychain using the certtool command.
certtool y c k=SecureKey.keychain
certtool c k=~/Library/Keychains/SecureKey.keychain o=SecureKey.cer

I went with the RSA 1024 bit and SHA-1 stuff (that is the technical term for it).

After that, I tried creating the image. I am in the same directory that the SecureKey.cer file is in, so that shouldn't be an issue. Also if it can't find the certificate, it tells you that. Here is the command I used.
hdiutil create -encryption -certificate SecureKey.cer -stdinpass -type SPARSE -fs "HFS+" -volname TestVolName -size 20g TestImage

and that returned
hdiutil: create failed - error 0x8001184e

Does anyone have any thoughts on what I did wrong? Thanks.

G5, Mac OS X (10.4.7)

Posted on Sep 6, 2006 6:22 PM


Sep 7, 2006 2:51 PM in response to Robert Morton2

Hi Robert... uhhh... Rob?

With a question like this I'm guessing there's a fair chance you're the same Rob Morton I'm thinking you might be...

Regardless, I've been dinking with this same stuff at work, and was able to get it working with the FileVaultMaster keychain/cert. I haven't tried it with a manually created cert though. I found that I had to use sudo to create the dmg when using the FileVaultMaster, but figured it was due to permissions on that keychain/cert. But maybe it's required anytime you include a secondary recovery cert??? Have you tried using "sudo hdiutil create..."?

I'm not at work today, but when I get back tomorrow I'll take a look at the stuff I was doing and post back.

Steve

Sep 7, 2006 5:04 PM in response to Steve Herman1

What, the question was specific enough that you figured it out?

Yeah, I can use the FileVault certs, but as you said, you have to sudo then. That is no good for what I want, as I want a regular user to be able to encrypt what they want while still offering the recovery options. Once you throw a sudo in there, you lose the option to have a regular user. I tried creating my cert with sudo and using sudo on the hdiutil, but it still gave me the same error as if I hadn't had admin rights. I have not tried just stealing the FileVault certs and changing the permission levels on that. The fear there is that there is an expiration on the FileVault cert and I worry about what happens when it expires. Sadly, my cert knowledge is a bit generalized, so there is probably an easy solution to that as well.

Sep 7, 2006 6:58 PM in response to Robert Morton2

Hi Robert,

> Once you throw a sudo in there, you lose the option
> to have a regular user

That's not really true. Sudo is one of the most flexible commands around and not only can a regular user use it but they can use it without a password. Mind you I'm not suggesting that you make all users admins; you can specify both of these privileges for this command only. All you have to do is to put a line like the following in your /etc/sudoers file. (with sudo visudo of course)

ALL ALL = NOPASSWD: /usr/bin/hdiutil create -encryption -certificate * -stdinpass -type SPARSE -fs "HFS+" -volname * -size * *

I've included wildcards so that the cert file, volume name, size and image are arbitrary but the others must be in the user's command to qualify. I realize that you'll want different options to use FileVault certs but I don't know how to do that so I used your original example as my example.

Of course it wouldn't be that easy for your lusers to get all of those options correct, so the next thing you do is to wrap the command, with its sudo preface, in a shell script that parses the cert file, volume name, size and image from the options the user passes to the script and puts those into the command with the right syntax. If you want to get really fancy, the script could prompt the user for any arguments that were omitted. Your lusers will think that you created this really cool command and never know that sudo was involved.
--
Gary
~~~~
If you give a man enough rope, he'll claim he's tied up
at the office.
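The wrapper script Gary describes, as an added example that is not code from the thread: it prompts for omitted values, validates each one before it lands in a wildcard slot of a sudoers rule of the form he shows (the rule itself, the `/usr/bin/hdiutil` path and the wrapper's argument order are assumptions), and feeds the passphrase to `-stdinpass` on stdin.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes a sudoers entry like Gary's,
# with a wildcard for the cert file, volume name, size and image name, and that
# this script is the only way regular users supply those four values.

# A token may contain only letters, digits, dot, underscore, slash and dash,
# and may not look like an option. Whitespace is rejected because a sudoers
# wildcard matches a run of words, so an unvalidated value could fill more
# than one argument slot of the permitted command line.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._/-]*|-*) return 1 ;;
    esac
    return 0
}

# Size must be digits followed by a g or m suffix, e.g. 20g.
safe_size() {
    n=${1%[gmGM]}
    [ "$n" != "$1" ] || return 1
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Prints the exact hdiutil command line, or fails if any value is rejected.
build_cmd() {  # cert volname size image
    safe_token "$1" && safe_token "$2" && safe_size "$3" && safe_token "$4" ||
        { echo "rejected argument in: $*" >&2; return 1; }
    printf '%s\n' "/usr/bin/hdiutil create -encryption -certificate $1 -stdinpass -type SPARSE -fs HFS+ -volname $2 -size $3 $4"
}

# Prompts for any value not given on the command line, then runs the command
# under sudo with the passphrase on stdin, which is what -stdinpass reads.
main() {
    cert=$1 vol=$2 size=$3 image=$4
    [ -n "$cert" ]  || { printf 'certificate file: '; read -r cert; }
    [ -n "$vol" ]   || { printf 'volume name: '; read -r vol; }
    [ -n "$size" ]  || { printf 'size (e.g. 20g): '; read -r size; }
    [ -n "$image" ] || { printf 'image name: '; read -r image; }
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; exit 1; }
    cmd=$(build_cmd "$cert" "$vol" "$size" "$image") || exit 1
    stty -echo; printf 'image passphrase: '; read -r pass; stty echo; echo
    # every token was validated above, so word-splitting $cmd is safe here
    printf '%s' "$pass" | sudo $cmd
}

# Runs only when invoked with at least one argument (e.g. the cert path).
if [ "$#" -gt 0 ]; then main "$@"; fi
```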
