Posted on 04-23-2014 12:10 PM
Working on partitioning MBPs running 10.9 with FileVault 2 encryption with an fstab script (thanks Ben Toms) pointing /Users to Users HD that is encrypted during imaging (thanks Deflounder) and using jridgewell's Unlock https://github.com/jridgewell/Unlock to mount the encrypted Users HD when the user logs in. So far I've got it working.
Here is the problem. All of our users are admins (hopefully we can take that away) but in the meantime I am looking for a way to not allow them to use the "show password" feature of the System Keychain. This allows them to see the password used to encrypt the Users HD. Any ideas on how to not allow this?
Also, I don't really understand why Apple refers to FV2 as "whole disk encryption", it seems more to me as "volume based encryption". Maybe I am not encrypting it correctly? Is it possible to encrypt the WHOLE disk?
Posted on 04-23-2014 12:45 PM
I'm interested in what you find, as I will try it in the future.
But for now, I just wanted to make sure you're using the UUID in fstab, and to point you to my blog in case it helps to automate: http://macmule.com/2012/07/31/how-to-use-fstab-within-a-casper-imaging-workflow/
Posted on 04-23-2014 12:54 PM
bentoms,
That is exactly how I did it. I revised my post to reflect this. One thing I would like to point out: while your method of acquiring the UUID works great for creating the fstab file, you must get the "logical volume" UUID for creating the system keychain entry to work with Unlock.
Posted on 04-23-2014 01:07 PM
@axnessj, good to know & happy to have helped.
I guess it's "whole partition encryption?"
Anyway, is the keychain password being seen in Keychain Access? No idea how to block that, except maybe block access to Keychain Access?
Posted on 04-23-2014 01:41 PM
Very interesting discussion!
I guess the reason why you don't want the password to be visible to your admin users is that
they would be able to access the Users HD of all your machines,
given that the same FV-password is used on all of them.
Would it be possible to create unique FV-passwords for each machine programmatically and escrow them to your JSS using the API?
Just thinking out loud here...
Posted on 04-23-2014 01:50 PM
FileVault 2 encrypts on a per-partition basis, so you can have both encrypted and unencrypted partitions on the same physical hard drive.
Posted on 04-23-2014 02:11 PM
@bentoms Yes, the password is seen in Keychain Access. Even if we change the system.keychain.modify group using security authorizationdb to a group that only has our local admin account in it, any admin can view the password (even if they can't unlock or modify the system keychain). I'd rather keep Keychain Access around because we have training out for users to "clean" their keychain and prevent lockouts (if our logout script misses an internet password tied to their AD account to delete).
@Chris, Yes, and I was thinking almost the exact same thing, except using an EA to "store" the key on the JSS, but the API sounds like a good idea too.
Posted on 04-23-2014 02:39 PM
Don't forget Cauliflower Vest: https://code.google.com/p/cauliflowervest/
Posted on 04-24-2014 05:37 AM
Great stuff guys. Just wondering.. @axnessj what are you using to get the "logical volume" UUID of the /Users partition? Be interested to find out.
Posted on 04-24-2014 05:58 AM
I think I will put in a feature request, or search to see if there is already one, for the JSS to be able to encrypt other partitions and manage it. I have spent a lot of effort around this as well, and it works great right up to the point where I re-image the computer. I am having issues transferring the keychain entry to the new OS and getting the other partition to mount. I could always just decrypt said volume before re-imaging, but that could add hours to what is supposed to be a fast solution. Has anybody else actually tried re-imaging after doing this and had it working? How are you transferring the keychain entry to the new OS?
Posted on 04-24-2014 06:36 AM
Unfortunately our corporate computer security policies at this time restrict storage of IP onto the cloud. What you suggest sounds like a great solution, but I highly doubt I will ever get the OK to store encryption keys outside our organization. I do appreciate your suggestion though, and I hope that it helps someone else.
Here is what we used to get the "logical volume" UUID:
#!/bin/sh
# Get the UUID of the Users HD logical volume from "diskutil cs list".
# The output is flattened to one line; the greedy ".*Logical Volume " match keeps
# only the text after the LAST "Logical Volume" entry, and the second expression
# drops everything from the separator line onwards, leaving just the UUID.
# This assumes Users HD is the only CoreStorage logical volume on the machine.
logvolUUID=$(echo $(diskutil cs list) | sed -e 's/.*Logical Volume //g' -e 's/ --.*//g')
As opposed to getting the UUID for creating the fstab entry: http://macmule.com/2012/07/31/how-to-use-fstab-within-a-casper-imaging-workflow/
#!/bin/sh
# Get the (HFS) Volume UUID of the Users HD volume; the third field of the
# "Volume UUID:" line in "diskutil info" is the UUID itself.
usersUUID=$(/usr/sbin/diskutil info "Users HD" | grep "Volume UUID:" | awk '{print $3}')
Currently we were using the same password on our test machines to encrypt the Users HD volume. Since we haven't found a good way to "hide" this from Admins viewing it in the System keychain we are looking into salting something common to a machine to create a unique password that would be easy to "recreate". Since the script creates the system keychain encrypted volume password entry there is no need to transfer it.
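The two one-liners above each extract a UUID from diskutil output, but the "logical volume" one silently picks the last logical volume listed, which is only correct while Users HD is the sole CoreStorage volume. The script below is an added example, not the poster's script or part of Unlock: it parses a `diskutil cs list` dump by volume name so it returns the right logical volume even when several exist, pulls the HFS Volume UUID from a `diskutil info` dump for the fstab entry, and builds that entry. The diskutil output it reads is constructed sample text with placeholder UUIDs so the functions can be exercised on any POSIX shell; on a Mac you would pipe the real commands into the same functions. The fstab mount options (`hfs rw 1 2`) are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example: robust extraction of the UUIDs needed for the Unlock keychain
# entry and the /etc/fstab line. All diskutil output here is CONSTRUCTED sample
# text with placeholder UUIDs, laid out like 10.9's "diskutil cs list".
# Note the two logical volumes: a greedy "last match" would return Scratch.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0A1B2C3D-0000-0000-0000-000000000001
    =========================================================
    Name:         Users HD
    Status:       Online
    |
    +-< Physical Volume 0A1B2C3D-0000-0000-0000-000000000002
    |   ----------------------------------------------------
    |   Disk:     disk0s3
    |
    +-> Logical Volume Family 0A1B2C3D-0000-0000-0000-000000000003
    |   ----------------------------------------------------------
    |   Encryption Status:       Unlocked
    |   Encryption Type:         AES-XTS
    |   Passphrase Required:     Yes
    |   |
    |   +-> Logical Volume 0A1B2C3D-0000-0000-0000-000000000004
    |       ---------------------------------------------------
    |       Disk:                  disk2
    |       Status:                Online
    |       LV Name:               Users HD
    |       Volume Name:           Users HD
    |
    +-> Logical Volume Family 0A1B2C3D-0000-0000-0000-000000000006
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        |
        +-> Logical Volume 0A1B2C3D-0000-0000-0000-000000000007
            ---------------------------------------------------
            Disk:                  disk3
            LV Name:               Scratch
            Volume Name:           Scratch'

# Constructed excerpt of `diskutil info "Users HD"` (placeholder UUID).
SAMPLE_INFO='   Device Identifier:        disk2
   Device Node:              /dev/disk2
   Volume Name:              Users HD
   Volume UUID:              9F8E7D6C-0000-0000-0000-000000000005
   Disk / Partition UUID:    1B2C3D4E-0000-0000-0000-000000000008'

# Print the Logical Volume UUID whose "LV Name" equals $1, reading a
# `diskutil cs list` dump on stdin. Prints nothing if no such volume exists.
lv_uuid_for_name() {
    awk -v want="$1" '
        # A bare "Logical Volume <UUID>" line (not "Family", not "Group")
        # opens a new LV block; remember its UUID (the last field).
        /Logical Volume [0-9A-F-]+$/ { uuid = $NF }
        # The LV Name line inside that block identifies the volume.
        /LV Name:/ {
            name = $0
            sub(/.*LV Name:[ \t]*/, "", name)
            if (name == want) { print uuid; exit }
        }
    '
}

# Print the HFS Volume UUID from a `diskutil info <volume>` dump on stdin.
# Anchoring on "Volume UUID:" avoids the "Disk / Partition UUID:" line.
volume_uuid() {
    awk '/^[ \t]*Volume UUID:/ { print $3; exit }'
}

# Build the /etc/fstab line that mounts the volume at /Users by UUID
# (mount options assumed; adjust to the fstab form your workflow uses).
fstab_line() {
    printf 'UUID=%s /Users hfs rw 1 2\n' "$1"
}

# Usage with the constructed samples; on a Mac use instead:
#   diskutil cs list | lv_uuid_for_name "Users HD"
#   diskutil info "Users HD" | volume_uuid
LV=$(printf '%s\n' "$SAMPLE_CS_LIST" | lv_uuid_for_name "Users HD")
VOL=$(printf '%s\n' "$SAMPLE_INFO" | volume_uuid)
echo "Logical Volume UUID (for the keychain entry): $LV"
echo "Volume UUID (for fstab):                      $VOL"
fstab_line "$VOL"
```

Matching on the LV Name rather than on position means the keychain entry Unlock reads is tied to the volume you actually intend, which matters once a tech partitions a machine differently from the default (as the poster describes leaving partition layout to the techs).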
Posted on 04-24-2014 06:56 AM
@axnessj Thanks, appreciated.
Quick question...when you go to re-image (which I'm sure happens eventually), do you use a different configuration in Casper Imaging to do the re-image of the OS partition instead of your normal one...assuming the normal one has the process to make the /Users partition? So you wouldn't want to run that one again because the /Users partition is already there and made.
Does that make sense? ha.
Posted on 04-24-2014 07:12 AM
I think you are talking to @nessts instead, @perrycj. Anyhow, I generate random passwords for every computer. I have a process where I can extract the password and put it in a particular location so during setup it knows the proper password to use, but it never Unlocks properly at boot time like it does when it is set up the first time. If I manually run my version of Unlock it mounts the drive. So just something odd I have yet to have time to debug, so lately all encrypted Macs get one partition.
Posted on 04-24-2014 07:19 AM
@nessts thanks. I was directing it towards everyone but I guess specifically asking @axnessj as well.
Just curious, with or without encryption, when using a /Users HD partition as a workflow...when it comes to re-imaging but you want to keep the data on /Users HD intact, I'm assuming you all use a different configuration in Casper Imaging....one without the process of creating the /Users HD partition, which then just focuses on the Macintosh HD partition for the OS.
Sorry if I'm not being clear ha. Just making sure I understand how you guys are handling re-imaging of the OS but not the /Users HD partition.
Posted on 04-24-2014 07:22 AM
You're right about re-imaging. The whole purpose of this project is so that we can re-image our machines without transferring the user's data and keep up with Apple's yearly OS releases (ridiculous to support in an Enterprise) without impacting the user experience. Rather than attempt to anticipate the HDD needs of the users, I think we are leaving the partitioning of the drives up to the discretion of the techs at their facilities, rather than using a configuration to predefine percents or sizes. So creating the partitions is manual at this time. I am thinking 100GB for Macintosh HD and the remaining for Users HD, but I know there are cases when this might need to be different.
Also, because you point the image to "Macintosh HD" in Casper Imaging, it doesn't affect the Users HD.
Posted on 04-24-2014 07:34 AM
@axnessj That's what I figured but wanted to clarify. So you guys manually create the 2 partitions before imaging and then just image the Macintosh HD partition...instead of using Casper Imaging to partition the drives into your desired parts? Interesting. We're a large corporation with a lot of moving parts but I may try to make this general practice at our depots.
I was under the impression you guys were doing all partitioning through Casper Imaging, including making the /Users HD partition. Doing it beforehand, if possible, definitely makes it easier.
Posted on 04-24-2014 03:13 PM
@perrycj, all our partitioning is via Casper Imaging.
The configuration looks for Macintosh HD & Users HD. If Users HD is not found, then it partitions; if it is found, then no repartitioning is done.
The config then erases the Macintosh HD & installs all onto that partition.