Question about FileVault2 and user accounts

terjr938
New Contributor

Hi Everyone,
We are looking for a way to encrypt the Macs using FV2 without exposing the login credentials to the outside world. The only thing we have found so far is this command:
sudo diskutil cs convert disk0s2 -passphrase passphrase
The problem comes in with how to manage that once it is in place. We like the functionality of having a "Disk Password" on boot vs showing someone a login ID, but we don't yet have a great way to manage it or even change it without decrypting and re-encrypting.

We use JSS 9.62 running a Mavericks environment. If anyone has any insight, that would be great!!

Thanks,
Tom

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

Have you looked into the following command?

diskutil cs changeVolumePassphrase

The diskutil manpage has information about how to use it:

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/diskutil.8.html

terjr938
New Contributor

No, I hadn't. I truly appreciate your feedback!! I'm going to test it out and I'll let you know!!

terjr938
New Contributor

That worked perfectly! After using that command and putting in the UUID of the LV that is your Macintosh HD, it walked you through changing it and even hid the characters for the passphrases.
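The step above (find the UUID of the Logical Volume, then hand it to `diskutil cs changeVolumePassphrase`) as an added shell example that is not from the thread or from Apple: it parses `diskutil cs list` output to pick the Logical Volume UUID rather than the Group, Family or Physical Volume UUIDs, which all appear in the same listing. The listing is constructed to mirror the real layout; every UUID and device name in it is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread or from Apple. The `diskutil cs list` text
# below is CONSTRUCTED; every UUID and device name is a placeholder.
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group AAAAAAAA-0000-0000-0000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume BBBBBBBB-0000-0000-0000-000000000002
    |   ----------------------------------------------------
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family CCCCCCCC-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        |
        +-> Logical Volume DDDDDDDD-0000-0000-0000-000000000004
            ---------------------------------------------------
            Disk:                  disk1
            LV Name:               Macintosh HD
EOF
}

# Print the Logical Volume UUID (not the Group, Family or Physical Volume UUID)
# of the LV whose "LV Name" equals $1; reads `diskutil cs list` output on stdin.
# Exits 1 when no LV with that name is present.
lv_uuid_for_name() {
    awk -v want="$1" '
        # "+-> Logical Volume <UUID>" opens an LV block. Group, Family and
        # Physical Volume lines fail one of the two word checks, so they are skipped.
        NF >= 3 && $(NF-2) == "Logical" && $(NF-1) == "Volume" && $NF ~ /^[0-9A-F]+-[0-9A-F-]+$/ { uuid = $NF; next }
        /LV Name:/ {
            sub(/.*LV Name:[ \t]*/, "")
            if ($0 == want && uuid != "") { print uuid; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# On a real Mac (not run here): uuid="$(diskutil cs list | lv_uuid_for_name "Macintosh HD")"
# followed by: sudo diskutil cs changeVolumePassphrase "$uuid"
# Invoked that way, diskutil prompts for the old and new passphrase with echo off,
# so neither one lands in shell history or `ps` output, unlike the -passphrase
# argument given to `diskutil cs convert` in the original question.
sample_cs_list | lv_uuid_for_name "Macintosh HD"
```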

dbrodjieski
New Contributor III

Using this method, are you able to manage a recovery key for the disk, either personal, or institutional?

rtrouton
Release Candidate Programs Tester

No. To manage recovery keys for a FileVault 2-encrypted Mac, you will need to use fdesetup. Beginning in 10.9.x, fdesetup has two functions to manage recovery keys:

  • fdesetup changerecovery
  • fdesetup removerecovery

I have a post available on using fdesetup to manage FileVault 2 on Yosemite, including how to use fdesetup changerecovery and fdesetup removerecovery, available from here:

https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/

dbrodjieski
New Contributor III

Thanks Rich, I kind of figured that. For our environment, it would be nice to not have to rely on having a local user account configured for filevault access. Having a disk passphrase managed using 'diskutil cs', along with the recovery key available in case the passphrase is lost would be useful for us.

terjr938
New Contributor

What we've found here does appear to allow something like a recovery key; however, it is not utilizing Casper to do it. If I figure out a way, I'll let everyone know how to get that in here. The link we have been getting our information from is here:
https://administrivia.zendesk.com/hc/en-us/articles/200159585-FileVault-2-for-Enterprise-Enable-Disk-Password-rather-than-Enable-Users-and-Mass-Deployable-Master-Recovery-Keys
Thanks again Rich for that follow up!