Best Enterprise Drive encryption solution

Jpcorzo
Contributor

Hello everyone,

We are planning to start encrypting the drives on our Mac devices and wanted to reach out to all of you for advice on the best enterprise system out there. We are currently testing FileVault 2 as it is already built in, but we think it is not at the point we want it to be. Just to explain, and hopefully someone has a workaround: to decrypt or unlock a drive I need to always have the user's password. I thought that by having the recovery key any of the tech support associates would be able to proceed with a reimage process without the user's intervention to type the password (Individual and Institutional setups both require the user's credentials to unlock). Trying to mimic a BitLocker setup on the Windows side, in which by typing a recovery key you are able to access the data and therefore decrypt and modify the HD structure.

So this being the case, we would like to try a 3rd party product and are wondering which one is the best out there.

Thank you

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

You unlock or decrypt a FileVault 2-encrypted drive using the recovery key, but you'll need to use the command line:

http://derflounder.wordpress.com/2011/11/23/using-the-command-line-to-unlock-or-decrypt-your-filevau...


mm2270
Legendary Contributor III

You can totally re-image a FileVault 2 encrypted Mac (if you're talking about nuke-and-pave style imaging) without needing the user's account. In fact, it can be done without needing the Recovery Key at all. The trick is to first partition the drive before imaging.
We do this all the time, but to be fair, we use DeployStudio, which actually makes running a script prior to laying down a base image much easier. Casper Imaging still doesn't have an easy way to automate this, which is a bit frustrating.

Anyway, the relevant line we use is like this:

sudo diskutil partitionDisk disk0 1 GPT HFS+ "Macintosh HD" R

There are variations on the above that would also work, but basically, use diskutil to repartition the disk disk0 to 1 partition using a GUID Partition Table and a format of HFS+ (could also use JHFS+ here for Journaled), and name the resulting flattened drive Macintosh HD. The "R" means to fill the entire drive with this partition.
Also, make sure NOT to unlock the drive before doing this. It seems to work more reliably when the drive isn't unlocked and mounted, for some reason.

That said, it's not like FileVault 2 is without issues. We use it here and our biggest annoyance is the boot time overhead it adds. While it's not huge, it's significant enough that some of our users complain about it. It's also partly a perception issue. People expect that when they "log in" they should soon get to their Desktop. They don't really understand that when they log in at the FV2 pre-boot login screen, the OS hasn't even started up yet.

Another annoyance is that Apple still won't let us manage how the login screen appears. We put in feature enhancement requests with them ages ago and they don't seem to care about this one. You're stuck with usernames and icons with a password field. If you want or need both username and password fields, you won't get that with FileVault 2. I personally think this lessens the security of using FV2, since the username(s) that can unlock the Mac are in plain sight for anyone to see.

Jpcorzo
Contributor

@rtrouton That's a great article you have there. Not sure why those two commands are not part of the JSS documentation! Thanks a lot. Now it's just a matter of properly training the techs on running these commands.

rtrouton
Release Candidate Programs Tester

@Jpcorzo,

I have a number of posts available on FileVault 2. They're accessible via this link:

http://derflounder.wordpress.com/category/filevault-2/

One particular post that may interest you is this one about the FileVault 2 talk I gave at the last JNUC:

http://derflounder.wordpress.com/2013/11/13/understand-filevault-2-and-manage-disk-encryption-with-t...

hcodfrie
Contributor

rtrouton, do you use FV2 with AD users? And what can you do when a user has changed his/her AD password?

JPDyson
Valued Contributor

We've had success with using FileVault and Institutional+Individual recovery keys; the techs can pull the individual keys from the JSS to unlock a Mac, and we have a "break glass" backup in the Institutional key.

Train your folks to always and only encrypt using your process! If they enable it manually, you've got a problem.

rtrouton
Release Candidate Programs Tester

@hcodfrie,

When AD users change their passwords, you should see behavior like this (assuming your AD account’s password gets changed outside the Mac):

  1. You boot your encrypted Mac while connected to a network that can access your AD domain controller.

  2. The pre-boot login screen would accept your old password.

  3. Next, you get the regular login window and type your account’s new password there. That will allow the login process to complete and also update the FileVault 2 pre-boot login to use the new password.

  4. After that, you should get the option to allow you to update your login keychain’s password (just like a regular login where the password is changed.) Once done, your keychain should be using your new password as well.

I have a post with videos that show the described behavior available here:

http://derflounder.wordpress.com/2012/05/24/10-7-4-login-window-changes-for-filevault-2-enabled-mobi...

hcodfrie
Contributor

Many thanks @rtrouton, I will check it out.

Jpcorzo
Contributor

Hello @rtrouton, I was wondering if I could ask you one more question in regards to FileVault 2 and unlocking a drive with the institutional method. So I downloaded the .p12 file from the JSS and converted it into a keychain, saved it and placed it in a secure fileshare. I'm on a device that I'm trying to unlock and decrypt, and I'm able to use

security unlock-keychain /path/to/FileVaultMaster.keychain

and the password I set works. Whenever I run

diskutil cs unlockVolume UUID -recoveryKeychain /file/to/FVM.keychain

I keep getting the following error:

Error: -69749: Unable to unlock the Core Storage volume

Let me know if you have an advice for this issue.
Thank you

rtrouton
Release Candidate Programs Tester

@Jpcorzo,

When you're trying to use the keychain, are you booted from the recovery partition?

For reasons that they haven't documented, Apple only allows the process of unlocking / decrypting with the institutional recovery key to work if you're booted from the recovery partition or from Internet Recovery.

Jpcorzo
Contributor

Ahh, I was actually booting from NetBoot. I was able to unlock and decrypt the drive with the individual key from NetBoot, but it looks like the institutional key would only work from Recovery HD.
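Pulling the thread together as an added example (this is not code from any of the posts above): a small POSIX sh helper a tech-support team could keep on a NetBoot or Recovery tools volume. It covers rtrouton's accepted answer (unlock or fully decrypt with an individual recovery key from the command line), the institutional-keychain variant Jpcorzo was trying, and mm2270's pre-imaging repartition with his "don't unlock first" caveat enforced. Assumptions: the CoreStorage-era diskutil (OS X 10.7 through 10.12, before APFS), the `-stdinpassphrase` option to `diskutil cs unlockVolume`/`revert` so the recovery key is never placed on the command line, a constructed `diskutil cs list` sample so it can be exercised offline, and a made-up keychain path. It does not detect whether the Mac is booted from Recovery HD, which rtrouton says the institutional key requires; that check is left to the operator.

```shell
#!/bin/sh
# fv2_tech.sh - added example for the FileVault 2 (CoreStorage) steps in this
# thread: locate the logical volume, unlock/decrypt it with an individual key
# or the institutional keychain, and repartition a still-locked disk before a
# nuke-and-pave image. Assumes the 10.7-10.12 diskutil; echoes commands unless
# DRY_RUN=0 so it can be exercised on a machine without diskutil.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `diskutil cs list` output for one locked FV2 volume.
# Only the lines this script parses are reproduced; the UUIDs are made up.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 1B2C3D4E-0000-4000-8000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 2B2C3D4E-0000-4000-8000-000000000002
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 3B2C3D4E-0000-4000-8000-000000000003
        ----------------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 4B2C3D4E-0000-4000-8000-000000000004
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD'

# Execute the command, or in dry-run mode print it with space-containing
# arguments quoted so the echoed line is copy-pasteable.
run() {
    if [ "$DRY_RUN" != 1 ]; then "$@"; return; fi
    out=
    for a in "$@"; do
        case $a in *' '*) a="\"$a\"" ;; esac
        out="${out:+$out }$a"
    done
    printf '%s\n' "$out"
}

# Logical Volume UUID, the identifier unlockVolume/revert expect. The "Logical
# Volume Family" line is skipped because "Family" is not 36 hex/dash chars.
cs_lv_uuid() {
    printf '%s\n' "$1" | sed -n 's/^.*+-> Logical Volume \([0-9A-F-]\{36\}\).*$/\1/p' | head -n 1
}

# "Locked" or "Unlocked" from the Logical Volume Family section.
cs_encryption_status() {
    printf '%s\n' "$1" | sed -n 's/^ *Encryption Status: *\([A-Za-z]*\).*$/\1/p' | head -n 1
}

# An individual (personal) recovery key is six dash-separated groups of four
# upper-case letters/digits. Reject anything else before it reaches diskutil.
valid_recovery_key() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# rtrouton's accepted answer: unlock ("unlockVolume") or fully decrypt
# ("revert") with an individual recovery key. The key goes in on stdin via
# -stdinpassphrase so it never appears in `ps` output or shell history.
fv2_with_key() {   # $1 = cs list text, $2 = unlockVolume|revert, $3 = recovery key
    uuid=$(cs_lv_uuid "$1")
    [ -n "$uuid" ] || { echo "no CoreStorage logical volume found" >&2; return 1; }
    valid_recovery_key "$3" || { echo "malformed recovery key" >&2; return 1; }
    printf '%s' "$3" | run diskutil cs "$2" "$uuid" -stdinpassphrase
}

# Institutional key: use the FileVaultMaster keychain exported from the JSS.
# Per rtrouton this only works when booted from Recovery HD / Internet
# Recovery; this function does not detect the boot environment.
fv2_with_keychain() {   # $1 = cs list text, $2 = unlockVolume|revert, $3 = keychain path
    uuid=$(cs_lv_uuid "$1")
    [ -n "$uuid" ] || { echo "no CoreStorage logical volume found" >&2; return 1; }
    [ "$DRY_RUN" = 1 ] || [ -r "$3" ] || { echo "keychain $3 not readable" >&2; return 1; }
    run diskutil cs "$2" "$uuid" -recoveryKeychain "$3"
}

# mm2270's pre-imaging step: one GPT/JHFS+ partition filling the whole disk.
# Refuses if the volume has already been unlocked, which he reports makes the
# repartition less reliable.
preimage_repartition() {   # $1 = cs list text, $2 = whole disk, e.g. disk0
    status=$(cs_encryption_status "$1")
    if [ "$status" != "Locked" ]; then
        echo "volume is '$status'; do not unlock before repartitioning" >&2
        return 1
    fi
    run diskutil partitionDisk "$2" 1 GPT JHFS+ "Macintosh HD" R
}

# Stand-alone demo on the constructed sample (dry run prints the commands).
fv2_with_key "$SAMPLE_CS_LIST" unlockVolume "ABCD-EFGH-JKLM-NPQR-STUV-WXYZ"
fv2_with_keychain "$SAMPLE_CS_LIST" unlockVolume /Volumes/Tools/FileVaultMaster.keychain
preimage_repartition "$SAMPLE_CS_LIST" disk0
```

On a real Mac, replace `SAMPLE_CS_LIST` with `$(diskutil cs list)` and set `DRY_RUN=0`. Keeping the key on stdin rather than in `-passphrase KEY` matters most on a shared NetBoot image, where anything in argv is visible to every process and lands in the shell history of whoever ran it.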