Enable FileVault2 encryption

Marco Massari Calderone edited this page Oct 4, 2020 · 1 revision

Enable the FileVault2 module in your base profile:

    # file: <base_profile>/modules.yml
    
    configure_filevault: yes

If you want to use FileVault2 you have 2 options:

  1. Personal Recovery Key
  2. Institutional Recovery Key

Personal Recovery Key

The recovery key is generated automatically after FileVault2 is enabled and, by default, stored on the new user's Desktop as a cleartext file. The user must store it safely somewhere off the machine itself and communicate it to the system administrators.

Even when an institutional recovery key is used, a personal recovery key is still created by default, so that a user who has forgotten their password can decrypt the computer's drive without needing the password of the company's certificate master key.

If you do NOT want a personal recovery key to be generated, set:

    # file: <base_profile>/filevault.yml
    
    filevault_norecoverykey: yes

Institutional Recovery Key

Enable this setting in your base profile:

    # file: <base_profile>/filevault.yml
    
    filevault_certificate: yes

Using an institutional recovery key is the recommended option for a company because:

  • A shared encryption certificate allows the system administrators to recover the content of the machine even if the employee has forgotten their password.

  • The encryption certificate can be replaced programmatically, either periodically or in case of a security breach.

You can set up an institutional recovery key in two ways:

  1. Deploy a Keychain recovery key: see the Apple documentation

  2. Deploy a DER certificate, which will be added to a recovery-key Keychain generated on the fly

You can generate either of the above in a few different ways; if you already have one, you can use it with Splinter.

DO NOT INCLUDE the master key with the keychain file when provisioning a new machine.

If you are using a pre-existing DER certificate, make sure to link it correctly:

    # file: <base_profile>/filevault.yml
    
    filevault_certificate_file: 'files/certificates/FileVaultMaster.der.cer'
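Once a machine has been provisioned with the settings above, you will want to confirm that the result actually matches the profile: encryption on (not merely deferred), a personal recovery key present or absent as filevault_norecoverykey dictates, and an institutional key present when filevault_certificate is set. The following POSIX shell script is an added example and is not part of Splinter. It assumes the output formats of Apple's fdesetup tool ("FileVault is On.", "FileVault is Off." and "Deferred enablement appears to be active ..." from fdesetup status, and "true"/"false" from haspersonalrecoverykey and hasinstitutionalrecoverykey), and falls back to constructed sample values when fdesetup is not present so it can be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not Splinter code): audit a provisioned Mac against the
# FileVault choices made in <base_profile>/filevault.yml.
# Assumed fdesetup output formats: "FileVault is On." / "FileVault is Off." /
# "Deferred enablement appears to be active for user '...'" for `fdesetup status`,
# and "true" / "false" for the has*recoverykey queries (run with sudo on macOS).

# fv_state STATUS_TEXT -> prints on | deferred | off
# "deferred" means the key will only exist once the user has logged in and
# enablement has completed, so the machine is not yet protected.
fv_state() {
  case "$1" in
    *"Deferred enablement"*) echo deferred ;;
    *"FileVault is On."*)    echo on ;;
    *)                       echo off ;;
  esac
}

# expected_keys NORECOVERYKEY CERTIFICATE -> prints "<personal> <institutional>"
# derived from the profile flags filevault_norecoverykey and filevault_certificate
# (each "yes" or "no"). A personal key exists unless explicitly disabled; an
# institutional key exists only when the certificate option is enabled.
expected_keys() {
  pk=true
  if [ "$1" = "yes" ]; then pk=false; fi
  ik=false
  if [ "$2" = "yes" ]; then ik=true; fi
  echo "$pk $ik"
}

# audit STATUS_TEXT PERSONAL INSTITUTIONAL NORECOVERYKEY CERTIFICATE
# Returns 0 when the machine matches the profile, 1 otherwise, printing each
# mismatch so the report can be collected by a fleet-management job.
audit() {
  status_text=$1; personal=$2; institutional=$3
  rc=0
  state=$(fv_state "$status_text")
  if [ "$state" != "on" ]; then
    echo "FileVault is not fully enabled (state: $state)"; rc=1
  fi
  expected=$(expected_keys "$4" "$5")
  want_personal=${expected% *}
  want_institutional=${expected#* }
  if [ "$personal" != "$want_personal" ]; then
    echo "personal recovery key: got $personal, expected $want_personal"; rc=1
  fi
  if [ "$institutional" != "$want_institutional" ]; then
    echo "institutional recovery key: got $institutional, expected $want_institutional"; rc=1
  fi
  return $rc
}

# Gather live values on macOS; elsewhere use constructed sample values that stand
# in for a Mac provisioned with filevault_certificate: yes and the default
# personal recovery key.
if command -v fdesetup >/dev/null 2>&1; then
  live_status=$(fdesetup status)
  live_prk=$(fdesetup haspersonalrecoverykey)
  live_irk=$(fdesetup hasinstitutionalrecoverykey)
else
  live_status="FileVault is On."   # constructed sample
  live_prk=true                    # constructed sample
  live_irk=true                    # constructed sample
fi

# Profile choices to audit against: filevault_norecoverykey=no, filevault_certificate=yes.
if audit "$live_status" "$live_prk" "$live_irk" no yes; then
  echo "machine matches the FileVault profile"
else
  echo "machine does NOT match the FileVault profile"
fi
```

Change the last two arguments of the final audit call to mirror your own filevault.yml; a non-zero exit from audit is the signal to investigate, since a missing institutional key means the shared certificate cannot be used to recover that machine.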

Generate a new encryption certificate

Splinter has a built-in option to generate both a Keychain file and a DER certificate, which makes the process easy even if you are not an expert in certificates.

    ./splinter create filevault-recovery-key

The above command will ask you to set a master password and will create these 3 files in (splinter project)/files/certificates:

  1. FileVaultMaster-keychain-password: the master key password you were asked for during the certificate creation
  2. FileVaultMaster.der.cer: the DER certificate that will be used for the FileVault2 encryption
  3. FileVaultMaster.keychain: contains both the DER certificate and the master key password

Leave the generated DER certificate in this directory; it will be used for the encryption of the provisioned machine (the base profile is already set to use this file).

Store the keychain file and the master key safely and remove them from the project folder; you will need them to decrypt a computer for which you do not have any user password to unlock the filesystem.

To decrypt such a computer you will have to follow a specific Apple procedure.