Disable/restrict "show password" feature on System keychain passwords

axnessj
New Contributor

Working on partitioning MBPs running 10.9 with filevault 2 encryption with a fstab script (thanks Ben Toms) pointing /Users to Users HD that is encrypted during imaging (thanks Deflounder) and using jridgwell's Unlock https://github.com/jridgewell/Unlock to mount the encrypted Users HD when the user logs in. So far got it working.

Here is the problem. All of our users are admins (hopefully we can take that away) but in the meantime I am looking for a way to not allow them to use the "show password" feature of the System Keychain. This allows them to see the password used to encrypt the Users HD. Any ideas on how to not allow this?

Also, I don't really understand why Apple refers to FV2 as "whole disk encryption", it seems more to me as "volume based encryption". Maybe I am not encrypting it correctly? Is it possible to encrypt the WHOLE disk?


bentoms
Release Candidate Programs Tester

I'm interested in what you find, as I will try it in the future.

But for now, just wanted to make sure you're using the UUID in fstab & just to point you to my blog in case it helps to automate: http://macmule.com/2012/07/31/how-to-use-fstab-within-a-casper-imaging-workflow/

axnessj
New Contributor

bentoms,

That is exactly how I did it. I revised my post to reflect this. One thing I would like to point out: while your method of acquiring the UUID works great for creating the fstab file, you must get the "logical volume" UUID for creating the system keychain entry to work with Unlock.

bentoms
Release Candidate Programs Tester

@axnessj, good to know & happy to have helped.

I guess it's "whole partition encryption?"

Anyways, is the keychain password being seen in Keychain Access?? No idea how to block that, except maybe block access to keychain access??

Chris
Valued Contributor

Very interesting discussion!
I guess the reason why you don't want the password to be visible to your admin users is that
they would be able to access the Users HD of all your machines,
given that the same FV-password is used on all of them.
Would it be possible to create unique FV-passwords for each machine programmatically and escrow them to your JSS using the API?
Just thinking out loud here...

rtrouton
Release Candidate Programs Tester

@axnessj,

FileVault 2 encrypts on a per-partition basis, so you can have both encrypted and unencrypted partitions on the same physical hard drive.

axnessj
New Contributor

@bentoms Yes, the password is seen in Keychain Access. Even if we change the system.keychain.modify group using security authorizationdb to a group that only has our local admin account in it, any admin can view the password (even if they can't unlock or modify the system keychain). I'd rather keep Keychain Access around because we have training out for users to "clean" their keychain and prevent lockouts (if our logout script misses an internet password tied to their AD account to delete).

@Chris, Yes, and I was thinking almost the exact same thing, except using an EA to "store" the key on the JSS, but the API sounds like a good idea too.

bentoms
Release Candidate Programs Tester

Don't forget Cauliflower Vest: https://code.google.com/p/cauliflowervest/

perrycj
Contributor III

Great stuff guys. Just wondering.. @axnessj what are you using to get the "logical volume" UUID of the /Users partition? Be interested to find out.

nessts
Valued Contributor II

I think I will put in a feature request, or search to see if there is already one, for the JSS to be able to encrypt other partitions and manage it. I have spent a lot of effort around this as well, and it works great right up to the point where I re-image the computer. I am having issues transferring the keychain entry to the new OS and getting the other partition to mount. Could always just decrypt said volume before re-imaging, but that could add hours to what is supposed to be a fast solution. Has anybody else actually tried re-imaging after doing this and had it working? How are you transferring the keychain entry to the new OS?

axnessj
New Contributor

@bentoms

Unfortunately our corporate computer security policies at this time restrict storage of IP onto the cloud. What you suggest sounds like a great solution, but I highly doubt I will ever get the OK to store encryption keys outside our organization. I do appreciate your suggestion though, and I hope that it helps someone else.

@perrycj

Here is what we used to get the "logical volume" UUID

#!/bin/sh
# Get the UUID of the Users HD logical volume.
# Flattens `diskutil cs list` onto one line, then keeps only the text after the
# last "Logical Volume " header and before the dashed rule that follows it
# (so it picks up the last logical volume listed on the machine).
logvolUUID=$(echo $(diskutil cs list) | sed -e 's/.*Logical Volume //g' -e 's/ --.*//g')

As opposed to getting the UUID for creating the FSTAB entry: http://macmule.com/2012/07/31/how-to-use-fstab-within-a-casper-imaging-workflow/

#!/bin/sh
# Get the Volume UUID of the Users HD volume (this is the one fstab wants,
# not the CoreStorage logical volume UUID used for the keychain entry).
usersUUID=$(/usr/sbin/diskutil info "Users HD" | grep "Volume UUID:" | awk '{print $3}')

@nessts

Currently we were using the same password on our test machines to encrypt the Users HD volume. Since we haven't found a good way to "hide" this from Admins viewing it in the System keychain we are looking into salting something common to a machine to create a unique password that would be easy to "recreate". Since the script creates the system keychain encrypted volume password entry there is no need to transfer it.
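The two UUID snippets above grab the last "Logical Volume" header in the flattened output, which is fine with one CoreStorage volume. As an added example (not from the original post or the Unlock project), the function below picks the logical volume UUID by its LV Name instead, so it also works when a Mac carries more than one CoreStorage logical volume. The `diskutil cs list` text is a constructed, abbreviated rendering of the 10.9 layout with made-up UUIDs; field names follow diskutil.

```shell
#!/bin/sh
# Extract the CoreStorage Logical Volume UUID for a named volume from
# `diskutil cs list` output. $1 = volume name, stdin = diskutil output.
lv_uuid_for_volume() {
    awk -v want="$1" '
        # Remember the most recent "Logical Volume <UUID>" header line.
        # "Logical Volume Group" / "Logical Volume Family" lines do not match
        # because the text after "Logical Volume " must be hex and dashes only.
        /^[ |+>-]*Logical Volume [0-9A-F-]+$/ { uuid = $NF }
        # The "LV Name:" line sits under that header; emit the UUID on a match.
        /LV Name:/ {
            sub(/.*LV Name:[ \t]*/, "")
            if ($0 == want && uuid != "") { print uuid; exit }
        }
    '
}

# Constructed sample of `diskutil cs list` (assumed 10.9 layout, fake UUIDs).
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Users HD
    |
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   Disk:     disk0s3
    |
    +-> Logical Volume Family 99999999-8888-7777-6666-555555555555
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 0123ABCD-4567-89EF-0123-456789ABCDEF
            Disk:                  disk2
            LV Name:               Users HD
            Volume Name:           Users HD'

# Runs the parser over the sample; on a real Mac feed the live output instead:
#   diskutil cs list | lv_uuid_for_volume "Users HD"
users_lv_uuid() {
    printf '%s\n' "$SAMPLE_CS_LIST" | lv_uuid_for_volume "Users HD"
}
```

An empty result means no logical volume carried that LV Name, which is the case to check for before writing the keychain entry.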

perrycj
Contributor III

@axnessj Thanks, appreciated.

Quick question...when you go to re-image (which I'm sure happens eventually), do you use a different configuration in Casper Imaging to do the re-image of the OS partition instead of your normal one...assuming the normal one has the process to make the /Users partition? So you wouldn't want to run that one again because the /Users partition is already there and made.

Does that make sense? ha.

nessts
Valued Contributor II

I think you are talking to @nessts instead of @perrycj. Anyhow, I generate random passwords for every computer. I have a process where I can extract the password and put it in a particular location so during setup it knows the proper password to use, but it never Unlocks properly at boot time like it does when it is set up the first time. If I manually run my version of Unlock it mounts the drive. So just something odd I have yet to have time to debug, so lately all encrypted Macs get one partition.

perrycj
Contributor III

@nessts thanks. I was directing it towards everyone but I guess specifically asking @axnessj as well.

Just curious, with or without encryption, when using a /Users HD partition as a workflow... when it comes to re-imaging but you want to keep the data on /Users HD intact, I'm assuming you all use a different configuration in Casper Imaging... one without the process of creating the /Users HD partition, which then just focuses on the Macintosh HD partition for the OS.

Sorry if I'm not being clear ha. Just making sure I understand how you guys are handling re-imaging of the OS but not the /Users HD partition.

axnessj
New Contributor

@perrycj

You're right about re-imaging. The whole purpose of this project is so that we can re-image our machines without transferring the user's data and keep up with Apple's yearly OS releases (ridiculous to support in an Enterprise) without impacting the user experience. Rather than attempt to anticipate the HDD needs of the users, I think we are leaving the partitioning of the drives up to the discretion of the techs at their facilities, rather than using a configuration to predefine percents or sizes. So creating the partitions is manual at this time. I am thinking 100GB for Macintosh HD and the remaining for Users HD, but I know there are cases when this might need to be different.

Also, because you point the image to "Macintosh HD" in Casper Imaging, it doesn't affect the Users HD.

perrycj
Contributor III

@axnessj That's what I figured but wanted to clarify. So you guys manually create the 2 partitions before imaging and then just image the Macintosh HD partition... instead of using Casper Imaging to partition the drives into your desired parts? Interesting. We're a large corporation with a lot of moving parts but I may try to make this general practice at our depots.

I was under the impression you guys were doing all partitioning through Casper Imaging, including making the /Users HD partition. Doing it beforehand, if possible, definitely makes it easier.

bentoms
Release Candidate Programs Tester

@perrycj, all our partitioning is via Casper Imaging.

The configuration looks for Macintosh HD & Users HD. If Users HD is not found, then it partitions; if it is found, then no repartitioning is done.

The config then erases the Macintosh HD & installs all onto that partition.