Enabling FileVault 2 Institutional key on a drive previously encrypted.

ryoshioka
New Contributor III

I have users that have enabled FileVault 2 on their computers already. We are moving forward with mandatory FileVault 2 on all devices with an institutional key.

Is there a way to add an institutional key without decrypting and recrypting the computers with FileVault 2 already enabled? I found this kbase article, but it doesn't apply since the applied user is not the management account.

Thanks in advance!


6 REPLIES 6

chiguchi
New Contributor

The kbase is correct and it works. The policy will run as the management account.
The Institutional key will replace the Individual key the user received when they encrypted the drive. The user will need IT assistance if they forget their password or if the user account is somehow corrupted where they cannot login at the FV2 login screen after shutdown or restart.

ryoshioka
New Contributor III

@chiguchi, but one of the requirements that needs to be met to follow the kbase article is either "The management account configured as the enabled FileVault 2 user" or "An existing, valid individual recovery key that matches the key stored in the JSS" and currently none of those conditions are met.

Is there a way for me to make the management account an enabled FileVault 2 user? Then I could follow the kbase article.

flyboy
Contributor

@ryoshioka, you'd have to know the FileVault password of the account that's already enabled. You could then use the inputplist functionality of fdesetup to add the management account to FileVault. That's what we do in this situation.

For example, I have a policy that runs the below script to add our management account to FV. You can extend this script with a little user interaction to prompt them for their current FileVault credentials.

#!/bin/bash
set -o nounset                              # Treat unset variables as an error

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

# mktemp creates the file with mode 0600. It will hold plaintext credentials,
# so keep it out of the working directory and delete it as soon as fdesetup is done.
PLIST_TEMP=$(mktemp /tmp/PL.XXXXXXX)

# Username/Password: an account that is already FileVault-enabled.
# AdditionalUsers: the management account to enable. Update both for your environment.
cat << EOF > "$PLIST_TEMP"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>filevault_username</string>
<key>Password</key>
<string>filevault_password</string>
<key>AdditionalUsers</key>
<array>
    <dict>
        <key>Username</key>
        <string>management_account</string>
        <key>Password</key>
        <string>management_password</string>
    </dict>
</array>
</dict>
</plist>
EOF

# fdesetup reads the credentials from the plist on stdin instead of prompting
if ! /usr/bin/fdesetup add -inputplist < "$PLIST_TEMP"; then
    echo "fdesetup add failed; the management account was not enabled"
    srm -m "$PLIST_TEMP"
    exit 1
fi

# Securely delete the plist that contains the passwords
# (srm was removed in macOS 10.12; use "rm -P" on those releases)
srm -m "$PLIST_TEMP"

Just make sure to update the username and password keys for your environment.

If you need to later remove the management account you can do it with this script:

#!/bin/bash
set -o nounset                              # Treat unset variables as an error

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

# Created with mode 0600; holds plaintext credentials until deleted below
PLIST_TEMP=$(mktemp /tmp/PL.XXXXXXX)

# Credentials of an account that is FileVault-enabled. Every <key> needs a
# value or the plist will not parse.
cat << EOF > "$PLIST_TEMP"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>filevault_username</string>
<key>Password</key>
<string>filevault_password</string>
</dict>
</plist>
EOF

# Remove the management account from the list of FileVault-enabled users
/usr/bin/fdesetup remove -user management_account < "$PLIST_TEMP"
RC=$?

# Securely delete the plist (srm was removed in macOS 10.12; use "rm -P" there)
srm -m "$PLIST_TEMP"
exit $RC
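
Building on the approach above, an added example that is not from the thread or from Apple's tooling: it XML-escapes the credentials before they go into the -inputplist document (a password containing & or < would otherwise break the plist) and parses `fdesetup list` output, which prints one "username,UUID" line per enabled user, to confirm the management account really is an enabled FileVault user, the condition the kbase article requires. The account names and the add_mgmt_to_filevault wrapper are placeholders of mine; only the macOS-specific wrapper needs fdesetup, the helpers run anywhere.

```shell
#!/bin/bash
# Added example, not code from the thread: build the fdesetup -inputplist document
# with XML-escaped credentials and verify FileVault status from `fdesetup list`.
# Account names are placeholders.

# Escape &, <, > and " so a password such as 'p&ss<word' cannot break the plist
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print the plist that `fdesetup add -inputplist` expects on stdin
build_add_plist() {
    local fv_user="$1" fv_pass="$2" mgmt_user="$3" mgmt_pass="$4"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$fv_user")</string>
  <key>Password</key><string>$(xml_escape "$fv_pass")</string>
  <key>AdditionalUsers</key>
  <array><dict>
    <key>Username</key><string>$(xml_escape "$mgmt_user")</string>
    <key>Password</key><string>$(xml_escape "$mgmt_pass")</string>
  </dict></array>
</dict>
</plist>
EOF
}

# Exit 0 if the account named in $1 appears in `fdesetup list` output read on stdin.
# Exact match on the first comma-separated field, so no regex metacharacter surprises.
fv_user_enabled() {
    awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# macOS-only flow: skip if the management account is already enabled, otherwise add it
# and confirm the result from `fdesetup list` rather than trusting the exit status alone
add_mgmt_to_filevault() {
    local fv_user="$1" fv_pass="$2" mgmt_user="$3" mgmt_pass="$4" tmp rc
    if /usr/bin/fdesetup list | fv_user_enabled "$mgmt_user"; then
        echo "$mgmt_user is already a FileVault-enabled user"; return 0
    fi
    tmp=$(mktemp /tmp/fvadd.XXXXXX) || return 1        # mode 0600, holds plaintext passwords
    build_add_plist "$fv_user" "$fv_pass" "$mgmt_user" "$mgmt_pass" > "$tmp"
    /usr/bin/fdesetup add -inputplist < "$tmp"; rc=$?
    rm -P "$tmp" 2>/dev/null || rm -f "$tmp"             # rm -P overwrites before unlinking on macOS
    [ "$rc" -eq 0 ] && /usr/bin/fdesetup list | fv_user_enabled "$mgmt_user"
}
```

Run as root with `add_mgmt_to_filevault "$fv_user" "$fv_pass" management_account "$mgmt_pass"`; a non-zero return means the account is still not listed as enabled and the kbase steps should not proceed.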

ryoshioka
New Contributor III

@Berrier, gotcha. I'll have to test these out on a test device before rolling this out to our users.

ryoshioka
New Contributor III

Finally got a chance to test your script, worked like a charm! Thank you very much.

flyboy
Contributor

@ryoshioka, excellent! You're welcome!