FileVault 2 + casper + AD users

Valued Contributor II

So it's coming down from our security team that we need to encrypt our Mac laptops with some kind of encryption. I've been poring over the forums, Apple's white paper, Casper's white paper, and Rich Trouton's video of FV2. I saw that in 10.8.2 there's a bug with AD and FV2, but it wasn't clear if it was fixed in 10.8.3. I have a couple other questions though...

What's the difference between the institutionalized and the individual keys and what instance which would be used? I believe the institutionalized keys are ones that IT sets as the password and the individual keys are set per user?

I see the fdesetup is a 10.8.x thing, so casper wouldn't be able to automate the 10.7.x machines?

What's the easiest way to automate the setup of FV2 on a new machine (10.8.x)? Would that be add the 2 local admin accounts and then once the AD user logs in they are set too?

How does recovery work? Say a machine gets dropped or gets something spilled on it and they need a new machine. How can we recover the data off the drive? On a PC we pull the drive out and slave it off another machine, put in the recovery key, and everything is unlocked. How does that work?

Is there a way to prevent a user from removing FV2?


Valued Contributor III


  1. The difference between individual and institutional keys is how they're generated.

Institutional - The institutional keychain is where you're building a FileVaultMaster.keychain on one machine and distributing it to other machines. I have a post on how to create one from the command line:

This recovery key is designed to be created once, then distributed to many machines.

During the video of my session from JNUC 2012, I've got a section where I talk about creating a FileVaultMaster.keychain file from the command line, exporting the recovery key parts so that Casper can import it either as a .p12 file or a .cer file, then uploading it to the Casper server.

I've also got the process described in the keynote slides from my session:

Individual - In the absence of a properly configured FileVaultMaster.keychain on a Mac, FileVault 2 will generate an alphanumeric recovery key for the machine. This recovery key is unique to each machine. It is not per-user, it is per machine.

  2. Casper's FileVault 2 management depends entirely on fdesetup. For 10.7 Macs, they'll need to be encrypted another way.

For that, I recommend either upgrading those Macs to 10.8.x, or using a tool like Cauliflower Vest's csfde command line tool to encrypt them:

  3. That depends. If you want a policy that adds two accounts, then you won't be able to use Casper's FileVault 2 management. Casper is set up to add one account at time of encryption (either the current user or the Casper admin account.)

  4. I've got a couple of posts on recovery:

  5. Nope. If a user is authorized to log in at the FileVault 2 pre-boot login screen, they can decrypt their FileVault 2-encrypted Mac. My recommendation there is to set an IT policy against decrypting and then use Casper to monitor for unencrypted machines.

I also recommend that you check out the talk I gave at Penn State MacAdmins 2012. It covers a lot about recovery keys and how they work:

My blog has a number of posts on FileVault 2 as well:
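
The reply above describes two fdesetup-driven pieces: enabling FileVault 2 for a single account (with an institutional key if a FileVaultMaster.keychain is in place, a personal recovery key otherwise) and monitoring for Macs that have been decrypted. The script below is an added example written for this page, not code from the thread or from Rich's posts. It assumes the 10.8+ fdesetup tool, the `enable -inputplist` / `enable -keychain` options and the `fdesetup status` wording ("FileVault is On." / "FileVault is Off.", followed by an "Encryption in progress: Percent completed = NN" or "Decryption in progress: ..." line while a pass is running); check that wording against the OS build you deploy to. The keychain path and the `<result>` extension-attribute format are assumptions as well.

```shell
#!/bin/bash
# Added example (not from the original thread). Assumes OS X 10.8+ fdesetup;
# the `fdesetup status` phrasing matched below is assumed from the 10.8 tool.

# Escape the characters that would break the input plist if a user name or
# password contained them (fdesetup parses the plist as XML).
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that `fdesetup enable -inputplist` reads from stdin.
# Passing credentials this way keeps them out of `ps` output, unlike
# handing them over as command-line arguments.
fv2_enable_plist() {
  local user pass
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$user</string>
    <key>Password</key>
    <string>$pass</string>
</dict>
</plist>
EOF
}

# Classify the text printed by `fdesetup status`. An in-progress pass is
# reported on its own because "FileVault is On." is printed during both
# encryption and decryption, and a decryption under way is exactly what the
# IT policy against decrypting wants to catch.
fv2_state() {
  case "$1" in
    *"Decryption in progress"*) echo "Decrypting" ;;
    *"Encryption in progress"*) echo "Encrypting" ;;
    *"FileVault is On"*)        echo "On" ;;
    *"FileVault is Off"*)       echo "Off" ;;
    *)                          echo "Unknown" ;;
  esac
}

# Casper extension-attribute style output: one <result> line per Mac, so a
# smart group can collect anything that is not "On" or "Encrypting".
fv2_report() {
  printf '<result>%s</result>\n' "$(fv2_state "$1")"
}

# Enable FileVault 2 for one account (run as root). With a
# /Library/Keychains/FileVaultMaster.keychain present, -keychain tells
# fdesetup to use the institutional key (assumed 10.8 behaviour). Without
# it, fdesetup prints the machine's personal recovery key on stdout; that
# is shown once, so capture it and escrow it instead of letting it scroll by.
fv2_enable() {
  local user="$1" pass="$2"
  if [ -f /Library/Keychains/FileVaultMaster.keychain ]; then
    fv2_enable_plist "$user" "$pass" | fdesetup enable -keychain -inputplist
  else
    fv2_enable_plist "$user" "$pass" | fdesetup enable -inputplist
  fi
}

# Only talk to the real tool where it exists (a 10.8+ Mac); elsewhere the
# functions above can still be exercised on captured status text.
if command -v fdesetup >/dev/null 2>&1; then
  fv2_report "$(fdesetup status)"
fi
```

Run as root. The `fv2_report` output is what a Casper extension attribute would return for the monitoring recommended above; the "Decrypting" state is the one worth alerting on immediately, since by the time `fdesetup status` says "Off" the data has already been in the clear for a while.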

New Contributor III

Rich's knowledge and links are excellent. I'd also recommend you read Apple's FileVault 2 whitepaper: