Posted on 05-01-2013 01:18 PM
So it's coming down from our security team that we need to encrypt our Mac Laptops with some kind of encryption. I've been pouring over the forums, apple's white paper, casper's white paper, and Rich Trouton's video of FV2. I saw that in 10.8.2 there's a bug with AD and FV2, but it wasn't clear if it was fixed in 10.8.3. I have a couple other questions though...
What's the difference between the institutionalized and the individual keys and what instance which would be used? I believe the institutionalized keys are ones that IT sets as the password and the individual keys are set per user?
I see the fdesetup is a 10.8.x thing, so casper wouldn't be able to automate the 10.7.x machines?
What's the easiest way to automate the setup of FV2 on a new machine (10.8.x)? Would that be add the 2 local admin accounts and then once the AD user logs in they are set too?
How does recovery work? Say a machine gets dropped or gets somethign spilled on it and they need a new machine. How can we recover the data off the drive? On a PC we pull the drive out and slave it off another machine, put in the recovery key, and everything is unlocked. How does that work?
Is there a way to prevent a user from removing FV2?
Posted on 05-01-2013 01:49 PM
Institutional - The institutional keychain is where you're building a FileVaultMaster.keychain on one machine and distributing it to other machines. I have a post on how to create one from the command line:
This recovery key is designed to be created once, then distributed to many machines.
During the video of my session from JNUC 2012, I've got a section where I talk about creating a FileVaultMaster.keychain file from the command line, exporting the recovery key parts so that Casper can import it either as a .p12 file or a .cer file, then uploading it to the Casper server.
I've also got the process described in the keynote slides from my session:
Individual - In the absence of a properly configured FileVaultMaster.keychain on a Mac, FileVault 2 will generate an alphanumeric recovery key for the machine. This recovery key is unique to each machine. It is not per-user, it is per machine.
For that, I recommend either upgrading those Macs to 10.8.x, or using a tool like Cauliflower Vest's csfde command line tool to encrypt them:
That depends. If you want a policy that adds two accounts, then you won't be able to use Casper's FileVault 2 management. Casper is set up to add one account at time of encryption (either the current user or the Casper admin account.)
I've got a couple of posts on recovery:
I also recommend that you check out the talk I gave at Penn State MacAdmins 2012. It covers a lot about recovery keys and how they work:
My blog has a number of posts on FileVault 2 as well:
Posted on 05-01-2013 04:57 PM
Rich's knowledge and links are excellent. I'd also recommend you read Apple's FileVault 2 whitepaper: