FileVault 2 - With or Without Private Key?

tuinte
Contributor III

Good day JAMFNation!

All machines are running 10.8.5. JSS is 9.23. I've never dealt with FileVault in a non-security preference pane capacity.

I've been following JAMF's guide at http://resources.jamfsoftware.com/documents/technical-papers/Administering-FileVault-2-on-OS-X-Mount... and rtrouton's keynote at https://derflounder.wordpress.com/2013/10/17/slides-from-the-filevault-2-session-at-jamf-nation-user..., which has been an incredible resource.

In JAMF's guide, there are instructions for exporting an institutional recovery key with a private key and instructions for exporting one without a private key. Rtrouton's keynote similarly has him exporting both, one with a private key and one without. Then he creates two Disk Encryption Configurations, one with each of his exports ("FileVault with Institutional Key" and "FileVault with Institutional Public Key").

When might you use one or the other in terms of deployment to clients? This isn't clicking for me.

Michael

7 REPLIES

alexjdale
Valued Contributor III

I'm not sure why you would want to upload the private key, since that should only be used for last-ditch recovery efforts in my opinion. Our private key is isolated and physically locked up with very restricted access, since it could be used to decrypt any system. It's not in the JSS at all.

I may be missing something, but I don't see the benefit of uploading the private key unless your security requirements are not all that strict and you value the convenience.

RobertHammen
Valued Contributor II

It used to be that you couldn't even enable FV2 if the private key was embedded in the /Library/Keychains/FileVaultMaster.keychain - haven't tested this on newer OSes, and that's certainly not what you would want to do/use. The keychain with the private key should be escrowed someplace safe (i.e. on an encrypted USB flash drive locked in a file cabinet, sealed with "In case of emergency, break seal" on it).

tuinte
Contributor III

Understood. Thanks very much for the clarification(s).

Another question:

The goal is to push FV2 out to all our users (~400) over the next month. In tests, I have it pushing OK, deferring to the current/next user logout. The policy is indeed pushing encryption out and prompting users for passwords, but then how do I enable our local admin accounts? I've been reading a lot on the subject, and perhaps I've just swum out too deep without enough knowledge as to what advice pertains to me. I'd like to avoid the GUI, but any kind of automation seems to require a previously enabled username/password combo, and I wouldn't have access to a user's password. What's the solution?

Michael

alexjdale
Valued Contributor III

We actually don't enable our local admin account for FV because that creates a similar security risk as the private key (one password that can bypass encryption for all of our laptops). We use the Recovery key whenever we need access to a system that is not booted.

I actually have FV enabled via a script which runs once a day for new systems until FV is active in some way (deferred mode or encrypted). If the current logged in user is our administrator account, the script exits (so it doesn't kick in during setup). Otherwise, FV is enabled for the currently logged in user and they get the prompt for their password on logout. It's been working well so far and is automated to where our techs don't need to think about it.
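The once-a-day check alexjdale describes, written out as an added example (this is not his script, and it uses the manual fdesetup route rather than a JSS Disk Encryption Configuration). It assumes a local admin account named "localadmin" and a deferral plist path of /private/var/root/fv_defer.plist; both are hypothetical and should be changed to match your environment. The decision logic is a pure function so it can be tested without a Mac; the fdesetup calls only run when the script is executed as root on OS X.

```shell
#!/bin/sh
# Added example (not alexjdale's actual script): a daily FileVault 2
# enablement check intended to run as root from a Jamf policy.
# Assumptions: the local admin is "localadmin" (hypothetical) and the
# deferral plist path below is arbitrary.

ADMIN_USER="${ADMIN_USER:-localadmin}"          # assumption: your local admin account
DEFER_PLIST="/private/var/root/fv_defer.plist"  # assumption: where the recovery key plist goes

# Decide what to do from the text of `fdesetup status` and the console user.
# Pure function (no macOS calls) so it can be exercised on any system.
# Prints exactly one of: done, deferred, skip, enable
fv_action() {
    status="$1"; console_user="$2"; admin_user="$3"
    case "$status" in
        *"FileVault is On."*) echo done; return 0 ;;
        *"Deferred enablement appears to be active"*) echo deferred; return 0 ;;
    esac
    # Login window (console owned by root), nobody logged in, or the admin
    # account at the console (machine still being set up): do nothing today.
    if [ -z "$console_user" ] || [ "$console_user" = root ] || [ "$console_user" = "$admin_user" ]; then
        echo skip; return 0
    fi
    echo enable
}

main() {
    status="$(fdesetup status)"
    console_user="$(stat -f %Su /dev/console)"   # owner of /dev/console = logged-in user
    case "$(fv_action "$status" "$console_user" "$ADMIN_USER")" in
        done|deferred) echo "FileVault already on or deferred; nothing to do." ;;
        skip)          echo "Console user is '$console_user'; not enabling now." ;;
        enable)
            # -defer: the console user is prompted for their password at next
            # logout and becomes the enabled user; the personal recovery key is
            # written to DEFER_PLIST in plaintext once encryption starts.
            # -keychain: also add /Library/Keychains/FileVaultMaster.keychain
            # (the institutional key) as a recovery key.
            fdesetup enable -defer "$DEFER_PLIST" -keychain
            chmod 600 "$DEFER_PLIST" 2>/dev/null || true
            ;;
    esac
}

# Only touch fdesetup on a Mac, as root (Jamf policies run scripts as root).
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    main
fi
```

Because the deferral plist ends up holding the personal recovery key, collect and escrow it (a JSS FileVault policy does this for you) and delete the file afterwards; leaving it on the disk it protects defeats the point.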

rtrouton
Release Candidate Programs Tester

@alexjdale,

The answer to this question is going to depend on whether the laptops in question are running OS X 10.8.x or 10.9.x. Since they're all running 10.8.5 according to your description, your existing admin account can actually enable itself.

I've got a post on the differences between the two OSs, which includes a description of how 10.8.x admin accounts can enable themselves for FileVault 2:

http://derflounder.wordpress.com/2013/10/24/enabling-users-for-filevault-2-with-a-non-enabled-admin-...

For 10.9.x Macs, I recommend taking a look at page 27 of JAMF's Administering FileVault 2 on OS X Mavericks with the Casper Suite, Version 9.2 or Later documentation:

http://www.jamfsoftware.com/resources/administering-filevault-2-on-os-x-mavericks-with-the-casper-su...
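The non-GUI path rtrouton is pointing at is `fdesetup add -inputplist`, which reads a property list of credentials on stdin. The following is an added example, not code from rtrouton's post or the JAMF guide: it builds that plist from a shell function so nothing has to be saved to disk, and it escapes XML special characters so a password containing `&` or `<` does not produce a malformed plist. The account names "localadmin" and "jdoe" are hypothetical. On 10.8.x the post above says the admin account can act as its own enabler; on 10.9.x the Username entry must already be a FileVault-enabled user.

```shell
#!/bin/sh
# Added example (not from rtrouton's post or the JAMF guide): generate the
# plist that `fdesetup add -inputplist` reads on stdin and feed it in.
# Assumed account names "localadmin" and "jdoe" are hypothetical.

# Escape the five XML special characters (stdin -> stdout). '&' goes first
# so the entities introduced by the later substitutions are not re-escaped.
xml_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Print the fdesetup input plist. Username/Password authorizes the change;
# AdditionalUsers lists the account(s) to enable, with their own passwords.
fv_add_plist() {
    enabler="$1"; enabler_pw="$2"; new_user="$3"; new_pw="$4"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(printf '%s' "$enabler" | xml_escape)</string>
    <key>Password</key>
    <string>$(printf '%s' "$enabler_pw" | xml_escape)</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$(printf '%s' "$new_user" | xml_escape)</string>
            <key>Password</key>
            <string>$(printf '%s' "$new_pw" | xml_escape)</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Pipe the plist straight into fdesetup so the plaintext passwords never
# land in the filesystem. Must run as root. Check the result afterwards
# with `fdesetup list`, which prints "username,GeneratedUID" per enabled user.
fv_add_user() {
    fv_add_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist
}

# Usage on a Mac, as root:  ./fv_add.sh localadmin 'adminpw' jdoe 'userpw'
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ] && [ $# -eq 4 ]; then
    fv_add_user "$@"
fi
```

Passing passwords as command-line arguments exposes them in `ps` output while the script runs; for anything beyond a one-off, read them with `read -s` or from a root-only file you delete afterwards. And as alexjdale notes, enabling one shared local admin on every Mac hands out a single password that unlocks all of them, so weigh that against using the recovery key when a machine needs servicing.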

rtrouton
Release Candidate Programs Tester

Whoops, that last was directed at @tuinte.

tuinte
Contributor III

@rtrouton
You're the rtrouton from the site. Cool. Thanks so much. I've got it working in what seems like a well-behaved way. Very helpful. 10.9 is on the year-end horizon, so necessary reading for me.

@alexjdale
That makes sense to me. I'll be having a chat with ye olde superiours about this. They were keen on the least intrusive implementation of FV possible, but, of course, that half-defeats the purpose. Great food for thought.