FileVault 2 wont enable.

jwojda
Valued Contributor II

I've spent my day working with FV2 and VMWare images. Now that I have the VMWare imaging issues resolved, i moved on to testing the FV2 (which is why I was messing with VMWare in the first place).

When I follow Rich's guide to enable FV through Self Service - I ran into a problem that seemed to stem from the root user being disabled - according to https://jamfnation.jamfsoftware.com/discussion.html?id=7051. for giggles I removed the command from the firstboot script and rebuilt the machine (a VM and a MBP) Lo and behold when I log out of SS it prompts to enter my PW (yay!!!) and then immedately throws up the following message (slightly paraphrased) (boo!!!).

There was a problem enabling FV on your computer. You should use system preferences security & privacy to view or change filevault.

The only thing in the log when I search for "filevault" is

ManagedClient[597]: MCX.doCmdLogout: setupFileVaultFDE enable returned 18

3 ACCEPTED SOLUTIONS

rtrouton
Valued Contributor III

If the source of the error was fdesetup, that corresponds to this:

18                 Unexpected keychain found error.

That error means that fdesetup was set to use an individual recovery key, but fdesetup found a FileVaultMaster.keychain file in /Library/Keychains.

I'd recommend checking your VM's /Library/Keychains folder for FileVaultMaster.keychain. If one's there, remove it and restart. After the restart, log in as the account you were logged in as, log out and see if you are prompted for your password again.

If not, log back in and re-run the policy via Self Service.

Here's the list of error codes that fdesetup can generate. All are listed on the fdesetup man page:

http://www.manpagez.com/man/8/fdesetup/

EXIT STATUS
     The exit status of the tool is set to indicate whether any error was detected. The values returned are:

     0                  No error, or successful operation.

     1                  FileVault is Off.

     2                  FileVault appears to be On but Busy.

     11                 Authentication error.

     12                 Parameter error.

     13                 Unknown command error.

     14                 Bad command error.

     15                 Bad input error.

     16                 Legacy FileVault error.

     17                 Added users failed error.

     18                 Unexpected keychain found error.

     19                 Keychain error. This usually means the FileVaultMaster keychain could not be moved or replaced.

     20                 Deferred configuration setup error.

     21                 Enable failed (Keychain) error.

     22                 Enable failed (CoreStorage) error.

     23                 Enable failed (DiskManager) error.

     24                 Already enabled error.

     25                 Unable to remove user.

     99                 Internal error.

View solution in original post

jwojda
Valued Contributor II

Thank you! I was looking for that list, my googlefu failed me.

i checked the keychain app and found nothing, but when I went to /library/keychains it was there. I removed and it prompted/encrypted as expected.

Now I gotta figure out what's causing the creation of that keychain and unlock the root user...

View solution in original post

Josh_S
Contributor III

The FileVaultMaster keychain is created when you use the "Set Master Password..." option in the "Users & Groups" System Preference. Are you, or someone else, doing this as part of your initial setup?

View solution in original post

13 REPLIES 13

rtrouton
Valued Contributor III

If the source of the error was fdesetup, that corresponds to this:

18                 Unexpected keychain found error.

That error means that fdesetup was set to use an individual recovery key, but fdesetup found a FileVaultMaster.keychain file in /Library/Keychains.

I'd recommend checking your VM's /Library/Keychains folder for FileVaultMaster.keychain. If one's there, remove it and restart. After the restart, log in as the account you were logged in as, log out and see if you are prompted for your password again.

If not, log back in and re-run the policy via Self Service.

Here's the list of error codes that fdesetup can generate. All are listed on the fdesetup man page:

http://www.manpagez.com/man/8/fdesetup/

EXIT STATUS
     The exit status of the tool is set to indicate whether any error was detected. The values returned are:

     0                  No error, or successful operation.

     1                  FileVault is Off.

     2                  FileVault appears to be On but Busy.

     11                 Authentication error.

     12                 Parameter error.

     13                 Unknown command error.

     14                 Bad command error.

     15                 Bad input error.

     16                 Legacy FileVault error.

     17                 Added users failed error.

     18                 Unexpected keychain found error.

     19                 Keychain error. This usually means the FileVaultMaster keychain could not be moved or replaced.

     20                 Deferred configuration setup error.

     21                 Enable failed (Keychain) error.

     22                 Enable failed (CoreStorage) error.

     23                 Enable failed (DiskManager) error.

     24                 Already enabled error.

     25                 Unable to remove user.

     99                 Internal error.

View solution in original post

jwojda
Valued Contributor II

Thank you! I was looking for that list, my googlefu failed me.

i checked the keychain app and found nothing, but when I went to /library/keychains it was there. I removed and it prompted/encrypted as expected.

Now I gotta figure out what's causing the creation of that keychain and unlock the root user...

View solution in original post

Josh_S
Contributor III

The FileVaultMaster keychain is created when you use the "Set Master Password..." option in the "Users & Groups" System Preference. Are you, or someone else, doing this as part of your initial setup?

View solution in original post

jwojda
Valued Contributor II

....
Why yes we are. You're a genius!

DanGIT
New Contributor

Apple OS X: How to create and deploy a recovery key for FileVault 2
http://support.apple.com/kb/HT5077

MrP
Contributor III

And here I thought it was a limitation of a virtual environment. *hatsoff*

jbaranski
New Contributor

I'm having the same issue, I deleted the FileVaultMaster.keychain file in /Library/Keychains but when I log out and enter my password it gives me the same error and then the FileVaultMaster.keychain re-appears.

rflois
New Contributor

I'm getting the following when trying to enable FileVault using our institutional key:

Apr 4 10:31:24 franky-mbpr ManagedClient[635]: MCX.doCmdLogout: setupFileVaultFDE enable returned 188

I can't find what that error code means.

Chris
Valued Contributor

I think i saw that one recently on a machine that had no recovery partition

yellow
Contributor

Chris is correct. Error 188 means that it cannot find a Recovery Partition, which is a requirement for FileVault 2.

For modern Macs, we will usually do an internet recovery install of OS X (which creates a Recovery Partition) for Macs we know will be FV'd. Alternately, for older Macs that don't have the ability to do an internet recovery, I've have tons of success with "Recovery Partition Creator".

richmac
New Contributor III

Has anyone had an issue with fdesetup where the exit status is always "0" no matter what the outcome?

Im using the plist method posted here https://jamfnation.jamfsoftware.com/discussion.html?id=11869

When the script runs "sudo fdesetup add -i < /tmp/fvenable.plist" and I purposely enter the incorrect password I get the response "Error: Unable to add user 'username' to existing FileVault because the user could not be authenticated".

Right below this line in the script is "if [ $? = 0 ]; then" which returns a "0 = 0" value and continues even thou it failed.

Here is the part of the script

until [ $counter = 2 ]; do
    sudo fdesetup add -i < /tmp/fvenable.plist
        if [ $? = 0 ]; then
            counter=2
        fi  
done

Here is the result, im using "set -x" to see these results.
+ sudo fdesetup add -i
Error: Unable to add user 'username' to existing FileVault because the user could not be authenticated.
+ '[' 0 = 0 ']'
+ counter=2
+ '[' 2 = 2 ']'

mattbomarc1
New Contributor

Bump. I have started getting the same error that @richmac has:

Error: Unable to add user 'username' to existing FileVault because the user could not be authenticated.

Has anybody gotten this figured out?

richmac
New Contributor III

@mattbomarc1 i did solve this, if i remember correctly i had to define $4 and $5 as variables first. For some reason the values set within casper for $4 and $5 were not being passed into the plist data.

Leave the values set within casper for $4 and $5 and add these to the top of your script:

adminAcc="$4"
adminPass="$5"

Then replace $4 and $5 within the xml with the variables as below

create_plist () {
    echo '<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Username</key>
    <string>'$adminAcc'</string>
    <key>Password</key>
    <string>'$adminPass'</string>
    <key>AdditionalUsers</key>