Filevault Individual Key Reissue

ocla__09
Contributor

Hello @elliotjordan and others!

Elliot I have been using your Filevault reissue script with success, however I have one machine in particular that keeps erroring out:
Running script reissue_filevault_recovery_key.sh...
Script exit code: 11
Script result: Alerting user washburb about incoming password prompt...
Prompting washburb for their Mac password...
Successfully prompted for Mac password.
Issuing new recovery key...
[WARNING] fdesetup exited with return code: 11.
Adding personal recovery key.
Error running script: return code was 11.

I am a little fuzzy on what "authentication" the error is referring to as it seems like they are putting their password in correctly. There is a profile set up on their machine to redirect keys to the JSS.

Any insight on where to look in this case? Strangely, I also see that there is a key in the JSS for this user, but I am thinking that it is no longer valid at this point.

Any insight would be much appreciated.


ocla__09
Contributor

Looks like the good old reboot was all that was needed in this case.

elliotjordan
Contributor III

Glad to hear it!

In case others are curious, you're referring to my workflow for reissuing missing or invalid personal recovery keys by prompting the FileVault-authorized user for their password with a company-branded message: https://github.com/homebysix/jss-filevault-reissue

Here's a handy list of fdesetup exit codes:
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/fdesetup.8.h...

Looks like number 11 is "Authentication error." My script pre-checks to make sure the user is FV-authorized and validates the password with dscl, so I'm not sure what would cause that.

Hello Elliot - I just tested the jss-filevault-reissue script on Monterey Beta 3 and it appears to work as expected. 🙂

ocla__09
Contributor

I have a few other machines exhibiting the behavior of no errors etc., but the key will not escrow into the JSS. I have tried re-provisioning the config profile that automatically directs keys to the JSS as well as rebooting the machine. The output is as below:
Running script reissue_filevault_recovery_key.sh...
Script exit code: 0
Script result: Alerting user "user" about incoming password prompt...
Prompting "user" for their Mac password...
Successfully prompted for Mac password.
Issuing new recovery key...
Displaying "success" message...

One other thing I noticed is that in the Encryption section of their computer record, it does not list our Disk Encryption Configuration. Could this indicate that the machine was not encrypted via Casper and as a result the key escrow would be impossible?

Thanks again!

elliotjordan
Contributor III

Hi @ocla__09,

If the workflow works, you should see a line that reads, Escrowing recovery key... Since I don't see that in your output, I think the escrow failed (or was not attempted).

You may want to try sudo fdesetup changerecovery -personal -verbose on that Mac to see whether the Escrowing recovery key... output appears. If not, confirm to make sure the profile is working (and no other redirection profiles are installed).

ocla__09
Contributor

So I ran the local command and indeed saw the escrow key part, yet there is still no key in the JSS(!).
fdesetup changerecovery -personal -verbose
Password:
fdesetup: use personal recovery key
fdesetup: device path = /
Enter a password for '/', or the recovery key:
Adding personal recovery key.
New personal recovery key = 'XXXX-XXXX-XXXX-XXXX-XXXX-XXXX'
Escrowing recovery key..

I ran the same command on my machine without the redirect profile and got no escrow as expected, then installed the profile and the key successfully escrowed. So I am confident the profile is working....
I am thinking at this point that either the machine needs to be re-enrolled in MDM, or I need to look at the server logs as to why that config profile is failing to send the key to the JSS. Do you concur?

ocla__09
Contributor

If the machine was by chance encrypted without Casper would that be a blocker to re escrowing the key?

elliotjordan
Contributor III

Probably not. The whole point of the workflow above is to regenerate a new recovery key for Macs that were encrypted without Casper.

It could be that there's an existing FileVault redirection profile installed that's superseding your org's profile. sudo profiles -Cv should show you all the computer-level profiles.
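The two checks Elliot describes above (look for the "Escrowing recovery key" line in the fdesetup output, and count the redirection profiles in sudo profiles -Cv) as an added helper script; this is not code from the thread or from jss-filevault-reissue. It assumes the redirection profile's payload type (com.apple.security.FDERecoveryKeyEscrow, or the older FDERecoveryRedirect) appears in the verbose profiles listing, and the only exit-code meaning it relies on is 11 = authentication error, as stated above.

```shell
# Added diagnostic helper (not part of jss-filevault-reissue).
# The two functions take captured text so they can be exercised offline;
# the macOS-only block at the bottom feeds them live command output.

# Count FileVault key-escrow redirection payloads in `profiles -Cv` output.
# Exactly one is expected; zero means no redirection, two or more means
# another profile may be superseding the org's profile.
count_escrow_profiles() {
    # $1 = captured text of `sudo profiles -Cv`
    printf '%s\n' "$1" \
      | grep -c -E 'com\.apple\.security\.FDERecovery(KeyEscrow|Redirect)' \
      || true   # grep -c exits 1 on zero matches; keep the printed "0"
}

# Classify a `fdesetup changerecovery -personal -verbose` run.
# $1 = fdesetup exit code, $2 = captured output (stdout+stderr)
classify_reissue() {
    rc="$1"; out="$2"
    if [ "$rc" -eq 11 ]; then
        echo "auth-error"              # fdesetup exit code 11: authentication error
    elif [ "$rc" -ne 0 ]; then
        echo "fdesetup-failed:$rc"     # some other fdesetup failure
    elif printf '%s\n' "$out" | grep -q 'Escrowing recovery key'; then
        echo "escrow-attempted"        # key was sent; look at the MDM/JSS side next
    else
        echo "escrow-not-attempted"    # no redirection profile took effect
    fi
}

# Live mode (macOS only, needs sudo, prompts for the FV user's password).
# Note: changerecovery really does rotate the personal recovery key.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    profiles_out=$(sudo profiles -Cv 2>&1)
    echo "escrow redirection profiles installed: $(count_escrow_profiles "$profiles_out")"
    reissue_out=$(sudo fdesetup changerecovery -personal -verbose 2>&1)
    reissue_rc=$?
    echo "reissue result: $(classify_reissue "$reissue_rc" "$reissue_out")"
fi
```

Run it as `bash fv_escrow_check.sh --live` on the affected Mac; "escrow-attempted" with no key in the JSS points at the server side, "escrow-not-attempted" points back at the profile.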

elliotjordan
Contributor III

Hi all! I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!