Posted on 07-27-2011 08:26 AM
I just wanted to get a feel for what others thought about this subject. I have been asked by the powers that be at my work about the possibility of using Lion's FileVault 2 for whole disk encryption at work here. While I think it is a good alternative for individuals, I don't really think it would be a good thing for a business for several reasons, like no centralized management, the users would have to be local admins, having to rely on clients or Apple for the recovery key, etc. I don't want to miss any points when I report back to management here.
Posted on 07-27-2011 09:56 AM
This may not be a concern if you're not in the US Government space, but FV2 isn't FIPS 140-2 certified as yet. +1 to the lack of centralized key escrow (and I don't mean with Apple).
Charlie Smith
Desktop Engineer
Information Services Department (ISD)
MIT Lincoln Laboratory
244 Wood St. Lexington, MA 02420
Phone: 781.981.0854
Posted on 07-27-2011 09:59 AM
Agree with what's been put forth already. +1 on key management. Need a way to recover in the event that an employee is no longer with the company, etc.
Question – I missed that FV2 would require that you be a local admin – is that true? Why?
Matt Bentley
Posted on 07-27-2011 10:12 AM
This is not 100% true. You can preinstall a recovery key on the machine and are able to unlock it later.
Posted on 07-27-2011 10:22 AM
Can you explain how this can be done?
Posted on 07-27-2011 10:28 AM
Pretty much holds true for Lion. Look at the "Preparing for FileVault" section.
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
Posted on 07-27-2011 10:41 AM
I did not see any way of "setting" the recovery key on a single machine, let alone using the same recovery key for all the machines. I know you can set the master password for FileVault in previous releases. I didn't think you could do this with Lion. If you know where these settings can be made, can you please let me know?
Posted on 07-27-2011 10:49 AM
The dev forums have a good thread on it:
The gist is: encrypt a test machine and then take a copy of /Library/Keychains/FileVaultMaster.keychain.
Remove the private key from that keychain.
Distribute keychain as part of your imaging process.
The user will then be allowed to encrypt but will be informed that the recovery key has already been set. (See screenshot)
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420

Posted on 07-27-2011 04:06 PM
Charles Edge and I have been going around with this. Don't think it's possible to use the key to decrypt, based upon not only Charles' tests but what Rich Trouton was told at WWDC.
I performed my configuration for FV1 as Jared posted to the list. The FileVaultMaster.keychain (sans private key) and FileVaultMaster.cer files do get deployed to a Lion system, and you do see the dialog about the recovery key being installed, but again, don't think it's possible to use that to decrypt a drive, yet. Whether this will be Profile Manager or some other way to make this work, hang on, still being determined (I'm going to open an AppleCare Enterprise case on this).
This is the big reason to "hang on" with respect to FileVault 2 for corporate use right now. Also some issues with network users (have to love this *thorough* kBase article:
Posted on 07-27-2011 04:32 PM
You're opening a what? Surely you mean Starship Enterprise. Or Enterprise Rent-A-Car. AppleCare What?
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
Posted on 07-27-2011 05:14 PM
I can confirm this with my own testing. You can set a recovery key using FileVaultMaster.keychain, but you're unable to decrypt with it yet. The workaround at this point is to unlock and/or decrypt using the passphrase of an authorized user. You can do this through Disk Utility or via the command line using the following commands:
To find the UUID for the encrypted volume: diskutil cs list
To unlock: diskutil corestorage unlockVolume UUID_here -stdinpassphrase
To unencrypt: diskutil corestorage revert UUID_here -stdinpassphrase
The -stdinpassphrase flag will cause the command to prompt you for the password/passphrase of an account that’s authorized to unlock the encryption.
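The recovery steps in the post above (find the CoreStorage UUID, unlock, revert) are easy to get wrong when typed by hand against a live `diskutil cs list` listing. The following script is an added example, not code from the thread: it parses a constructed, abridged `diskutil cs list` listing (the UUIDs and layout are made up, and the format is assumed to approximate what Lion prints), pulls out each logical volume's UUID together with its encryption status, and prints the `diskutil corestorage` commands that would be run next. The `diskutil` invocations are only printed, so the parsing can be exercised on any POSIX shell; `diskutil`, `unlockVolume`, `revert` and `-stdinpassphrase` are the real names from the post.

```shell
#!/bin/sh
# Added example (not from the thread): parse `diskutil cs list` output, find the
# CoreStorage logical volume UUID(s) and print the unlock / revert commands.
# The diskutil calls are printed rather than executed so this runs anywhere.

# Constructed sample of `diskutil cs list` output for one locked FileVault 2 volume.
# UUIDs and layout are made up for illustration (abridged, not captured from a Mac).
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0A1B2C3D-1111-2222-3333-444455556666
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 1A2B3C4D-AAAA-BBBB-CCCC-DDDDEEEEFFFF
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 2B3C4D5E-AAAA-BBBB-CCCC-DDDDEEEEFFFF
        ----------------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Has Encrypted Extents:   Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 3C4D5E6F-AAAA-BBBB-CCCC-DDDDEEEEFFFF
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS'

# lv_table LISTING: print "LV_UUID ENCRYPTION_STATUS" for every logical volume.
# The "Encryption Status" line belongs to the family printed before the LV, so awk
# remembers the last status seen and attaches it to the next "+-> Logical Volume <uuid>".
# "Logical Volume Family <uuid>" and "Logical Volume Group <uuid>" do not match the
# pattern because the UUID must directly follow "Logical Volume ".
lv_table() {
    printf '%s\n' "$1" | awk '
        /Encryption Status:/               { status = $NF }
        /[+]-> Logical Volume [0-9A-F-]+$/ { print $NF, (status == "" ? "Unknown" : status) }
    '
}

# lv_uuids LISTING: just the UUIDs, one per line (what the diskutil commands need).
lv_uuids() {
    lv_table "$1" | cut -d ' ' -f 1
}

# plan_recovery LISTING: print the diskutil commands to run for each volume.
# A locked volume has to be unlocked before it can be reverted (decrypted).
# -stdinpassphrase makes diskutil read the authorized user's passphrase from
# stdin, keeping it out of the command line, shell history and process listings.
plan_recovery() {
    lv_table "$1" | while read -r uuid status; do
        case $status in
            Locked)
                printf 'diskutil corestorage unlockVolume %s -stdinpassphrase\n' "$uuid"
                printf 'diskutil corestorage revert %s -stdinpassphrase\n' "$uuid"
                ;;
            Unlocked)
                printf 'diskutil corestorage revert %s -stdinpassphrase\n' "$uuid"
                ;;
            *)
                printf '# %s: encryption status %s, nothing to do\n' "$uuid" "$status"
                ;;
        esac
    done
}

# Demo against the constructed sample. On a Lion machine you would feed in the
# live listing instead:  plan_recovery "$(diskutil cs list)"
plan_recovery "$SAMPLE_CS_LIST"
```

Run on a Lion machine, `plan_recovery "$(diskutil cs list)"` shows the exact commands before anything is executed; an unknown or missing status is reported rather than acted on, so a listing in an unexpected layout does not produce a revert on the wrong volume.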
Posted on 08-22-2011 08:58 AM
Have any of you seen an update to this yet? We too are looking to centrally manage our recovery key, but if you can't decrypt what is the
James Fuller | Client Productivity Engineering | senior systems engineer