Prevent FileVault Decryption via Yosemite's Pre-Boot Recovery Options?

etippett
Contributor II

As usual, the Der Flounder blog alerts me to new information that may have a significant impact on our environment:
Yosemite’s FileVault 2 pre-boot recovery options

I'm most concerned about the third option ("My keyboard isn't working"), since it allows any FileVault-enabled user to decrypt the drive by supplying their password (side note: how is one supposed to enter their password if their keyboard is not working???). Since the Security and Privacy System Preferences pane is locked, there previously was no way for non-admin users to do this (we also have firmware passwords enabled to prevent them from doing it via the Recovery HD).

Is anyone else concerned about this? If so, does anyone have ideas on how to prevent users from being able to do this? The only thing I can think of is removing the Reset Password Wizard app/binary from the Recovery HD, but that seems rather extreme, with potentially unwanted side effects.

Thanks!
Eric

2 REPLIES

gskibum
Contributor III

I had a user do the "My keyboard isn't working" thing last week. I wasn't a fly on the wall to see the chain of events, but his keyboard was in fact not working, which is what started the whole fiasco. Otherwise this wouldn't have happened. He swapped keyboards to move the process along.

Are you using Casper to deploy FileVault institutional recovery keys?

My user had a recovery key set by using System Preferences/Security & Privacy.

etippett
Contributor II

@gskibum We're using Casper but with individual recovery keys. Why do you ask? If I understand the process correctly, it wouldn't matter what kind of key we're using, since all that is needed to decrypt is an enabled user's password.