Turn OFF FileVault2

Brad_G
Contributor II

We've been testing using Casper to turn on FileVault2 for our laptop users or desktops where there may be sensitive data. Things are going well on that front. But once a computer has had FV enabled... what are the options to turn it "off"? Looking at @rtrouton's site I can see there is a fdesetup disable command that can be run. But it asks for a password or recovery key before it proceeds, even if it's run as a policy via root.

So my thought is to have a script that runs the fdesetup disable command. But not being script savvy I'm not sure how to handle passing the password. I thought I'd use the $4 variable so I don't have a password in the script for the entire JSS to see but use the variable so it's at least secure within my own site.

Thanks for any suggestions on how to script this or what you may be doing in your environment.


stevewood
Honored Contributor II

Hi @Brad_G

I don't believe you can pass the password directly to the fdesetup command, not even using a plist to input it. The only way I can think of that you might be able to do this would be to use an Expect script to pass the password. This is totally off the cuff, so I would test this A LOT before using in production:

#!/bin/sh

expect <<- DONE
  set timeout -1
  spawn fdesetup disable

  # Wait for the password / recovery key prompt, then answer it.
  # The shell expands ${4} into the heredoc before expect runs,
  # and the trailing \r is the Enter key fdesetup is waiting for.
  expect "*?or the recovery key:"
  send -- "${4}\r"

  # Wait for fdesetup to finish rather than for a literal "EOF" string
  expect eof
DONE

I'm not great with Expect, so again, test, test, test.


mm2270
Legendary Contributor II

An expect script will work, but I'm not certain exactly how reliable they are. I would personally do this through diskutil cs. Here's an example...

#!/bin/bash

password="$4"

if [ -z "$password" ]; then
    echo "No password passed in \$4"
    exit 1
fi

FV2Stat=$(fdesetup status)

if [[ "$FV2Stat" =~ "FileVault is On" ]] && [[ ! "$FV2Stat" =~ "Encryption in progress" ]]; then
    echo "FileVault 2 is currently on. Disabling..."
    # The Logical Volume Group and Logical Volume Family lines come first in
    # the diskutil output, so the last "Logical Volume ..." match is the LV itself
    lvUUID=$(diskutil cs list | awk '/Logical Volume/{f=$NF} END{print f}')
    if [ -z "$lvUUID" ]; then
        echo "Could not find a CoreStorage Logical Volume UUID"
        exit 1
    fi
    echo "Found lvUUID: $lvUUID"
    diskutil cs decryptLV "$lvUUID" -passphrase "$password"
    exit 0
else
    echo "FileVault 2 is off or doing a CoreStorage operation. Exiting..."
    exit 0
fi

Basically, pull the Logical Volume UUID, then use that in a diskutil cs decryptLV command along with the LVUUID, and pass the password to it, which itself can be passed to the script in $4 to make it a little more secure. Of course, something like this would only work if you have one account that is enabled for encryption on all your Macs, like the Casper service account. Otherwise, you'd have to get the user password into it somehow, like with an AppleScript or cocoaDialog window.

The only thing about doing it this way is it actually doesn't start a decryption until the Mac is rebooted. Basically, it schedules it, but since FDE is an at-rest type of encryption, it's effectively off as soon as the Mac is powered off or restarted. The Mac will boot back up without the usual FV2 login screen.

Note that I haven't really tested the above script. It's just an example, so you'd have to do some testing with your setup to make sure it works.
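As an added example that is not either poster's code: the same diskutil cs approach, but with the fdesetup status text classified into every state it can report (so a decryption that is already running is left alone rather than re-scheduled) and the passphrase handed to diskutil on stdin instead of on the command line, where a -passphrase argument is visible to any local user running ps. It assumes that diskutil cs decryptLV accepts -stdinpassphrase and that fdesetup status prints "Decryption in progress" while decrypting; the diskutil cs list sample is constructed.

```shell
#!/bin/bash
# Added example, not code from the thread. Classifies `fdesetup status` text and
# schedules CoreStorage decryption only when FileVault is fully on. Assumes that
# `diskutil cs decryptLV` accepts -stdinpassphrase (password on stdin, not in `ps`).

# Map fdesetup status text to: on | off | encrypting | decrypting | unknown
fv_state() {
    case "$1" in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Extract the Logical Volume UUID from `diskutil cs list` text. The Logical
# Volume Group / Family lines do not end in a bare UUID, so they are skipped.
lv_uuid() {
    printf '%s\n' "$1" | awk '/Logical Volume [0-9A-F-]+$/ {u=$NF} END {print u}'
}

# Schedule decryption of one LV; the passphrase is read from stdin.
schedule_decrypt() {
    printf '%s' "$2" | diskutil cs decryptLV "$1" -stdinpassphrase
}

main() {
    local password="$1" status state uuid
    status=$(fdesetup status)
    state=$(fv_state "$status")
    case "$state" in
        on)
            uuid=$(lv_uuid "$(diskutil cs list)")
            [ -n "$uuid" ] || { echo "No CoreStorage Logical Volume found"; return 1; }
            echo "FileVault is on; scheduling decryption of $uuid (starts after reboot)"
            schedule_decrypt "$uuid" "$password" ;;
        decrypting) echo "Decryption already in progress; nothing to do" ;;
        encrypting) echo "Encryption still running; retry once it finishes"; return 1 ;;
        off)        echo "FileVault is already off" ;;
        *)          echo "Unrecognised fdesetup status output"; return 1 ;;
    esac
}

# Constructed sample of `diskutil cs list` output, trimmed to the relevant lines.
SAMPLE_CS_LIST='+-- Logical Volume Group 0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9
    +-> Logical Volume Family 1B2C3D4E-5F60-7182-93A4-B5C6D7E8F90A
        +-> Logical Volume 2C3D4E5F-6071-8293-A4B5-C6D7E8F90A1B'
# Casper passes script parameters starting at $4; only act when one is given.
if [ -n "${4:-}" ]; then main "$4"; fi
```

Like the script above, this only schedules the decryption; the Mac still has to be restarted before the volume is actually decrypted.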