Crypt 2

WARNING: As this has the potential for stopping users from logging in, extensive testing should take place before deploying into production.

Crypt 2 is an authorization plugin that enforces FileVault 2 at login and then escrows the resulting recovery key to an instance of Crypt Server. Crypt 2 has been tested against 10.11 and 10.12; it should in theory work down to 10.9, but test thoroughly to ensure it works as expected.

Features

  • Uses a native authorization plugin, so FileVault enforcement cannot be skipped.
  • Escrow is delayed until there is an active user, so FileVault can be enforced while the Mac is offline.
  • Administrators can specify a list of usernames that should not have to enable FileVault (an IT admin account, for example).

New in v2.3.0

  • Added support for the use of Institutional Keys along with the default Personal Recovery Key. Just add your master keychain file at '/Library/Keychains/FileVaultMaster.keychain' and Crypt2 will handle the rest during initial Enablement.
  • If the RotateUsedKey preference is True and RemovePlist is False and the file defined by OutputPath is missing from disk, a new Recovery key will be generated at login.
  • OutputPath Preference. More info below.
  • Local Recovery Key validation on 10.12.5+. More info below.
  • Configurable Time Interval for re-escrowing (KeyEscrowInterval) the key if left on disk.

Configuration

Preferences can be set either in /Library/Preferences/com.grahamgilbert.crypt.plist or via MCX / Profiles.

ServerURL

The ServerURL preference sets your Crypt Server. Crypt will not enforce FileVault if this preference isn't set.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ServerURL "https://crypt.example.com"

SkipUsers

The SkipUsers preference allows you to define an array of users that will not be forced to enable FileVault.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt SkipUsers -array-add adminuser

RemovePlist

By default, the plist containing the FileVault recovery key is removed once the key has been escrowed. You can instead choose to leave the key on disk: the RotateUsedKey and ValidateKey features below only work while the key is still present. Bear in mind that this leaves a plaintext recovery key at OutputPath, so weigh that against what those features give you.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RemovePlist -bool FALSE

RotateUsedKey

Crypt 2 can rotate the recovery key if the key is used to unlock the disk. The caveat is that this only works if the key is still present on disk (see RemovePlist). This is set to TRUE by default.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RotateUsedKey -bool FALSE

ValidateKey

Crypt 2 can validate the recovery key if it is stored on disk (10.12.5 or later). If the key fails validation, the plist is removed so that a new key is generated at the next login. This is set to TRUE by default.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ValidateKey -bool FALSE

FDEAddUser

Crypt 2 can optionally add new users so that they can unlock the FileVault 2 volume (this happens while the disk is already unlocked). This feature works up to macOS 10.12 and not on later releases. The default is FALSE.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt FDEAddUser -bool TRUE

OutputPath

As of version 2.3.0 you can define where the recovery key is written. The default is '/var/root/crypt_output.plist'.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt OutputPath "/path/to/different/location"

KeyEscrowInterval

As of version 2.3.0 you can define, in hours, how often Crypt tries to re-escrow the key after the first successful escrow, as long as the key has been left on disk (see RemovePlist). The default is 1 hour.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt KeyEscrowInterval -int 2
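The same preferences can be delivered as a profile, as noted under Configuration. The script below is an added example, not code from the Crypt 2 project: it builds a .mobileconfig for the com.grahamgilbert.crypt domain from the keys documented above, checks each value has the type the `defaults write` flags imply, refuses to emit a profile whose ServerURL is missing (Crypt enforces nothing without it) or not https, and flags the RemovePlist interaction with RotateUsedKey/ValidateKey. The payload identifiers, the organization name and the custom-settings payload layout (PayloadType set to the preference domain) are this example's choices, not anything the README specifies.

```python
"""Build and sanity-check a configuration profile for Crypt 2's preference
domain, com.grahamgilbert.crypt.  Added example, not Crypt 2 project code:
it emits the README's `defaults write` keys as a custom-settings payload
(PayloadType = the preference domain) and rejects settings that would
silently leave FileVault unenforced or carry the wrong value types.
Payload identifiers and the organization name are placeholders."""
import plistlib
import uuid

CRYPT_DOMAIN = "com.grahamgilbert.crypt"

# Preference key -> (expected type, default stated in the README).
CRYPT_KEYS = {
    "ServerURL": (str, None),  # required: Crypt enforces nothing without it
    "SkipUsers": (list, []),
    "RemovePlist": (bool, True),
    "RotateUsedKey": (bool, True),
    "ValidateKey": (bool, True),
    "FDEAddUser": (bool, False),
    "OutputPath": (str, "/var/root/crypt_output.plist"),
    "KeyEscrowInterval": (int, 1),  # hours
}

# Settings mirroring the README's sample commands (edit for your fleet).
EXAMPLE_SETTINGS = {"ServerURL": "https://crypt.example.com",
                    "SkipUsers": ["adminuser"], "RemovePlist": False,
                    "KeyEscrowInterval": 2}


def _is_type(value, typ):
    """isinstance() that does not let a bool pass as an int."""
    if typ is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, typ)


def validate_crypt_settings(settings):
    """Return a list of problems; empty means the settings are usable."""
    problems = [f"{k}: not a Crypt 2 preference (typo?)"
                for k in sorted(set(settings) - set(CRYPT_KEYS))]
    url = settings.get("ServerURL")
    if not url:
        problems.append("ServerURL: missing, Crypt will not enforce FileVault")
    elif isinstance(url, str) and not url.startswith("https://"):
        problems.append("ServerURL: recovery keys must only travel over https")
    for key, (typ, _default) in CRYPT_KEYS.items():
        if key in settings and not _is_type(settings[key], typ):
            problems.append(f"{key}: expected {typ.__name__}, got "
                            f"{type(settings[key]).__name__}")
    skip = settings.get("SkipUsers", [])
    if isinstance(skip, list) and not all(isinstance(u, str) for u in skip):
        problems.append("SkipUsers: every entry must be a username string")
    hours = settings.get("KeyEscrowInterval")
    if _is_type(hours, int) and hours < 1:
        problems.append("KeyEscrowInterval: must be at least 1 hour")
    return problems


def effective_settings(settings):
    """Settings as Crypt will see them, with the README defaults filled in."""
    merged = {k: default for k, (_typ, default) in CRYPT_KEYS.items()}
    merged.update(settings)
    return merged


def caveats(settings):
    """Advisories (not errors) that follow from the README's semantics."""
    eff, notes = effective_settings(settings), []
    if eff["RemovePlist"] and (eff["RotateUsedKey"] or eff["ValidateKey"]):
        notes.append("RotateUsedKey/ValidateKey need the key on disk, but "
                     "RemovePlist deletes it after the first escrow")
    if not eff["RemovePlist"]:
        notes.append(f"a plaintext recovery key stays at {eff['OutputPath']}")
    return notes


def build_crypt_profile(settings, organization="Example Org"):
    """Return .mobileconfig bytes, or raise ValueError on bad settings."""
    problems = validate_crypt_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = dict(settings, PayloadType=CRYPT_DOMAIN, PayloadVersion=1,
                   PayloadIdentifier=f"{CRYPT_DOMAIN}.settings",
                   PayloadUUID=str(uuid.uuid4()).upper(),
                   PayloadDisplayName="Crypt 2 Settings")
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadScope": "System", "PayloadOrganization": organization,
               "PayloadIdentifier": f"{CRYPT_DOMAIN}.profile",
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "Crypt 2", "PayloadContent": [payload]}
    return plistlib.dumps(profile)


def load_profile_settings(profile_bytes):
    """Inverse of build_crypt_profile(): the Crypt keys inside a profile."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") == CRYPT_DOMAIN:
            return {k: v for k, v in payload.items() if k in CRYPT_KEYS}
    raise ValueError("no Crypt payload in profile")
```

Write `build_crypt_profile(EXAMPLE_SETTINGS)` to a file and install it with your MDM or `profiles`, then confirm on a test Mac that `defaults read /Library/Preferences/com.grahamgilbert.crypt` (or the managed-preferences domain) shows the expected values before letting anyone log in through it. The validator treats a missing ServerURL as an error rather than a warning on purpose: per the README that setting is the difference between enforcing FileVault and doing nothing, and a profile that installs cleanly but enforces nothing is the failure mode you least want to discover in an audit.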

Uninstalling

The install package modifies the Authorization DB; you need to remove these entries before removing the Crypt authorization plugin, otherwise the login right still references a bundle that no longer exists. A script that does this can be found at Package/uninstall.
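To confirm the Authorization DB is clean before (and after) running that script, you can inspect the system.login.console right yourself. The following is an added example, not the project's Package/uninstall script: it works on the XML plist that `security authorizationdb read system.login.console` prints, lists every mechanism that belongs to the Crypt bundle, and produces the stripped right you would feed back to `security authorizationdb write system.login.console`. The embedded right is constructed for this example (modeled on a stock 10.12 mechanism list), and the Crypt:* mechanism names in it are assumptions, not names taken from the README; the detection only relies on the fact that authorization-plugin mechanisms are named "<bundle>:<mechanism>[,privileged]", so every Crypt entry starts with "Crypt:".

```python
"""Find and strip Crypt 2's mechanisms from the system.login.console right.

Added example, not the project's Package/uninstall script. Input is the XML
plist printed by `security authorizationdb read system.login.console`. The
sample right below is constructed for this example; the Crypt:* mechanism
names in it are assumed. Authorization-plugin mechanisms are named
"<bundle>:<mechanism>[,privileged]", so Crypt's entries share one prefix."""
import plistlib

CRYPT_PREFIX = "Crypt:"

# Constructed sample: a system.login.console right after a Crypt 2 install.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>comment</key><string>Login mechanism based rule.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:reset-password,privileged</string>
    <string>loginwindow:FDESupport,privileged</string>
    <string>builtin:forward-login,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>Crypt:Check,privileged</string>
    <string>Crypt:CryptGUI</string>
    <string>Crypt:Enablement,privileged</string>
    <string>PKINITMechanism:auth,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>CryptoTokenKit:login</string>
    <string>loginwindow:done</string>
  </array>
  <key>shared</key><true/>
  <key>tries</key><integer>10000</integer>
</dict>
</plist>
"""


def find_crypt_mechanisms(right_plist):
    """Mechanism names in the right that belong to the Crypt bundle."""
    right = plistlib.loads(right_plist)
    return [m for m in right.get("mechanisms", []) if m.startswith(CRYPT_PREFIX)]


def strip_crypt_mechanisms(right_plist):
    """The same right with Crypt's mechanisms removed and everything else
    (class, comment, order of the remaining mechanisms) untouched, as XML
    plist bytes for `security authorizationdb write system.login.console`."""
    right = plistlib.loads(right_plist)
    right["mechanisms"] = [m for m in right.get("mechanisms", [])
                           if not m.startswith(CRYPT_PREFIX)]
    return plistlib.dumps(right)


def safe_to_remove_bundle(right_plist):
    """True only when no mechanism in the right still points at Crypt."""
    return not find_crypt_mechanisms(right_plist)
```

On a real machine the flow is: read the right with `security authorizationdb read system.login.console`, feed the output to `find_crypt_mechanisms()` to see what the installer added, write `strip_crypt_mechanisms()`'s output back with `security authorizationdb write system.login.console`, and only delete the Crypt bundle once `safe_to_remove_bundle()` is true on a fresh read. Do this on a test Mac first and keep a copy of the original right; the warning at the top of this README applies just as much to uninstalling as to installing.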

Building from source

You will need to configure Xcode to sign the bundle before building. Instructions for this are outside the scope of this readme and are available on Apple's site.

Credits

Crypt 2 couldn't have been written without the help of Tom Burgin - he is responsible for all of the good code in this project. The bad bits are mine.
