TweetFollow Us on Twitter

MacEnterprise: FileVault in the Enterprise, Part 1

Volume Number: 24 (2008)
Issue Number: 07
Column Tag: Security

MacEnterprise: FileVault in the Enterprise, Part 1

Data security for OS X administrators

By Greg Neagle, MacEnterprise.org

Data Security

Data security is a hot topic in Enterprise IT these days. As laptop usage increases, pushing out traditional desktops, the risk to company data is greater than ever. If a laptop is stolen or lost, the replacement cost of the hardware may be a pittance compared to the value of the data stored on the laptop's hard drive.

Therefore many companies are mandating some sort of data encryption for company laptops. If a laptop is then stolen or lost, the data would be inaccessible to the thief. "Whole-disk encryption" is a direction many companies are moving toward, but as of this writing, there are no shipping products that will encrypt a Mac boot volume (although some companies have products in the beta stage). So Mac administrators must work with what is available: a technology Apple calls "FileVault," which secures users' home directories with AES-128 encryption.

In part one of this series, we'll cover preparation and implementation of FileVault in an enterprise environment.

In part two, we'll examine some of the issues you may encounter when implementing and supporting FileVault in an enterprise environment, and techniques and tools to use to deal with some of these issues.

FileVault - encryption for user data

FileVault works by storing a user's files in an encrypted disk image file. Disk images are familiar to OS X administrators — many large organizations set up their OS X machines by restoring a disk image to the machine's hard drive, and many software installers are distributed in the form of disk image files. FileVault uses a disk image that is encrypted with the user's login password. When the user logs in, his or her password is used to unlock the disk image. The image is then mounted under /Users/<username> and for the most part, looks and behaves like a normal user home folder.

There are two primary risks associated with implementing FileVault for your users. The first is that they forget their password and cannot access their data. Since the password is the same as the login password, this seems an unlikely scenario, but there are other ways a user can lock themselves out of a FileVault-protected account. It's not uncommon for organizations to implement a web page that all users can go to change their password. If, however, a user with a FileVault-protected account does this, the FileVault disk image is not updated with the new password – this only happens if you use the Accounts preferences pane to change your password. Another way the password can get out of sync is if the user has multiple machines, and changes their password on a machine other than the laptop with the FileVault-encrypted home directory. Apple has provided a way for administrators to unlock FileVault disk images – this is the FileVault "master password". We'll look at this later in the article.

The second primary risk associated with FileVault is data corruption. Under Tiger, FileVault-protected home directories are encrypted disk images, and since a disk image is a single file, corruption of that single file can lead to the loss of the entire FileVault home directory. This type of corruption is rare, but is possible. In Leopard, FileVault now uses "sparsebundles" as the disk image format. This stores the disk image data in multiple files within an enclosing directory. Apple claims better performance, and importantly, better reliability, which presumably means that disk image corruption is even less likely. Your best defense against data corruption is backups. Backups are always important for enterprise data, but they are even more important for FileVault-protected data.

Preparing for FileVault

Before implementing FileVault in your organization, you might want to do some prep work. The most important bit of prep work is to set the FileVault master password for all your machines. This is the password you can use to get access to a FileVault-protected disk image if the user's password has been forgotten or is otherwise not available. In order to be useful, you almost certainly want this master password to be the same on all the machines you manage.


10.5's Security Preference pane – FileVault tab

To do this, you'll create a FileVault master password on one machine, and then copy certain files to all your managed machines. Open the Security preference pane and click Set Master Password. Since this will be deployed to all your managed machines, and since changing it (and propagating that change to existing FileVault-protected accounts) is difficult, make sure it's a non-trivial password, and do not make it the same as any other admin or root password you have in use. Use the Password Assistant to check on the quality of your chosen password.

Two new files are created in /Library/Keychains: FileVaultMaster.cer, and FileVaultMaster.keychain.

To implement the FileVault master password on all the machines you manage, simply install these two files on all your managed machines. You can use any method to do this (put them in your install image, using ARD, radmind, FileWave, etc), but make sure they are in place before FileVault is turned on for any accounts on a given machine. If FileVault has been turned on before these FileVaultMaster files are installed, the pre-existing FileVault-protected accounts cannot be unlocked using the FileVault master password you just created.

The second most important preparation task is to ensure you have a method to backup user's home directories. If you are using Mobile Accounts and Portable Home Directories, you can simply back up the network home directories on the server. If you can't use Portable Home Directories, you may decide to use something like Retrospect or Time Machine to directly backup user home directories.

You may or may not want to implement the next preparation task: turning on password hints. If your users forget their passwords, in order to get a prompt to allow an administrator to unlock the account using the master password, Show password hints must be turned on in the Accounts preference pane, under Login Options, or if you are managing your clients via MCX, in Workgroup Manager, manage this Preference under Login->Login Window, checking Show password hint when needed and available. One last option is to do this via command-line, perhaps as part of a script:

sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint 3

In Tiger, this setting is labeled Show password hint after 3 attempts to enter a password in Workgroup Manager's preference management settings.

Additionally, the MasterPasswordHint key must exist in the defaults keys for /Library/Preferences/com.apple.loginwindow. Normally, this is set when you create the FileVault master password via the Security preferences pane. But if you simply distribute the /Library/Keychains/FileVaultMaster.cer and /Library/Keychains/FileVaultMaster.keychain files to other machines you manage, this key will probably not be set.

sudo defaults write /Library/Preferences/com.apple.loginwindow MasterPasswordHint ""

will do the job. (It's OK to have an empty hint, but the key must exist.)

Enabling password hints is itself considered a security risk in many organizations, so consider if you really want to do this. If you don't, there is no way from the GUI for an admin to recover a FileVault-protected home directory — but an admin can still do so from the command line.

The final preparation task is training. Train your tech support staff on FileVault, and provide a method for your users to find out more about FileVault as well. The better you document and train, the higher users acceptance will be.

Local preparation

There are a few things you can do on the local machine before turning on FileVault that will increase your odds of success. First, make sure the startup disk is healthy. Run Disk Utility to verify, and if needed, repair the startup disk. Second, minimize the amount of data that needs to be copied to the encrypted disk image - delete unneeded files. Empty the trash. rm -R /Users/username/Library/Caches/* to get rid of cache files. If you use Norton/Symantec AntiVirus, turn off AutoProtect. This will speed up creation of the new disk image and avoid issues where Norton AutoProtect interferes with disk image creation. (But be sure to turn it back on later!)

Finally, make sure there is enough free disk space on the startup disk for the FileVault conversion. When FileVault is enabled for an account, an encrypted disk image is created, everything is copied from the "unencrypted" home directory to the encrypted disk image, and finally the items in the unencrypted home directory are deleted. This means that you must have more free space on the hard drive than the size of the home directory you are encrypting. If the user has 60GB of data in his or her home directory, there needs to be more than 60GB free on the hard drive.

Turning on FileVault

Turning on FileVault is straightforward. Log in as the user for which you'd like to turn on FileVault. In the Security preferences pane, click the "Turn On FileVault..." button. If the preference pane is locked, you'll be asked to enter an admin password (which may effectively prevent users from turning on FileVault by themselves). You'll then be prompted for the user's account password (which may effectively prevent admins from turning on FileVault for users without their involvement). You'll be presented with one last dialog, informing you of the dire consequences that await you should you forget your login password and lose the master password.


FileVault confirmation dialog

New to Leopard is the option to turn on secure virtual memory from this dialog; in both Leopard and Tiger it can also be turned on in the Security preference pane. Also note the check box labled "Use secure erase". You should check this. If you do not, when OS X removes the original home folder after creating the FileVault disk image, it is possible to recover some or all of the data using an unerase or file rescue utility. This could defeat much of the purpose of turning on FileVault.

Once you click "Turn On FileVault" in this final confirmation dialog, the current user will be logged out and the FileVault conversion process will start. If anything interrupts the logout (such as cancelling when asked what to do with an unsaved document), the FileVault conversion will be cancelled and you'll have to visit the Security preference pane to start again from the beginning.

If the FileVault conversion process fails for any reason, the partially-created encrypted disk image is removed, and the original home directory is left untouched. Possible reasons for failure of the FileVault conversion are a full hard drive; drive or file system errors or failures; and anti-virus scanning of the drive image.

Automating FileVault

New to Leopard is the ability to enable FileVault protection when creating new accounts, or creating mobile accounts. This saves a step: you no longer have to create the account, then login and turn on FileVault. More importantly, you can use MCX policies to enforce FileVault so that it is automatically turned on for all new mobile and local accounts.

Enforcing FileVault on mobile accounts is straightforward using Workgroup Manager. There is a new checkbox in Mobility preferences under Account Creation Options, labeled Encrypt contents with FileVault.

Apple doesn't make enforcing FileVault for local accounts quite as easy to discover or implement, but it is possible.

In Workgroup Manager, choose a Computer or ComputerGroup to manage, click the Preferences icon in the toolbar, then select the Details pane. Click the "+" button to add a new preference domain. Navigate to /Applications and double-click on the System Preferences app.

You should now have the com.apple.systempreferences domain available to you, and it should look like this:


Preferences details in Workgroup Manager

Double-click the entry for com.apple.systempreferences, and delete all the imported keys - we don't want any of them. Turn down the Always dictionary, and add a new key like this:


Managing com.apple.systempreferences keys

Save your changes.

Once the updated management settings become available on your managed client machines, you'll see that when creating a new local account, the Turn on FileVault protection checkbox is pre-selected, and disabled so that it cannot be deselected. All new local accounts will automatically have FileVault turned on as they are created.


FileVault enforced for local accounts

To be continued...

We've prepared our infrastructure, enabled FileVault on existing user accounts, and looked at options for enforcing FileVault for all new accounts. In part two of this series, we'll look at some issues you and your users might encounter, and what you can do to manage these issues.


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com. The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

WhiteCap 6.6 - Visual plug-in for iTunes...
WhiteCap is a sleek and sophisticated music visualizer and screensaver that features futuristic, wireframe mesh visuals with dynamic backgrounds and colors. WhiteCap contains thousands of visual... Read more
VOX 2.8.14 - Music player that supports...
VOX just sounds better! The beauty is in its simplicity, yet behind the minimal exterior lies a powerful music player with a ton of features and support for all audio formats you should ever need.... Read more
Paparazzi! 1.0b2 - Make user-defined siz...
Paparazzi! is a small utility for OS X that makes screenshots of webpages. This very simple tool takes screenshots of websites which do not fit on one screen. You specify the desired width, minimal... Read more
Carbon Copy Cloner 4.1.13 - Easy-to-use...
Carbon Copy Cloner backups are better than ordinary backups. Suppose the unthinkable happens while you're under deadline to finish a project: your Mac is unresponsive and all you hear is an ominous,... Read more
TrailRunner 3.8.832 - Route planning for...
TrailRunner is the perfect companion for runners, bikers, hikers, and all people wandering under the sky. Plan routes on a geographical map. Import GPS or workout recordings and journalize your... Read more
VueScan 9.5.65 - Scanner software with a...
VueScan is a scanning program that works with most high-quality flatbed and film scanners to produce scans that have excellent color fidelity and color balance. VueScan is easy to use, and has... Read more
Adobe Illustrator CC 2017 21.0.2 - Profe...
Illustrator CC 2017 is available as part of Adobe Creative Cloud for as little as $19.99/month (or $9.99/month if you're a previous Illustrator customer). Adobe Illustrator CC 2017 is the industry... Read more
iDefrag 5.1.7 - Disk defragmentation and...
iDefrag helps defragment and optimize your disk for improved performance. Features include: Supports HFS and HFS+ (Mac OS Extended). Supports case sensitive and journaled filesystems. Supports... Read more
Quicken 4.4.2 - Complete personal financ...
Quicken makes managing your money easier than ever. Whether paying bills, upgrading from Windows, enjoying more reliable downloads, or getting expert product help, Quicken's new and improved features... Read more
iDefrag 5.1.7 - Disk defragmentation and...
iDefrag helps defragment and optimize your disk for improved performance. Features include: Supports HFS and HFS+ (Mac OS Extended). Supports case sensitive and journaled filesystems. Supports... Read more

5 dastardly difficult roguelikes like th...
Edmund McMillen's popular roguelike creation The Binding of Isaac: Rebirth has finally crawled onto mobile devices. It's a grotesque dual-stick shooter that tosses you into an endless, procedurally generated basement as you, the pitiable Isaac,... | Read more »
Last week on PocketGamer
Welcome to a weekly feature looking back on the past seven days of coverage on our sister website, PocketGamer. It’s taken a while for 2017 to really get going, at least when it comes to the world of portable gaming. Thank goodness, then, for... | Read more »
ROME: Total War - Barbarian Invasion set...
To the delight of mobile strategy fans, Feral Interactive released ROME: Total War just a few months ago. Now the game's expansion, Barbarian Invasion is marching onto iPads as a standalone release. [Read more] | Read more »
Yuri (Games)
Yuri 1.0 Device: iOS iPhone Category: Games Price: $3.99, Version: 1.0 (iTunes) Description: It's night. Yuri opens his eyes. He wakes up in a strange forest.The small, courageous explorer rides on his bed on casters in this... | Read more »
Space schmup Xenoraid launches on the Ap...
10Tons Xenoraid is out today on the App Store, bringing some high-speed space action to your mobile gadgets just in time for the weekend. The company's last premium title, another sci-fi game titled Neon Chrome, did quite well for itself, so... | Read more »
Star Wars: Force Arena Beginner's G...
Star Wars: Force Arena joined the populous ranks of Star Wars games on mobile today. It's a two-lane MOBA starring many familiar faces from George Lucas's famed sci-fi franchise. As with most games of this nature, Force Arena can be a little obtuse... | Read more »
Mysterium: The Board Game (Games)
Mysterium: The Board Game 1.0 Device: iOS Universal Category: Games Price: $6.99, Version: 1.0 (iTunes) Description: The official adaptation of the famous board game Mysterium! | Read more »
Sonny (Games)
Sonny 1.0.4 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0.4 (iTunes) Description: Reimagined for iOS, cult-hit RPG Sonny brings challenging turn-based combat that requires strategy and mastery of each new skill to... | Read more »
Towaga (Games)
Towaga 1.0 Device: iOS iPhone Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: "It has been foretold that a masked being would stand atop the legendary Towaga Temple, dwelling among shadows to fulfil The Black Moon... | Read more »
Bubble Witch 3 Saga Guide: How to get th...
King's bringing its fairytale bubble-popping puzzler back for its 3rd outing in Bubble Witch 3 Saga. If you're familiar with the series, not much has changed here on the surface level, though you'll likely be pleased with the improvements. If you'... | Read more »

Price Scanner via MacPrices.net

Opera Announces Neon Concept Browser For Mac
Opera is inviting users to get a glimpse of what Opera for computers could become with its Opera Neon browser concept. Each Opera Neon feature is described as “an alternate reality” for the Opera... Read more
Tellini Releases TabView 3.0 Missing Tool fo...
Tellini has announced the release of TabView 3.0. TabView has been the first macOS viewer for PowerTab tablatures. PowerTab is a well-known and widely adopted tablature editor for Windows systems and... Read more
13-inch 1.6GHz/128GB MacBook Air on sale for...
Overstock.com has the 1.6GHz/128GB 13″ MacBook Air on sale for $130 off MSRP including free shipping: - 13″ 1.6GHz/128GB MacBook Air (MMGF2LL/A): $869.99 $130 off MSRP Their price is the lowest... Read more
12-inch 32GB Space Gray iPad Pro on sale for...
B&H Photo has 12″ Space Gray 32GB WiFi Apple iPad Pros on sale for $55 off MSRP including free shipping. B&H charges sales tax in NY only: - 12″ Space Gray 32GB WiFi iPad Pro: $744.44 $55 off... Read more
9-inch 32GB Space Gray iPad Pro on sale for $...
B&H Photo has the 9.7″ 32GB Space Gray Apple iPad Pro on sale for $549 for a limited time. Shipping is free, and B&H charges NY sales tax only. Read more
Apple iMacs on sale for up to $120 off MSRP,...
B&H Photo has 21″ and 27″ Apple iMacs on sale for up to $120 off MSRP, each including free shipping plus NY sales tax only: - 27″ 3.3GHz iMac 5K: $2199 $100 off MSRP - 27″ 3.2GHz/1TB Fusion iMac... Read more
Apple refurbished Apple TVs available for up...
Apple has Certified Refurbished 32GB and 64GB Apple TVs available for up to $30 off the cost of new models. Apple’s standard one-year warranty is included with each model, and shipping is free: -... Read more
1.4GHz Mac mini, refurbished, available for $...
The Apple Store has Apple Certified Refurbished 1.4GHz Mac minis available for $419. Apple’s one-year warranty is included, and shipping is free. Their price is $80 off MSRP, and it’s the lowest... Read more
16GB iPad Air 2, Apple refurbished, available...
Apple has Certified Refurbished 16GB iPad Air 2s available for $319 including free shipping. A standard Apple one-year is included. Their price is $60 off original MSRP for this model. Read more
Mac Pros on sale for $200 off MSRP, refurbish...
B&H Photo has Mac Pros on sale for $200 off MSRP. Shipping is free, and B&H charges sales tax in NY only: - 3.7GHz 4-core Mac Pro: $2799, $200 off MSRP - 3.5GHz 6-core Mac Pro: $3799, $200... Read more

Jobs Board

*Apple* Premier Retailer - Service Technicia...
DescriptionSimply Mac is the largest premier retailer for Apple products and solutions. At Simply Mac we are all Apple , all the time. Same products. Same prices. Read more
*Apple* Premier Retailer - Service Technicia...
DescriptionSimply Mac is the largest premier retailer for Apple products and solutions. At Simply Mac we are all Apple , all the time. Same products. Same prices. Read more
*Apple* Premier Retailer - Service Manager -...
DescriptionSimply Mac is the largest premier retailer for Apple products and solutions. At Simply Mac we are all Apple , all the time. Same products. Same prices. Read more
*Apple* Retail - Multiple Positions- Crows N...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
*Apple* & PC Desktop Support Technician...
Apple & PC Desktop Support Technician job in Los Angeles, CA Introduction: We have immediate job openings for several Desktop Support Technicians with one of our Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.