TweetFollow Us on Twitter

MacEnterprise: Migrating FileVault

Volume Number: 24
Issue Number: 10
Column Tag: MacEnterprise

MacEnterprise: Migrating FileVault

Moving FileVault-encrypted accounts to a new machine

By Greg Neagle, MacEnterprise.org

Another FileVault challenge

A few issues ago, we looked at implementing FileVault in an enterprise environment. FileVault is Apple's technology for securing the contents of a user's home directory. Your organization may wish to protect its users' data on company laptops, in case a laptop is lost or stolen. Using FileVault is one method to accomplish this goal.

In those earlier issues of MacTech, we looked at preparing for FileVault implementation, turning it on for a given user account, and options for managing, automating, and controlling the use of FileVault in your organization. Later, we looked at dealing with some of the day-to-day issues in dealing with FileVault-protected home directories, and methods for recovering from a lost FileVault password.

Moving FileVault Accounts

One thing not covered in the earlier articles is how you might move a FileVault-protected account and home directory from one machine to another. If you are giving a user a new machine, you may need to move his or her existing account and home directory to the new machine. For reasons best known to Apple, the Migration Assistant is of little help in this task - it refuses to migrate a FileVault user unless there are no other users on the target machine. If you have a machine built from a standard image, you may have one or more prebuilt user accounts, like a local administrative account, on the new machine and so the Migration Assistant refuses to move the FileVault-protected user account.

The advice given by the Migration Assistant is to turn off FileVault, move the account, and turn it back on. While this might work, it is problematic for several reasons:

You'll need the user's password, or at least their cooperation, to turn FileVault off. This requires more coordination between you and the user.

You'll need enough available space on the startup disk to make a duplicate of the contents of the user's FileVault-protected home folder. That space may not be available.

Decrypting and re-encrypting the FileVault-protected home directory can take a long time.

If you are using MCX to enforce FileVault, turning it off (and back on) can present a challenge, as the GUI options are disabled.

So it would be better if we could just move the FileVault-protected account as-is. Fortunately, it can be done, and really isn't that difficult - at least if you aren't afraid of the command line.

Basic Concepts

The basic ideas behind moving the FileVault account are simple:

Recreate the account information on the new machine.

Move the FileVault sparseimage or sparsebundle to the new machine.

Edit the account information to point to the FileVault disk image.

Of course, the devil is in the details. So let's get started!

Recreating the account

If you are using mobile accounts, recreating the account is easy. Just create a new mobile account for the user - either graphically, or via the command line. In Tiger, the relevant command-line tool is MCXCacher, located in

/System/Library/CoreServices/mcxd.app/Contents/Resources/

You call it like so:

cd /System/Library/CoreServices/mcxd.app/Contents/Resources
./MCXCacher -U usershortname

which should create a new mobile account for the network user.

For Leopard, the relevant tool is called createmobileaccount. It is located in /System/Library/CoreServices/ManagedClient.app/Contents/Resources.

It's called like this:

cd /System/Library/CoreServices/ManagedClient.app
cd Contents/Resources
./createmobileaccount -n usershortname

If you aren't using mobile accounts, you can manually recreate the account using the Accounts preferences pane, or the dscl command-line utility, but be sure the shortname, uid, and GeneratedUID of the recreated account match the original. The dscl utility can be of great help here, allowing you to read the appropriate values from the old account and write them to the new one:

oldmac:/ root# dscl . read /Users/localuser uid
dsAttrTypeNative:uid: 4389
newmac:/ root# dscl . create /Users/localuser uid 4389

Another challenge, if you are not using mobile accounts, is copying the stored password from the old account and machine to the new one, but this, too, can be done. The passwords are stored in /private/var/db/shadow/hash. For local accounts, the shadow files are named after the GeneratedUID of the user account:

root# dscl . read /Users/localuser GeneratedUID
GeneratedUID: 1DECD42B-52EB-4B89-B2B2-359F0623EB1F

So for "localuser" above, the password is stored in /private/var/db/shadow/hash/1DECD42B-52EB-4B89-B2B2-359F0623EB1F. To copy the password hash from the old machine to the new one, you'd just copy that file.

Move the FileVault disk image

The next step is easier. All you need to do is copy the FileVault disk image from the old machine to the new one. But first, let's do some prep work. If you recreated the account on the new machine, you may have a folder in /Users that is partially populated. We don't really need the contents of this folder, as we're going to replace it with the FileVault disk image. If your new machine is running Tiger, or you've recreated a purely local user, just remove all the contents:

newmac:/ root# rm -rf /Users/localuser/*

If your new machine is running Leopard, and you have recreated a mobile account, you should keep the .account directory inside the user's home folder. This stores cached account info and is used by the new External Accounts in Leopard.

newmachine:/ root# ls /Users/mobileuser
.CFUserTextEncoding   Movies
.account                     Music
Desktop                     Pictures
Documents                  Public
Downloads                  Sites
Library

You can remove everything else in the user's folder; just leave .account.

Let's look at the old machine for a second. You might see two relevant directories in /Users:

.localuser/
localuser/

If you look inside .localuser/, you'll see the sparseimage/sparsebundle. If you look in localuser/, you'll see an .autodiskmounted file. This happens when the FileVault disk image is not unmounted cleanly. The important bit is that you want to find and copy the sparseimage/sparsebundle, even if it's in a different directory than you were expecting.

One strategy to copy the FileVault disk image is to startup the old machine in FireWire target disk mode, connect it to the new machine, and use sudo cp or ditto to copy the sparseimage/sparsebundle. If you do this, it's probably a good idea to uncheck the "Ignore ownership" box in the Get Info window for the FireWire-connected volume. If you don't do this, you can manually reassign ownership of the FileVault image after the copy.

cp -pvr /Volumes/oldmac/Users/myuser/myuser.sparsebundle \ /Users/myuser/myuser.sparsebundle
chown -R myuser /Users/myuser/myuser.sparsebundle

If you cannot abide the command line, it is possible to do this completely from the Finder, but you'll need to first change the permissions and/or ownership of the various directories so you can read and write. Be sure to change ownership and permissions back when you are done copying.

When you are done copying, you should have a username.sparsebundle or username.sparseimage in /Users/username on the new machine. /Users/username and /Users/username/username.sparsebundle should be owned by username, and the owner should have read, write and execute permissions:

chown -R username /Users/username
chmod -R u+rwX  /Users/username

Editing the new account

We're almost there! We've recreated the account, and we've copied the FileVault disk image. But the recreated account has the wrong value for the HomeDirectory attribute. We need to fix that. While previous steps could be done without using the command line, I'm afraid that for this task you have no choice but to fire up the terminal.

newmac:/ root# dscl . read /Users/myuser HomeDirectory   
No such key: HomeDirectory

For a "normal" non-FileVault encrypted home directory, this attribute does not exist (the NFSHomeDirectory attribute does exist, but that's a different thing...) We need to create this attribute and point it to the FileVault disk image.

dscl . create /Users/myuser HomeDirectory '<home_dir><url>file://localhost/Users/myuser/myuser.sparsebundle</url></home_dir>'

The above command should be all one line. Substitute the correct username for "myuser" and in "myuser.sparsebundle". If the encrypted home directory is in the older FileVault format, substitute "sparseimage" for "sparsebundle".

If you did everything right, the user should now be able to log in on their new machine with their username and password and access their FileVault-encyrpted home directory. And maybe you've learned some things about FileVault, mobile accounts and the Directory Service along the way.

Wrapping up

To review:

We recreated the user account on the new machine, using MCXCacher or createmobileaccount if the account was a mobile account; or manually if it was a local account, ensuring the shortname, uid, and GeneratedUIDs matched.

For local accounts, we copied the shadow password file. (Recreating a mobile account generates this for us automatically)

We copied the FileVault disk image from the old machine to the new one.

We edited the local accounts' HomeDirectory attribute to point to the FileVault disk image.

That was a lot of work - but should have been faster than turning FileVault off, moving the account and data, and then turning it back on. Additionally, the user's password was not needed to move the account and data. Once you get this technique down, you might consider writing a script to do most of it for you, which is, of course, what I've done. Better would be to help persuade Apple to update the Migration Assistant to do this: if we can do it, so could the Migration Assistant!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Sketch 44.1 - Design app for UX/UI for i...
Sketch is an innovative and fresh look at vector drawing. Its intentionally minimalist design is based upon a drawing space of unlimited size and layers, free of palettes, panels, menus, windows, and... Read more
BetterTouchTool 2.260 - Customize Multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom... Read more
Chromium 59.0.3071.115 - Fast and stable...
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all Internet users to experience the web. Version 59.0.3071.115: This update has no Flash plug... Read more
SyncTwoFolders 2.2.3 - Syncs two user-sp...
SyncTwoFolders simply synchronizes two folders. It supports synchronization across mounted network drives and it is a possibility to run a simulation showing in a log what will be done. Please visit... Read more
Myriad 4.1 - $79.00
Myriad is, simply put, one of the best audio batch processors. Totally redesigned, it looks beautiful and delivers incredible performance. Let Myriad do the heavy lifting while you get back to doing... Read more
Suitcase Fusion 7 18.2.4 - Font manageme...
Suitcase Fusion 7 is the creative professional's font manager. Every professional font manager should deliver the basics: spectacular previews, powerful search tools, and efficient font organization... Read more
SoftRAID 5.6.1 - High-quality RAID manag...
SoftRAID allows you to create and manage disk arrays to increase performance and reliability. SoftRAID allows the user to create and manage RAID 4 and 5 volumes, RAID 1+0, and RAID 1 (Mirror) and... Read more
BetterTouchTool 2.25 - Customize Multi-T...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom... Read more
Google Chrome 59.0.3071.115 - Modern and...
Google Chrome is a Web browser by Google, created to be a modern platform for Web pages and applications. It utilizes very fast loading of Web pages and has a V8 engine, which is a custom built... Read more
Google Chrome 59.0.3071.115 - Modern and...
Google Chrome is a Web browser by Google, created to be a modern platform for Web pages and applications. It utilizes very fast loading of Web pages and has a V8 engine, which is a custom built... Read more

Latest Forum Discussions

See All

Ravenscroft 275 Piano (Music)
Ravenscroft 275 Piano 1.0.0 Device: iOS Universal Category: Music Price: $35.99, Version: 1.0.0 (iTunes) Description: Experience the splendor of a Ravenscroft Grand with the most realistic sounding piano ever created for iOS. Launch... | Read more »
This War of Mine gets a new ending and m...
This War of Mine just got a big new update, featuring free DLC that adds a new ending to the game, among other exciting changes. The update is celebrating the game's two-year release anniversary. Apart from the new ending, which will be quite... | Read more »
Summon eight new heroes in Fire Emblem H...
Nintendo keeps coming at us with Fire Emblem Heroes updates, and it doesn't look like that trend is stopping anytime soon. The folks behind the game have just announced the new War of the Clerics Voting Gauntlet, expected to start next Tuesday. [... | Read more »
The best deals on the App Store this wee...
iOS publishers are pulling out all the stops this week -- there's a huge number of seriously great games at discounted prices this week. Let's not waste any time and get right down to business. [Read more] | Read more »
The House of da Vinci (Games)
The House of da Vinci 1.0.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.0 (iTunes) Description: Enter The House of Da Vinci, a new must-try 3D puzzle adventure game. Solve mechanical puzzles, discover hidden... | Read more »
Solve the disappearance of history’s gre...
Blue Brain Games invites you to indulge in an immersive hands-on 3D puzzle adventure in similar vein to The Room series, with its debut release The House of Da Vinci. Set during the historic period of the Italian Renaissance (when Leonardo himself... | Read more »
Age of Rivals (Games)
Age of Rivals 3.3 Device: iOS Universal Category: Games Price: $.99, Version: 3.3 (iTunes) Description: Deep civilization-building strategy in a fast-paced card game! | Read more »
Panthera Frontier (Games)
Panthera Frontier 1.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: | Read more »
Angry Birds Evolution beginner's gu...
Angry Birds changes things up a fair bit in its latest iteration, Angry Birds Evolution. The familiar sling-shot physics mechanics are still there, but the game now features team-based gameplay, RPG elements, and a new top-down view. With all of... | Read more »
Sega Forever is for the retro game fans
Sega is launching a new retro games service titled Sega Forever, in a move that's sure to delight games enthusiasts with a bit of nostalgia. Sega's releasing five classic games for free. The titles include Sonic the Hedgehog, Phantasy Star II,... | Read more »

Price Scanner via MacPrices.net

Apple Releases iOS 11 Public Beta; How To Get...
The official release of Apple’s latest mobile operating system iOS 11 is vaguely slated for the fall, but as of June 26, ordinary users can download an iOS 11 public beta. To download the iOS 11... Read more
Extend Life of MacBook Pro Retina 2.0TB With...
MacSales.com/Other World Computing has announced availability of the new OWC 2.0TB Aura Pro Solid State Drive for mid-2012 to early 2013 Apple MacBook Pro with Retina display. One of the fastest... Read more
BBEdit SummerFest 2017 Discount Ends Friday,...
You can get 20% off BBEdit for a limited time in Bare Bones Software’s http://www.eastgate.com/Tinderbox/Specials/SummerFest.html?mc_cid=f2101ca260&mc_eid=[UNIQID]SummerFest 2017 sale and... Read more
Use Apple’s Education discount to save up to...
Purchase a new Mac using Apple’s Education discount, and take up to $300 off MSRP. All teachers, students, and staff of any educational institution qualify for the discount. Shipping is free: - 15″ 2... Read more
Clearance 27-inch 3.3GHz 5K iMac available fo...
Amazon clearance 27″ 3.3GHz 5K iMacs (MK482LL/A) available for $1799.90 including free shipping. Their price is $500 off original MSRP, and it’s the lowest price available for this model from any... Read more
13-inch 1.8GHz/256GB MacBook Air on sale for...
B&H Photo has the updated 2017 13″ 1.8GHz/256GB MacBook Air (MQD42LL/A) in stock and on sale for $1129 including free shipping plus NY & NJ tax only. Their price is $70 off MSRP. Read more
27-inch 3.4GHz iMac on sale for $1699, save $...
B&H Photo has the new 2017 27″ 3.4GHz iMac (MNE92LL/A) in stock and on sale for $1699 including free shipping plus NY & NJ sales tax only. Their price is $100 off MSRP. Read more
21-inch 2.3GHz iMac on sale for $1049, save $...
B&H Photo has the new 2017 21″ 2.3GHz iMac (MMQA2LL/A) in stock and on sale for $1049 including free shipping plus NY & NJ tax only. Their price is $50 off MSRP. Read more
ABBYY TextGrabber 6 for iOS Implements Instan...
ABBYY has announced the release of TextGrabber 6.0.0, an important feature update to the company’s productivity app developed for iOS and Android devices. TextGrabber 6.0 now offers Real-Time... Read more
vPhone, First Smartphone That Can’t Be Lost,...
Austin, Texas based Hypori has introduced the vPhone, a virtual smartphone that affords every business user the benefits of separate work and personal phones, conveniently delivered on a single... Read more

Jobs Board

*Apple* News Product Marketing Mgr., Publish...
…organizational consensus on strategy and vision for publisher tools, authoring, and Apple News Format.Carries this strategy and vision across the organization to Read more
*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
Security Data Analyst - *Apple* Information...
…data sources need to be collected to allow Information Security to better protect Apple employees and customers from a wide range of threats.Act as the subject matter Read more
Lead *Apple* Solutions Consultant - Apple I...
…integrity, and trust.Success Metrics/Key Performance Indicators:Quantitative* Year over Year growth in Apple Product and Beyond the Box sales in the assigned Point of Read more
*Apple* Solutions Consultant till v%u00E5r...
…ethics, integrity, and trust.Success Metrics/Key Performance Indicators:QuantitativeYear over Year growth in Apple Product and Beyond the Box sales in the assigned Point Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.