Setting up deferred FileVault encryption

In Enabling FileVault Encryption for Client Macs, I mentioned that deferred enablement is one option for mass-deploying encryption to clients, with the major downside that you can enable it for only one user and not multiple users at once.

If you do want to go that route, though, this is the command (assuming you’re using an institutional recovery key) you would use:

sudo fdesetup enable -user USERNAME -defer /PATH/TO/recovery.plist -norecoverykey -keychain -forceatlogin 10

where USERNAME is the username of the user you want to defer enablement for (otherwise, it will just be the last user to log out) and /PATH/TO is where you want to put the deferred-enablement info—the info itself is not sensitive, but I’d probably plop it in some place like /private/var/root, just so no one messes with it by accident.

This will also allow the user to put off enabling FileVault encryption ten times before she’s forced to enable it. You can adjust the -forceatlogin number to whatever you think makes sense for your organization.

Check the deferral status with

sudo fdesetup showdeferralinfo

If you haven’t yet run deferred enablement, the result will be

Not found.

(end period included). If you have run deferred enablement, you’ll get back an array of results from the .plist:

{
Defer = 1;
NoRecoveryKey = 1;
OutputPath = "/PATH/TO/recovery.plist";
UseKeychain = 1;
Usernames = (
USERNAME
);
}

To check FileVault general status (not deferral status) run the command

fdesetup status

which will return

FileVault is Off.

(end period included) if FileVault is not yet enabled and

FileVault is On.
FileVault master keychain appears to be installed.

(end periods included) if it is enabled.

So if you have a script checking for whether to do a deferred enablement, you probably want to check that fdesetup status returns FileVault is Off. and that fdesetup showdeferralinfo returns Not found.
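Here is an added example of such a check script (mine, not from the original post): it parses the fdesetup status and showdeferralinfo output described above, decides whether the deferred-enablement command from the top of the post should be run, and pulls the deferred username back out of the plist dump. The parsing functions take the command output as an argument, so the decision logic can be exercised with the constructed sample output embedded below on any machine; only the wrapper at the bottom calls the real fdesetup, and it assumes it is run as root. USERNAME and the /private/var/root path are the post's own placeholders, read from the FV_USER and DEFER_PLIST environment variables.

```shell
#!/bin/sh
# Added example: decide whether deferred FileVault enablement should be set up,
# based on the two fdesetup outputs quoted in the post.

FV_USER="${FV_USER:-USERNAME}"                               # placeholder from the post
DEFER_PLIST="${DEFER_PLIST:-/private/var/root/recovery.plist}"  # location suggested in the post

# Returns 0 when `fdesetup status` output reports FileVault as off.
fv_is_off() {
  case "$1" in
    *"FileVault is Off."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when `fdesetup showdeferralinfo` output says no deferral is pending.
deferral_not_found() {
  case "$1" in
    "Not found."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extracts the deferred username from the showdeferralinfo plist dump:
# the line following "Usernames = (", with surrounding whitespace and ";" stripped.
deferred_user() {
  printf '%s\n' "$1" | awk '/Usernames = \(/ { getline; gsub(/^[ \t]+|[ \t;]+$/, ""); print; exit }'
}

# Prints the action to take: enable-deferred, already-deferred, or already-on.
decide() {
  status_out="$1"
  defer_out="$2"
  if ! fv_is_off "$status_out"; then
    echo "already-on"
  elif deferral_not_found "$defer_out"; then
    echo "enable-deferred"
  else
    echo "already-deferred"
  fi
}

# Constructed sample outputs, copied from the shapes shown in the post.
SAMPLE_STATUS_OFF="FileVault is Off."
SAMPLE_STATUS_ON="FileVault is On.
FileVault master keychain appears to be installed."
SAMPLE_DEFER_NONE="Not found."
SAMPLE_DEFER_SET="{
    Defer = 1;
    NoRecoveryKey = 1;
    OutputPath = \"/PATH/TO/recovery.plist\";
    UseKeychain = 1;
    Usernames = (
        USERNAME
    );
}"

if command -v fdesetup >/dev/null 2>&1; then
  # On a Mac (run as root): query the real state and act on it.
  action=$(decide "$(fdesetup status)" "$(fdesetup showdeferralinfo)")
  case "$action" in
    enable-deferred)
      fdesetup enable -user "$FV_USER" -defer "$DEFER_PLIST" -norecoverykey -keychain -forceatlogin 10 ;;
    already-deferred)
      echo "Deferral already pending for: $(deferred_user "$(fdesetup showdeferralinfo)")" ;;
    already-on)
      echo "FileVault already on; nothing to do" ;;
  esac
else
  # Elsewhere: walk the decision table with the constructed samples.
  echo "off + no deferral  -> $(decide "$SAMPLE_STATUS_OFF" "$SAMPLE_DEFER_NONE")"
  echo "off + deferral set -> $(decide "$SAMPLE_STATUS_OFF" "$SAMPLE_DEFER_SET")"
  echo "on                 -> $(decide "$SAMPLE_STATUS_ON" "$SAMPLE_DEFER_SET")"
  echo "deferred user      -> $(deferred_user "$SAMPLE_DEFER_SET")"
fi
```

The script only ever runs the enable command in the one state the post describes (FileVault off and no pending deferral), so re-running it from a management tool after enablement or after a deferral is already in place is a no-op.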

After FileVault encryption is enabled, the deferral information will still be there, but

fdesetup status

will show

FileVault is On.
