Using diskutil to find secure token users on a Mac

Typically, to find out of if a user account on a Mac has a secure token, you run a command like

sysadminctl -secureTokenStatus username

Where username is the username of the account you’re checking for a secure token.

Several folks on the MacAdmins Slack have mentioned that the most accurate way to get the secure token users is to use diskutil

Example:


diskutil apfs listCryptoUsers /
Cryptographic users for disk1s5s1 (2 found)
|
+-- EBC6M064-0000-22FA-AX34-00307543DCAC
|   Type: Personal Recovery User
|
+-- EA93MFB0-AA30-123B-99E8-80B8C109F1E7
    Type: Local Open Directory User


dscl . -search /Users GeneratedUID EA93MFB0-AA30-123B-99E8-80B8C109F1E7
nameofauseraccount        GeneratedUID = (
    "EA93MFB0-AA30-123B-99E8-80B8C109F1E7"
)

Incidentally, even though people usually use listCryptoUsers, there are several other parameters that return the exact same result. From man diskutil:


listCryptoUsers | listUsers | listCryptoKeys | listKeys
[-plist] volumeDevice
Show all cryptographic users and special-purpose
(e.g. recovery) "users" (keys) that are currently
associated with the given APFS Volume, each by
their Cryptographic User UUID and usage "type".
The usual purpose of an APFS Cryptographic User is
to authenticate for unlocking its APFS Volume; any
of its users can do so.
An APFS Volume need not be encrypted in order to
contain crypto users; indeed, other than the Disk
User, they should be added before encrypting.
Types of Cryptographic Users include at-most-one-
per-Volume "Disk" user, whose UUID value always
matches its Volume's UUID; iCloud or personal
"Recovery Keys", which are not users per se, but
instead store partial crypto keys and are associ-
ated with corresponding "Recovery Users" and have
fixed-constant UUID values; and "Open Directory"
users, whose UUID values match corresponding local
macOS Open Directory account user GUIDs.
If -plist is specified, then a property list will
be emitted instead of the normal user-readable out-
put.

I’ve tested those manually, and they do indeed return the same results as listCryptoUsers does.

If you want a script that gets the crypto users and their respective usernames, I wrote one up on Python: ListCryptoUsers.py. I think others may have scripts written in bash or zsh, too. Edit: here’s one, for example.

1 comment

  1. You could also use:
    sudo fdesetup list -extended
    which will also show the Type and the username for the secure token.

Leave a comment

Your email address will not be published. Required fields are marked *