Tag: filevault
-
Using diskutil to find secure token users on a Mac
Typically, to find out if a user account on a Mac has a secure token, you run a command like sysadminctl -secureTokenStatus username where username is the username of the account you’re checking for a secure token. Several folks on the MacAdmins Slack have mentioned that the most accurate way to get the secure…
-
Command to add a secure token to a macOS user account
If you run sysadminctl -secureTokenStatus firstuseraccount and see a secure token is enabled for that first account but run sysadminctl -secureTokenStatus seconduseraccount and see a secure token is not enabled for that second account, you can try adding a secure token to the second account, so it can turn on FileVault or become a FileVault-enabled…
-
Validate a FileVault recovery key using a .plist file
If you want to validate your FileVault recovery key from the terminal, you can do sudo fdesetup validaterecovery and then be prompted for the recovery key. But what if you want to use a .plist to validate the recovery key instead of getting prompted for the key? This is where it’s a bit counterintuitive, at…
-
Basics of Crypt 2 and Crypt Server
Graham Gilbert created a pretty cool project called Crypt 2, which forces client machines to enable FileVault2 encryption, and then sends the recovery key to a Crypt Server. So far the documentation on Crypt 2 is rather sparse, so this is what I was able to piece together based on the README, some asking around,…
-
Why you should use FileVault personal recovery keys instead of institutional recovery keys
In my previous blog posts on FileVault, I talked about or showed how to use an institutional recovery key for FileVault encryption: Enabling FileVault Encryption for Client Macs; Setting up deferred FileVault encryption; Using a FileVault institutional recovery key to unlock an encrypted disk. But in exploring FileVault further, I’ve found it’s much better to…
-
Using a FileVault institutional recovery key to unlock an encrypted disk
You may have set up FileVault encryption using an institutional recovery key (more details in Enabling FileVault Encryption for Client Macs). It’s possible you have a local admin account on the FileVault-enabled machine, so if a user says “Oh, no! I forgot my password,” you can reset the password. But what if your user also…
-
Setting up deferred FileVault encryption
In Enabling FileVault Encryption for Client Macs, I mentioned that deferred enablement is one option for mass-deploying encryption to clients, with the major downside that you can enable it for only one user and not multiple users at once. If you do want to go that route, though, this is the command (assuming you’re using…
-
Enabling FileVault Encryption for Client Macs
Difficulties in automating FileVault: FileVault encryption is unfortunately one of the things for Mac admins that is extremely difficult to automate. Crypt: There’s a project called Crypt that involves a login hook that checks whether encryption is enabled or not and then prompts the user to enable encryption. Once that’s done, the individual recovery key…