Using diskutil to find secure token users on a Mac


Posted on August 25, 2021 by alanysiu

Typically, to find out if a user account on a Mac has a secure token, you run a command like

sysadminctl -secureTokenStatus username

Where username is the username of the account you’re checking for a secure token.

Several folks on the MacAdmins Slack have mentioned that the most accurate way to get the secure token users is to use diskutil.

Example:


diskutil apfs listCryptoUsers /
Cryptographic users for disk1s5s1 (2 found)
|
+-- EBC6M064-0000-22FA-AX34-00307543DCAC
|   Type: Personal Recovery User
|
+-- EA93MFB0-AA30-123B-99E8-80B8C109F1E7
    Type: Local Open Directory User


dscl . -search /Users GeneratedUID EA93MFB0-AA30-123B-99E8-80B8C109F1E7
nameofauseraccount        GeneratedUID = (
    "EA93MFB0-AA30-123B-99E8-80B8C109F1E7"
)

Incidentally, even though people usually use listCryptoUsers, there are several other parameters that return the exact same result. From man diskutil:

listCryptoUsers | listUsers | listCryptoKeys | listKeys [-plist] volumeDevice
    Show all cryptographic users and special-purpose (e.g. recovery) "users" (keys) that are currently associated with the given APFS Volume, each by their Cryptographic User UUID and usage "type". The usual purpose of an APFS Cryptographic User is to authenticate for unlocking its APFS Volume; any of its users can do so.

    An APFS Volume need not be encrypted in order to contain crypto users; indeed, other than the Disk User, they should be added before encrypting.

    Types of Cryptographic Users include at-most-one-per-Volume "Disk" user, whose UUID value always matches its Volume's UUID; iCloud or personal "Recovery Keys", which are not users per se, but instead store partial crypto keys and are associated with corresponding "Recovery Users" and have fixed-constant UUID values; and "Open Directory" users, whose UUID values match corresponding local macOS Open Directory account user GUIDs.

    If -plist is specified, then a property list will be emitted instead of the normal user-readable output.

I’ve tested those manually, and they do indeed return the same results as listCryptoUsers does.

If you want a script that gets the crypto users and their respective usernames, I wrote one up in Python: ListCryptoUsers.py. I think others may have scripts written in bash or zsh, too. Edit: here’s one, for example.
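As an added example (not the author's ListCryptoUsers.py or any script linked above), here is a small Python script that parses the diskutil listing shown earlier and resolves each "Local Open Directory User" UUID to an account name with the same dscl search; the embedded sample outputs are constructed from the listing in this post so the parsers can be exercised without a Mac.

```python
import re
import subprocess

# Listing format: an entry line "+-- <UUID>" followed by a "Type: ..." line.
UUID_RE = re.compile(r"^\+--\s+([0-9A-Za-z-]{36})$")
TYPE_RE = re.compile(r"^[|\s]*Type:\s+(.+?)\s*$")

# Constructed samples, copied from the diskutil and dscl output shown in the post.
SAMPLE_LISTING = """Cryptographic users for disk1s5s1 (2 found)
|
+-- EBC6M064-0000-22FA-AX34-00307543DCAC
|   Type: Personal Recovery User
|
+-- EA93MFB0-AA30-123B-99E8-80B8C109F1E7
    Type: Local Open Directory User
"""
SAMPLE_DSCL = """nameofauseraccount        GeneratedUID = (
    "EA93MFB0-AA30-123B-99E8-80B8C109F1E7"
)
"""

def parse_crypto_users(listing: str) -> list[dict[str, str]]:
    """Parse `diskutil apfs listCryptoUsers <volume>` text into [{uuid, type}, ...]."""
    users: list[dict[str, str]] = []
    for line in listing.splitlines():
        m = UUID_RE.match(line.strip())
        if m:  # new crypto user; its Type comes on the following line
            users.append({"uuid": m.group(1), "type": ""})
            continue
        m = TYPE_RE.match(line)
        if m and users:
            users[-1]["type"] = m.group(1)
    return users

def parse_dscl_search(search_output: str):
    """Record name from `dscl . -search /Users GeneratedUID <uuid>` output, or None."""
    for line in search_output.splitlines():
        if "GeneratedUID = (" in line:
            return line.split()[0]  # the record name is the first field on that line
    return None

def secure_token_users(volume: str = "/") -> list[dict[str, str]]:
    """Live query: list crypto users on `volume`, resolving Open Directory UUIDs to names."""
    out = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    users = parse_crypto_users(out(["diskutil", "apfs", "listCryptoUsers", volume]))
    for u in users:
        if "Open Directory" in u["type"]:
            name = parse_dscl_search(out(["dscl", ".", "-search", "/Users", "GeneratedUID", u["uuid"]]))
            u["username"] = name or "(no local account found)"
    return users
```

On a Mac, `secure_token_users("/")` returns one record per crypto user, with a `username` key added only for Open Directory users; recovery users keep just their UUID and type.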


Command to add a secure token to a macOS user account


Posted on May 12, 2021 by alanysiu

If you run sysadminctl -secureTokenStatus firstuseraccount and see a secure token is enabled for that first account but run sysadminctl -secureTokenStatus seconduseraccount and see a secure token is not enabled for that second account, you can try adding a secure token to the second account, so it can turn on FileVault or become a FileVault-enabled account.

Try logging out of the second account and logging into the first account, and then running this command: sudo sysadminctl -secureTokenOn seconduseraccount -password - -adminUser firstuseraccount -adminPassword -

You should be prompted first for the password to the first account, and then for the password for the second account.

If it worked, then sysadminctl -secureTokenStatus seconduseraccount should show a secure token enabled for the second account.

If, on the other hand, you get an error message like Operation is not permitted without secure token unlock, you may have to wipe the Mac and reinstall macOS (I’d love to hear differently if folks have a working solution).
