FileVault Key Escrow – Utilizing Active Directory or Open Directory

So I have been thinking about how to escrow the file vault recovery keys that are generated from cauliflower vest.  At first I thought I should just try and re-create the Google App Engine instance that is needed to work with all the tools but I quickly realized that I am not very good at coding and basically have no clue where to start.  So I started to think more about the parts I do understand and how I can leverage technologies I am more familiar with.

I then came up with a solution that I think may be more realistic for those who don’t feel like utilizing Googles App Engine.  Instead of storing the keys in the Google App Engine I thought why not store it with the computer record in AD or OD?  It seems to me that most admins lock down their directory servers pretty well such that you need to be on the internal network to get to them.  This helps a wee bit with the security but then you could take it another step further and encrypt the attribute (if your server supports that), or put some very specific ACL’s on the attribute that stores the key.  That way you need to have special rights to view it and a quick view of the LDAP record probably won’t set off any red flags.  Plus, each recovery key is unique so even if said hacker gets the key from the encrypted/unencrypted attribute he then needs to locate the computer that it belongs too.

I suppose all these things could happen but I think that if someone broke in and gained access to your Active Directory server the filevault recovery key isn’t going to be high on their list of things to steal.  I am sure security administrators would probably not be happy with my assertion but I try to be more realistic in what is the most probable outcome.  That said, if you are truly worried about physical disk security and need a real enterprise solution for disk encryption that can be centrally managed I probably wouldn’t be using FileVault and would suggest you try Symantec PGP or Sophos.  Now for my solution…

So, you have read the above and I haven’t managed to scare you off.  Here is what I have so far.


  • A Mac running Lion (10.7) and has a working recovery partition.
  • You have downloaded and compiled the Cauliflower Vest tool.  Specifically csfde and csfde is located in /usr/local/bin
  • Your Mac is bound to either Active Directory or Open Directory.  Hopefully this is a post process you do when your imaging your macs.

Assuming all this is valid here is the workflow I have come up with so far.

You have finished the above steps and now you need to encrypt the drive as the last part of your workflow.  Unfortunately, due to the way FileVault works, you can’t pre-provision a user account with access to the encrypted Mac nor can you authorize a group of users — PLEASE ADD THIS FEATURE APPLE.  The user must be resident on the system so that their credentials can be stored in the recovery partition.  So instead you deliver the Mac to the end user and have them log in so their AD/OD credentials, home directory, etc is created.  Now launch my script with sudo privs at the command line.

What does it do?

  1. The script validates that you are connected to AD or OD and have the appropriate computer record created.  If not it drops out.
  2. Then it creates a directory to hold the Recovery Key that will be generated by csfde.  This plist file will be stored in /usr/local/key/RecoveryKey.plist
  3. Next it will ask for the username and password of the user that will be using this computer.
  4. Then it requires a user with privileges to edit computer records in either the AD or OD domain.
  5. If then checks to see if the comment attribute/value is used.  If the attribute is it will ask if you want to overwrite the value.  If nothing exists or you agree to overwrite the data it will start the encryption process.
  6. Once the encryption process starts and it writes the key to AD/OD you will need to reboot to fully initiate background encryption.

Part 2 will be the script and possibly some screen caps.  I am currently cleaning up the commands and putting in as much logic as possible in case there are errors.  I hope to have it up here soon.

Leave a Reply

Your email address will not be published. Required fields are marked *