Crypt is a system for centrally storing FileVault 2 recovery keys. It is made up of a client app, and a Django web app for storing the keys.
This Docker image contains the fully configured Crypt Django web app. A default admin user has been preconfigured, use admin/password to login. If you intend on using the server for anything semi-serious it is a good idea to change the password or add a new admin user and delete the default one.
Changes in this version
- 10.7 is no longer supported.
- Improved logging on errors.
- Improved user feedback during long operations (such as enabling FileVault).
The client is written in Pyobjc, and makes use of the built in fdesetup on OS X 10.8 and higher. An example login hook is provided to see how this could be implemented in your organisation.
- If escrow fails for some reason, the recovery key is stored on disk and a Launch Daemon will attempt to escrow the key periodically.
- If the app cannot contact the server, it can optionally quit.
- If FileVault is already enabled, the app will quit.
SEND_EMAIL- Crypt Server can send email notifcations when secrets are requested and approved. Set
SEND_EMAILto True, and set
HOST_NAMEto your server's host and URL scheme (e.g.
https://crypt.example.com). For configuring your email settings, see the Django documentation.
APPROVE_OWN- By default, users with approval permissons can approve their own key requests. By setting this to False in settings.py (or by using the
DOCKER_CRYPT_APPROVE_OWNenvironment variable with Docker), users cannot approve their own requests.
ALL_APPROVE- By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in settings.py (or by using the
DOCKER_CRYPT_ALL_APPROVEenvironment variable with Docker), all users are given this permission when they log in.
ROTATE_VIEWED_SECRETS- With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it when the secret has been viewed. Enable by setting this to
Trueor by using
DOCKER_CRYPT_ROTATE_VIEWED_SECRETSand setting to
New features in latest release
- Records Bonjour Name of Macs submitting keys
- Introduces the can_approve permission - users must have this permission to authorise key retrieval
- Key retrievals are logged
- Email user when their request is approved or denied
- Move 7 day allowance into settings.py so it can be changed