Crypt is a system for centrally storing FileVault 2 recovery keys. It is made up of a client app, and a Django web app for storing the keys. You will also need to download and install the webapp.
Changes in this version
- 10.7 is no longer supported.
- Improved logging on errors.
- Improved user feedback during long operations (such as enabling FileVault).
The client is written in Pyobjc, and makes use of the built in fdesetup on OS X 10.8 and higher. An example login hook is provided to see how this could be implemented in your organisation.
- If escrow fails for some reason, the recovery key is stored on disk and a Launch Daemon will attempt to escrow the key periodically.
- If the app cannot contact the server, it can optionally quit.
- If FileVault is already enabled, the app will quit.
sudo defaults write /Library/Preferences/FVServer ServerURL "http://yourserver.com"
To disable the network check (for example, in environments when the network isn't available until the user has authenticated):
sudo defaults write /Library/Preferences/FVServer NetworkCheck -bool NO
fdesetup, the binary Crypt uses to enable FileVault needs to be run as root. You will need to devise your own way of running this, whether it is via a LaunchDaemon or a LoginHook.
Thanks to Greg Neagle and the other contributors at Munki for having code that I could borrow.