Skip to content

weswhet/crypt2

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

69 Commits
Crypt.xcodeproj
Crypt.xcodeproj
 
 
Crypt
Crypt
 
 
FDEAddUserService
FDEAddUserService
 
 
Package
Package
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Crypt 2

WARNING: As this has the potential for stopping users from logging in, extensive testing should take place before deploying into production.

Crypt 2 is an authorization plugin that will enforce FileVault 2, and then submit it to an instance of Crypt Server. Crypt 2 has been tested against 10.11 and 10.12 - it should in theory work down to 10.9, but test throughly to ensure it works as expected.

Features

  • Uses native authorization plugin so FileVault enforcement cannot be skipped.
  • Escrow is delayed until there is an active user, so FileVault can be enforced when the Mac is offline.
  • Administrators can specify a series of username that should not have to enable FileVault (IT admin, for example).

Configuration

Preferences can be set either in /Library/Preferences/com.grahamgilbert.crypt.plist or via MXC / Profiles.

ServerURL

The ServerURL preference sets your Crypt Server. Crypt will not enforce FileVault if this preference isn't set.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ServerURL "https://crypt.example.com"

SkipUsers

The SkipUsers preference allows you to define an array of users that will not be forced to enable FileVault.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt SkipUsers -array-add adminuser

RemovePlist

By default, the plist with the FileVault Key will be removed once it has been escrowed. In a future version of Crypt, there will be the possibility of verifying the escrowed key with the client. In preparation for this feature, you can now choose to leave the key on disk.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RemovePlist -bool FALSE

RotateUsedKey

Crypt2 can rotate the recovery key, if the key is used to unlock the disk. There is a small caveat that this feature only works if the key is still present on the disk. This is set to TRUE by default. NOTE: Future plan is to add this to the authorized plug-in so a key is not needed on disk.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RotateUsedKey -bool FALSE

FDEAddUser

Crypt 2 can optionally add new users to be able to unlock FileVault 2 volumes (when the disk is unlocked). This feature works up until macOS 10.12. The default for this is FALSE.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt FDEAddUser -bool TRUE

Uninstalling

The install package will modify the Authorization DB - you need to remove these entries before removing the Crypt Authorization Plugin. A script that will do this can be found at Package/uninstall.

Building from source

You will need to configure Xcode to sign the bundle before building. Instructions for this are out of the scope of this readme, and are available on Apple's site.

Credits

Crypt 2 couldn't have been written without the help of Tom Burgin - he is responsible for all of the good code in this project. The bad bits are mine.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

 
 
 

Languages

  • Python 38.6%
  • Objective-C 34.3%
  • Swift 25.0%
  • Makefile 1.6%
  • Shell 0.5%