Mac OS X: FileVault 2在美洲狮10.8上的扩展
最新发布的美洲狮10.8系统提供了一个FileVault 2功能的改进,管理工具fdesetup。在狮子版本中最新推出的FileVault 2时,它的功能虽然可以完全胜任个人用户对磁盘加密的需求,但是缺少工具用于企业环境中的管理,也就是对于多用户的支持/状态监控/恢复等手段。随着美洲狮的推出,这一弱点也开始被克服了。
这个管理命令fdesetup提供了如下的功能:
- 打开或关闭FileVault
- 支持独立的恢复键,或者是统一恢复键,或者两者同时使用
- 在打开FileVault的电脑上添加/移除多个可登陆用户
- 得到FileVault电脑上的可登陆用户列表
- 提供FileVault的加密解密状态
这个命令是一个命令行命令,这样可以为管理员提供灵活的管理方式,无论是远程还是监控,也为FileVault在企业中的应用和管理带来了方便,为系统管理员提高工作效率提供了有效手段,相信,随着管理员们对它的亲近感的提升,也会使更多的企业用户开始接受它。
下面就具体看看它能做什么怎么做
注意因为它对系统的修改,在使用该命令的时候,需要系统管理员权限。
- . 使用命令行打开FileVault功能,最简单的形式,只需下面的命令:
sudo fdesetup enable
跟着输入FileVault启动时的用户名和密码,如果成功完成,它会给出FileVault恢复键值,系统管理员需要自己妥善保管这个值。
Enter the primary user name: tonyliu Enter the password for the user 'tonyliu': ==== EFILoginCopyUserGraphics === Recover key = 'MMN6-PO7N-RKMG-5MOT-YVT2-8BN3 Please reboot to complete the process.
- . 通过下面的命令,可以在打开FileVault的同时,添加多个用户:
sudo fdesetup enable -user username -usertoadd another_username -usertoadd onemore_username随后它会逐个提示管理员,输入每个用户的密码,最后也是给出一个恢复键。这样就可以添加多个用户了。
- . 对于想更加自动化地添加用户的管理员来说,该命令支持使用特定Plist格式的文件来实现,这个Plist文件的文本格式如下:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Username</key> <string>username</string> <key>Password</key> <string>password</string> <key>AdditionalUsers</key> <array> <dict> <key>Username</key> <string>username</string> <key>Password</key> <string>password</string> </dict> <dict> <key>Username</key> <string>username</string> <key>Password</key> <string>password</string> </dict> </array> </dict> </plist>
其中密码都是明码,这个也可能算一个缺点吧。在Property List Editor中更直观地看,如下图:
要想在命令行中使用该Plist文件,使用命令如下:
sudo fdesetup enable -inputplist < /path/to/FilVault.plist
这样它不会再询问用户密码,而直接给出恢复键后退出。
- . 关闭FileVault也是很简单:
sudo fdesetup disable
- . 打开FileVault之后,添加用户:
sudo fdesetup add -usertoadd admin
- 当然它叶支持使用plist文件来添加用户:
sudo fdesetup add -inputplist < /path/to/filename.plist其中的plist文件格式和上面的相同,而主要用户名被忽略,该用户的密码可以使该用户的密码,也可以使恢复键的值。
- 使用下面命令可以列出用户列表:
sudo fdesetup list
- 使用下面命令删除一个用户:
sudo fdesetup remove -user username或者是,如果你知道该用户的UUID,也可以:
sudo fdesetup remove -uuid UUID_here
- 使用下面命令可以查看当前的FileVault的状态:
sudo fdesetup status有可能的状态是:
- 打开状态(FileVault is On.)
- 正在打开中(Encryption in process: Percent of complete=45)
- 关闭状态(FileVault is Off.)
- 重启后打开(FileVault is Off, but need a restart to be enabled.)
- 重启后关闭(FileVault is Off, but need a restart to finish.)
- 解密状态(Decryption in process: Percent of complete=45).
相比较Google的椰菜花叶的开原项目(我的以前的blog:Mac: 椰菜花叶和FileVault2),这次Apple提供的工具功能更加完善,不过对于处理恢复键方面,Google的方案思路应该值得借鉴。目前来说,Google的该项目还没有进一步的更新,不知道Google的团队能否在此基础上提供更多的功能。
不知道这个命令在狮子的第5个版本10.7.5中会不会有所支持,对于使用狮子系统的来说,使用椰菜花叶的方法还是一个不错的选择。
Ref: Using fdesetup with Mountain Lion’s FileVault 2
Update:
Tracking history:
----------------------------------------
==================================
Testing:
FileVault Primier user: fv
COMMAND: sudo fdesetup enable -user fv -usertoadd test -outputplist > /Volumes/OSX8_ESD/myKeyInfo.plist
------------------------------------------------------------
$ fdesetup list
Error: This tool requires root access to run.
------------------------------------------------------------
$ sudo fdesetup status
Encryption in progress: Percent completed = 16.50
------------------------------------------------------------
$ sudo fdesetup add -usertoadd myadmin
Error: FileVault is either Off or is Busy.
------------------------------------------------------------
$ sudo fdesetup status
FileVault is On.
------------------------------------------------------------
$ sudo fdesetup add -usertoadd myadmin
Enter the primary user name:fv
Enter the password for the user 'fv':
Enter the password for the added user 'myadmin':
------------------------------------------------------------
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
------------------------------------------------------------
#
# Wrong primary user and test user's password.
# it's added!!!
#
$ sudo fdesetup add -usertoadd test
Enter the primary user name:fvv
Enter the password for the user 'fvv':
Enter the password for the added user 'test':
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
test,39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4
#
# Test account is listed on login screen.
# test can login with the right password no the wrong one.
#
------------------------------------------------------------
$ sudo fdesetup remove -user test -verbose
fdesetup: user = test
User 'test' = user uuid = '39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4'.
------------------------------------------------------------
#
# Testing for entering not exist primary user account to add, got error.
#
$ sudo fdesetup add -usertoadd test
Enter the primary user name:a
Enter the password for the user 'a':
Enter the password for the added user 'test':
Error: Unable to add user 'test' to existing FileVault
Error: Unable to add one or more users to FileVault.
------------------------------------------------------------
#
# Testing for entering not primary user account to add, and wrong test account password, no error. but not added.
#
$ sudo fdesetup add -usertoadd test
Enter the primary user name:admin
Enter the password for the user 'admin':
Enter the password for the added user 'test':
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
# ###################################
#
# Test: entering, admin (not primary user) and right test account password,
#
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
test,39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4
#
# Any user who has admin privilege and is added in the FV2 login, can add any other user to login to FV2 machine.
#
------------------------------------------------------------
# UUID is the user's account GeneratedUID
$ dscl . read /Users/test GeneratedUID
GeneratedUID: 39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4
------------------------------------------------------------
# Questions: AD/OD integrated users, how to migrate to FV2 system. how they change password, change password on another machine then how to sync the changes?
------------------------------------------------------------
# ###################################
# Primary user changing password.
# In another admin user from Users & Groups of System Preferences
# fv's password -> fv
# login : Update keychain password -> works!
# Add/Remove other FV2 accounts, with the new password, works!
# In his own account from Users & Groups of System Preferences
# not tested, but should be Ok.
# login :
# Add/Remove other FV2 accounts
#
# Other FV2 user changing password.
# not test, but should work
------------------------------------------------------------
#
# Disable the FV2,
# enter primary user account password
$ sudo fdesetup disable
Enter the password or recovery key:
FileVault has been disabled.
$ sudo fdesetup status
Decryption in progress: Percent completed = 0.18
------------------------------------------------------------
***************************************************
MAN FDESETUP:
NAME
fdesetup -- FileVault enabling tool
SYNOPSIS
fdesetup verb [options]
DESCRIPTION
fdesetup is used to enable or disable FileVault, to list enabled FileVault users, or to add additional users
after FileVault has already been enabled. When enabling FileVault, the tool can return a recovery key. File-
Vault can also be set up with an institutional recovery key.
Data passed in via stdin should be a property list using the example format below. When enabling FileVault,
the top level Username and Password key values must be an existing user. When disabling and when adding addi-
tional users, the top level Username key is ignored, and the Password key value should either be an existing
FileVault user password or the recovery key. If a password is not in the dictionary, the tool will prompt for
it. Username parameters should be short names of existing users.
With the -keychain option, an institutional recovery key can be set up by placing an X.509 asymmetric public
certificate in the /Library/Keychains/FileVaultMaster.keychain file. security create-filevaultmaster-keychain
can be used to create the keychain. Alternatively a certificate can be passed in by using the -certificate
option and entering the path to the DER encoded certificate file. In this case the FileVaultMaster.keychain
file will be created using the certificate.
If you do not want a recovery key returned, use the -norecoverykey option. This should only be used when an
institutional recovery key has been configured.
The list command will display the short names and UUIDs of any enabled FileVault users. The remove command
will remove a user from FileVault.
The syncusers command synchronizes Open Directory attributes (e.g. user pictures) with FileVault users, and
removes FileVault users that were removed from Open Directory. It does not add users to FileVault.
VERBS
Each verb is listed with its description and individual arguments.
help
Shows abbreviated help
list [-verbose]
List enabled users.
enable [[[-user username ...] [-usertoadd added_username ...]] | [-inputplist]] [-outputplist] [-prompt]
[-forcerestart] [-keychain | [-certificate path_to_cer_file]] [-defer file_path] [-norecoverykey]
[-verbose]
Enables FileVault.
disable [-verbose]
Disables FileVault.
status [-verbose]
Returns current status about FileVault.
sync
Synchronizes information from Open Directory to FileVault.
add -usertoadd added_username ... | -inputplist [-prompt] [-verbose]
Adds additional FileVault users.
remove -uuid user_uuid | -user username [-verbose]
Removes enabled user from FileVault.
isactive
Returns status 0 if FileVault is enabled.
version
Displays current tool version.
OPTIONS
-defer file_path
Defer enabling FileVault until the user password is obtained, and recovery key and system information
will be written to the file path.
-user user_shortname
Short user name.
-uuid user_uuid
User UUID in canonical form: 11111111-2222-3333-4444-555555555555.
-usertoadd added_user
Additional user(s) to be added to FileVault.
-inputplist
Acquire configuration information from stdin when enabling or adding users to FileVault.
-prompt
Always prompt for information.
-forcerestart
Force a restart after FileVault has been successfully configured.
-outputplist
Outputs the recovery key and additional system information to stdout.
-keychain
Use the institutional recovery key stored in /Library/Keychains/FileVaultMaster.keychain.
-certificate path_to_cer_file
Use the certificate data located at the path. Any existing /Library/Keychains/FileVaultMaster.key-
chain file will be moved away with the location logged in the system log.
-norecoverykey
Do not return a recovery key.
DEFERRED ENABLEMENT
The -defer option can be used with the enable command option to delay enabling FileVault until after the cur-
rent (or next) user logs out, thus avoiding the need to enter a password when the tool is run. The user will
be prompted at logout time for the password, at which point an attempt will be made to enable FileVault. If
the volume is not already a CoreStorage volume, the system may need to be restarted to start the encryption
process. Logout dialogs are automatically dismissed and canceled after 60 seconds if no interaction occurs
and the user will be prompted again at the next logout time.
The -defer option sets up a single user to be added to FileVault. If there was no user specified (e.g. with-
out the -user option), then the currently logged in user will be added to the configuration and becomes the
designated user. If there is no user specified and no users are logged in at the time of configuration, then
the next user that logs in will be used as the designated user.
As recovery key information is not generated until the user password is obtained, the -defer option requires
a path where this information will be written to. The property list file will be created as a root-only read-
able file and should be placed in a secure location.
Options that can be used in conjunction with the defer option include: -keychain, -certificate, -user, and
-norecoverykey.
Note that if the designated user doesn't complete the set-up at logout, FileVault will not be enabled, and
the configuration will remain and be used again for the designated user's next logout, thereby 'nagging' the
user to enable FileVault. To remove an active deferred enablement configuration, use the disable command.
EXAMPLES
fdesetup enable -user sally -usertoadd johnny -usertoadd henry -outputplist > /secureplace/mykeyinfo.plist
Enables FileVault, adds users sally, johnny and henry to the EFI login, and outputs the recovery key
and other information into the file. Note that the user sally here does not have more privileges
than the other added users.
fdesetup enable -keychain -norecoverykey
Enables FileVault using an institutional recovery key in the FileVaultMaster.keychain file. No per-
sonal recovery key will be created.
fdesetup enable -defer /MykeyAndInfo.plist
Enables FileVault when the current user logs out and successfully enters their password and then
writes the personal recovery key and other relevant information to the file.
fdesetup enable -certificate /mycertfile.cer
Enables FileVault with an institutional recovery key based off the certificate data in the DER
encoded file. A FileVaultMaster.keychain file will be created automatically.
fdesetup enable -inputplist < /someinfo.plist
Enables FileVault using information from the property list read in from stdin.
fdesetup status
Shows the current status of FileVault.
fdesetup list
Lists the current FileVault users.
fdesetup remove -uuid A6C75639-1D98-4F19-ACD5-1892BAE27991
Removes the user with the UUID from the FileVault users list.
fdesetup isactive
Returns with exit status zero if FileVault is enabled and active.
fdesetup add -usertoadd betty
Adds the user betty to the existing FileVault setup.
EXIT STATUS
The exit status of the tool is set to indicate whether any error was detected. The values returned are:
0 No error, or successful operation.
1 FileVault is Off.
2 FileVault appears to be On but Busy.
11 Authentication error.
12 Parameter error.
13 Unknown command error.
14 Bad command error.
15 Bad input error.
16 Legacy FileVault error.
17 Added users failed error.
18 Unexpected keychain found error.
19 Keychain error. This usually means the FileVaultMaster keychain could not be moved or
replaced.
20 Deferred configuration setup error.
21 Enable failed (Keychain) error.
22 Enable failed (CoreStorage) error.
23 Enable failed (DiskManager) error.
24 Already enabled error.
25 Unable to remove user.
99 Internal error.
***************************************************
sudo fdesetup version
fdesetup: Version 1.30
------------------------------------------------------------
sudo fdesetup status
FileVault is Off.
------------------------------------------------------------
sudo fdesetup help
Sets up FileVault for the current boot volume.
Usage: fdesetup <verb> <options>
Use the man page for expanded help.
Verbs:
help
enable Enable FileVault and optionally add user(s)
disable Disable FileVault
status Return current FileVault status
add Add user(s) to existing FileVault
remove Remove user from FileVault
sync Synchronize existing FileVault user information
version
Options:
-prompt Always prompt for recovery user information. Only works for the recovery user.
-defer <filepath> Defer enabling FileVault until after the user logs out, and writes key and computer information to the file.
-forcerestart Force a restart without confirmation immediately after successfully enabling FileVault
-inputplist Reads configuration info from stdin.
-outputplist Outputs key and computer info to stdout.
-user <username> short user name.
-uuid <uuid> User UUID.
-usertoadd <username> Additional user name when enabling or adding users.
-keychain Use the FileVaultMaster.keychain to add an institutional recovery key when enabling FileVault
-norecoverykey Do not return a recovery key when enabling FileVault
-certificate <certificate path> Path to a DER encoded certificate file to use during enabling
-verbose