louipanlebeemo

OS X 10.9 Mavericks Enhances fdesetup for FileVault Management



In OS X 10.9.x, you can use the institutional recovery key with fdesetup, the command-line tool for managing FileVault 2 encryption, to perform various actions. Among its functions, fdesetup can enable encryption with the alphanumeric personal recovery key, with an institutional recovery key stored in /Library/Keychains/FileVaultMaster.keychain, or with both kinds of recovery key at the same time.




OS X 10.9 Mavericks Makes fdesetup A Bit More Useful



The fdesetup man page in OS X 10.9.x includes a sample plist file as a guide for those who want to import authentication credentials when running fdesetup commands. The plist contains two keys that reference a keychain holding the private key for an institutional recovery key:


Before OS X 10.9.x, you had to decrypt an encrypted Mac before you could change an existing institutional recovery key. In 10.9.x, fdesetup can be leveraged to assist in this situation in the following ways:


To check encryption status, use "fdesetup status"; see "fdesetup help" for more options, though functions that can be done through System Preferences (or with the sysadminctl command) should take precedence.


I'm having an issue which I assumed was normal, until a recent JNUG. All machines are running 10.9.5 and bound to AD using a Configuration Profile. Our user passwords expire every 90 days, forcing the user to change them accordingly. So far, every time this occurs, the FileVault pre-boot window doesn't function with the new password. My resolution has been to remove the user with fdesetup and then re-add using System Preferences.


We are seeing this issue also. Have 10.9 and 10.10 users with AD accounts, Mobile on the Macs, AD expires the password every 90 days. As we have more than 1 device (win box, mobile devices, etc.), when the password changes elsewhere, the Mac boots up and the old password gets into FV2, then the new password logs in (expected). We are not finding how to resync the passwords, as the rebooting still has the old password on FV2 and the new password on login. We have tried the Apple solution with the touch command and no luck.

sudo touch /System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources

Any more thoughts on this?


Users of FileVault 2 in OS X 10.9 and above can validate that their recovery key works correctly by running sudo fdesetup validaterecovery in Terminal after encryption has finished. The key must be in the form xxxx-xxxx-xxxx-xxxx-xxxx-xxxx, and the command will return true if the key is correct.[16]

