Code Monkey home page Code Monkey logo

filevault_escrow's Introduction

FileVault 2 Escrow module

Integration with the Crypt authentication plugin

The table provides the following information per client:

  • enableddate - The data FileVault was enabled
  • enableduser - Users added to the EFI login (authorized to unlock the drive)
  • lvguuid - (CoreStorage) Logical Volume Group UUID
  • lvuuid - (CoreStorage) Logical Volume UUID
  • pvuuid - (CoreStorage) Physical Volume UUID
  • recoverykey - The personal recovery key
  • Also added is hddserial - The serial number of the hard drive

Remarks

The workflow:

  1. Create a crypto key by calling vendor/bin/generate-defuse-key in the root of the munkireport directory. Add the resulting key to .env as ENCRYPTION_KEY=def00000505fe726...34;

  2. Install and configure Crypt make sure to prevent the removal of the plist:

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RemovePlist -bool FALSE

The recovery key is encrypted before it enters the database and is decrypted after retrieval. Don't lose the encryption key or your recovery keys are lost forever!

You can specify the ServerURL in the crypt preferences to a special url that will respond in a way that the crypt client stops attempting to Escrow.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ServerURL "http://munkireportURL/index.php?/module/filevault_escrow/index/"

The client will then checkin at munkireporturl/index.php?/module/filevault_escrow/index/checkin.

Dependencies

This module is dependent on the filevault_status model to provide the current status of FileVault and to list the user accounts who are authorized to unlock the drive

filevault_escrow's People

Contributors

bochoven avatar computeronix avatar gmarnin avatar tuxudo avatar wardsparadox avatar

Watchers

avatar avatar avatar avatar

Forkers

karamkky magervalp

filevault_escrow's Issues

Commit 114f610 causes the Crypt plugin to error when using the filevault_escrow module

Commit 114f610 causes the Crypt plugin to error when using the filevault_escrow module. The checkin function needs to be public in order to successfully return a 200 to Crypt as defined here: https://github.com/munkireport/filevault_escrow/blob/master/filevault_escrow_controller.php#L31-L35

Observed the following errors in /var/log/crypt.log on macOS 10.14.6, Crypt 3.3.0.178:

2019-09-18 03:58:54 PM - INFO: Stored recovery key is valid.
2019-09-18 03:58:54 PM - INFO: KeyEscrowInterval set to: 1 hour(s)...
2019-09-18 03:58:54 PM - INFO: Attempting to Escrow Key...
2019-09-18 03:58:54 PM - DEBUG: ServerURL Pref set to: https://www.company.com/index.php?/module/filevault_escrow/...
2019-09-18 03:58:54 PM - ERROR: Key escrow unsuccessful.

Workaround fix added to app/controllers/module.php:

// These methods don't require authentication
$unProtectedActions = ["get_script", "index", "checkin"];
// Require authentication for all methods
if( ! in_array($this->action, $unProtectedActions) && ! $this->module_obj->authorized())
{
  $this->requestForbidden('Module controller filter');
 }

When checkin was added to $unProtectedActions in app/controllers/module.php the Crypt plugin started logging normally:

2019-09-18 04:04:57 PM - INFO: Stored recovery key is valid.
2019-09-18 04:04:57 PM - INFO: KeyEscrowInterval set to: 1 hour(s)...
2019-09-18 04:04:57 PM - INFO: Attempting to Escrow Key...
2019-09-18 04:04:57 PM - DEBUG: ServerURL Pref set to: https://www.company.com/index.php?/module/filevault_escrow/...
2019-09-18 04:04:57 PM - INFO: Key escrow successful.

EDIT: update code blocks for readability

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.