Mac OS X: FileVault 2在美洲狮10.8上的扩展

最新发布的美洲狮10.8系统提供了一个FileVault 2功能的改进，管理工具fdesetup。在狮子版本中最新推出的FileVault 2时，它的功能虽然可以完全胜任个人用户对磁盘加密的需求，但是缺少工具用于企业环境中的管理，也就是对于多用户的支持／状态监控／恢复等手段。随着美洲狮的推出，这一弱点也开始被克服了。

这个管理命令fdesetup提供了如下的功能：

• 打开或关闭FileVault
• 支持独立的恢复键，或者是统一恢复键，或者两者同时使用
• 在打开FileVault的电脑上添加／移除多个可登陆用户
• 得到FileVault电脑上的可登陆用户列表
• 提供FileVault的加密解密状态

这个命令是一个命令行命令，这样可以为管理员提供灵活的管理方式，无论是远程还是监控，也为FileVault在企业中的应用和管理带来了方便，为系统管理员提高工作效率提供了有效手段，相信，随着管理员们对它的亲近感的提升，也会使更多的企业用户开始接受它。

下面就具体看看它能做什么怎么做

注意因为它对系统的修改，在使用该命令的时候，需要系统管理员权限。

• . 使用命令行打开FileVault功能，最简单的形式，只需下面的命令：

sudo fdesetup enable

跟着输入FileVault启动时的用户名和密码，如果成功完成，它会给出FileVault恢复键值，系统管理员需要自己妥善保管这个值。

Enter the primary user name: tonyliu
Enter the password for the user 'tonyliu':
==== EFILoginCopyUserGraphics ===
Recover key = 'MMN6-PO7N-RKMG-5MOT-YVT2-8BN3
Please reboot to complete the process.

• . 通过下面的命令，可以在打开FileVault的同时，添加多个用户：
  sudo fdesetup enable -user username -usertoadd another_username -usertoadd onemore_username随后它会逐个提示管理员，输入每个用户的密码，最后也是给出一个恢复键。这样就可以添加多个用户了。

• . 对于想更加自动化地添加用户的管理员来说，该命令支持使用特定Plist格式的文件来实现，这个Plist文件的文本格式如下：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>username</string>
<key>Password</key>
<string>password</string>
<key>AdditionalUsers</key>
<array>
  <dict>
    <key>Username</key>
    <string>username</string>
    <key>Password</key>
    <string>password</string>
  </dict>
  <dict>
    <key>Username</key>
    <string>username</string>
    <key>Password</key>
    <string>password</string>
  </dict>
</array>
</dict>
</plist>

其中密码都是明码，这个也可能算一个缺点吧。在Property List Editor中更直观地看，如下图：

要想在命令行中使用该Plist文件，使用命令如下：

sudo fdesetup enable -inputplist < /path/to/FilVault.plist

这样它不会再询问用户密码，而直接给出恢复键后退出。

• . 关闭FileVault也是很简单：
  sudo fdesetup disable

• . 打开FileVault之后，添加用户：
  sudo fdesetup add -usertoadd admin

• 当然它叶支持使用plist文件来添加用户：
  sudo fdesetup add -inputplist < /path/to/filename.plist其中的plist文件格式和上面的相同，而主要用户名被忽略，该用户的密码可以使该用户的密码，也可以使恢复键的值。

• 使用下面命令可以列出用户列表:
  sudo fdesetup list

• 使用下面命令删除一个用户：
  sudo fdesetup remove -user username或者是，如果你知道该用户的UUID，也可以：
  sudo fdesetup remove -uuid UUID_here

• 使用下面命令可以查看当前的FileVault的状态：
  sudo fdesetup status有可能的状态是:

• 打开状态(FileVault is On.)
• 正在打开中(Encryption in process: Percent of complete=45)
• 关闭状态(FileVault is Off.)
• 重启后打开(FileVault is Off, but need a restart to be enabled.)
• 重启后关闭(FileVault is Off, but need a restart to finish.)
• 解密状态(Decryption in process: Percent of complete=45).

相比较Google的椰菜花叶的开原项目（我的以前的blog：Mac: 椰菜花叶和FileVault2），这次Apple提供的工具功能更加完善，不过对于处理恢复键方面，Google的方案思路应该值得借鉴。目前来说，Google的该项目还没有进一步的更新，不知道Google的团队能否在此基础上提供更多的功能。

不知道这个命令在狮子的第5个版本10.7.5中会不会有所支持，对于使用狮子系统的来说，使用椰菜花叶的方法还是一个不错的选择。

Ref:Using fdesetup with Mountain Lion’s FileVault 2

Update:

Tracking history:

----------------------------------------

==================================

Testing:

FileVault Primier user: fv

COMMAND: sudo fdesetup enable -user fv -usertoadd test -outputplist > /Volumes/OSX8_ESD/myKeyInfo.plist

------------------------------------------------------------

$ fdesetup list

Error: This tool requires root access to run.

------------------------------------------------------------

$ sudo fdesetup status

Encryption in progress: Percent completed = 16.50

------------------------------------------------------------

$ sudo fdesetup add -usertoadd myadmin

Error: FileVault is either Off or is Busy.

------------------------------------------------------------

$ sudo fdesetup status

FileVault is On.

------------------------------------------------------------

$ sudo fdesetup add -usertoadd myadmin

Enter the primary user name:fv

Enter the password for the user 'fv':

Enter the password for the added user 'myadmin':

------------------------------------------------------------

$ sudo fdesetup list

fv,76A3E840-4370-4173-B2BC-1139122BB364

myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF

------------------------------------------------------------

#

# Wrong primary user and test user's password.

# it's added!!!

#

$ sudo fdesetup add -usertoadd test

Enter the primary user name:fvv

Enter the password for the user 'fvv':

Enter the password for the added user 'test':

$ sudo fdesetup list

fv,76A3E840-4370-4173-B2BC-1139122BB364

myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF

test,39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4

#

# Test account is listed on login screen.

# test can login with the right password no the wrong one.

#

------------------------------------------------------------

$ sudo fdesetup remove -user test -verbose

fdesetup: user = test

User 'test' = user uuid = '39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4'.

------------------------------------------------------------

#

# Testing for entering not exist primary user account to add, got error.

#

$ sudo fdesetup add -usertoadd test

Enter the primary user name:a

Enter the password for the user 'a':

Enter the password for the added user 'test':

Error: Unable to add user 'test' to existing FileVault

Error: Unable to add one or more users to FileVault.

------------------------------------------------------------

#

# Testing for entering not primary user account to add, and wrong test account password, no error. but not added.

#

$ sudo fdesetup add -usertoadd test

Enter the primary user name:admin

Enter the password for the user 'admin':

Enter the password for the added user 'test':

$ sudo fdesetup list

fv,76A3E840-4370-4173-B2BC-1139122BB364

myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF

# ###################################

#

# Test: entering, admin (not primary user) and right test account password,

#

$ sudo fdesetup list

fv,76A3E840-4370-4173-B2BC-1139122BB364

myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF

test,39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4

#

# Any user who has admin privilege and is added in the FV2 login, can add any other user to login to FV2 machine.

#

------------------------------------------------------------

# UUID is the user's account GeneratedUID

$ dscl . read /Users/test GeneratedUID

GeneratedUID: 39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4

------------------------------------------------------------

# Questions: AD/OD integrated users, how to migrate to FV2 system. how they change password, change password on another machine then how to sync the changes?

------------------------------------------------------------

# ###################################

# Primary user changing password.

# In another admin user from Users & Groups of System Preferences

# fv's password -> fv

# login : Update keychain password -> works!

# Add/Remove other FV2 accounts, with the new password, works!

# In his own account from Users & Groups of System Preferences

# not tested, but should be Ok.

# login :

# Add/Remove other FV2 accounts

#

# Other FV2 user changing password.

# not test, but should work

------------------------------------------------------------

#

# Disable the FV2,

# enter primary user account password

$ sudo fdesetup disable

Enter the password or recovery key:

FileVault has been disabled.

$ sudo fdesetup status

Decryption in progress: Percent completed = 0.18

------------------------------------------------------------

***************************************************

MAN FDESETUP:

NAME

fdesetup -- FileVault enabling tool

SYNOPSIS

fdesetup verb [options]

DESCRIPTION

fdesetup is used to enable or disable FileVault, to list enabled FileVault users, or to add additional users

after FileVault has already been enabled. When enabling FileVault, the tool can return a recovery key. File-

Vault can also be set up with an institutional recovery key.

Data passed in via stdin should be a property list using the example format below. When enabling FileVault,

the top level Username and Password key values must be an existing user. When disabling and when adding addi-

tional users, the top level Username key is ignored, and the Password key value should either be an existing

FileVault user password or the recovery key. If a password is not in the dictionary, the tool will prompt for

it. Username parameters should be short names of existing users.

With the -keychain option, an institutional recovery key can be set up by placing an X.509 asymmetric public

certificate in the /Library/Keychains/FileVaultMaster.keychain file. security create-filevaultmaster-keychain

can be used to create the keychain. Alternatively a certificate can be passed in by using the -certificate

option and entering the path to the DER encoded certificate file. In this case the FileVaultMaster.keychain

file will be created using the certificate.

If you do not want a recovery key returned, use the -norecoverykey option. This should only be used when an

institutional recovery key has been configured.

The list command will display the short names and UUIDs of any enabled FileVault users. The remove command

will remove a user from FileVault.

The syncusers command synchronizes Open Directory attributes (e.g. user pictures) with FileVault users, and

removes FileVault users that were removed from Open Directory. It does not add users to FileVault.

VERBS

Each verb is listed with its description and individual arguments.

help

Shows abbreviated help

list [-verbose]

List enabled users.

enable [[[-user username ...] [-usertoadd added_username ...]] | [-inputplist]] [-outputplist] [-prompt]

[-forcerestart] [-keychain | [-certificate path_to_cer_file]] [-defer file_path] [-norecoverykey]

[-verbose]

Enables FileVault.

disable [-verbose]

Disables FileVault.

status [-verbose]

Returns current status about FileVault.

sync

Synchronizes information from Open Directory to FileVault.

add -usertoadd added_username ... | -inputplist [-prompt] [-verbose]

Adds additional FileVault users.

remove -uuid user_uuid | -user username [-verbose]

Removes enabled user from FileVault.

isactive

Returns status 0 if FileVault is enabled.

version

Displays current tool version.

OPTIONS

-defer file_path

Defer enabling FileVault until the user password is obtained, and recovery key and system information

will be written to the file path.

-user user_shortname

Short user name.

-uuid user_uuid

User UUID in canonical form: 11111111-2222-3333-4444-555555555555.

-usertoadd added_user

Additional user(s) to be added to FileVault.

-inputplist

Acquire configuration information from stdin when enabling or adding users to FileVault.

-prompt

Always prompt for information.

-forcerestart

Force a restart after FileVault has been successfully configured.

-outputplist

Outputs the recovery key and additional system information to stdout.

-keychain

Use the institutional recovery key stored in /Library/Keychains/FileVaultMaster.keychain.

-certificate path_to_cer_file

Use the certificate data located at the path. Any existing /Library/Keychains/FileVaultMaster.key-

chain file will be moved away with the location logged in the system log.

-norecoverykey

Do not return a recovery key.

DEFERRED ENABLEMENT

The -defer option can be used with the enable command option to delay enabling FileVault until after the cur-

rent (or next) user logs out, thus avoiding the need to enter a password when the tool is run. The user will

be prompted at logout time for the password, at which point an attempt will be made to enable FileVault. If

the volume is not already a CoreStorage volume, the system may need to be restarted to start the encryption

process. Logout dialogs are automatically dismissed and canceled after 60 seconds if no interaction occurs

and the user will be prompted again at the next logout time.

The -defer option sets up a single user to be added to FileVault. If there was no user specified (e.g. with-

out the -user option), then the currently logged in user will be added to the configuration and becomes the

designated user. If there is no user specified and no users are logged in at the time of configuration, then

the next user that logs in will be used as the designated user.

As recovery key information is not generated until the user password is obtained, the -defer option requires

a path where this information will be written to. The property list file will be created as a root-only read-

able file and should be placed in a secure location.

Options that can be used in conjunction with the defer option include: -keychain, -certificate, -user, and

-norecoverykey.

Note that if the designated user doesn't complete the set-up at logout, FileVault will not be enabled, and

the configuration will remain and be used again for the designated user's next logout, thereby 'nagging' the

user to enable FileVault. To remove an active deferred enablement configuration, use the disable command.

EXAMPLES

fdesetup enable -user sally -usertoadd johnny -usertoadd henry -outputplist > /secureplace/mykeyinfo.plist

Enables FileVault, adds users sally, johnny and henry to the EFI login, and outputs the recovery key

and other information into the file. Note that the user sally here does not have more privileges

than the other added users.

fdesetup enable -keychain -norecoverykey

Enables FileVault using an institutional recovery key in the FileVaultMaster.keychain file. No per-

sonal recovery key will be created.

fdesetup enable -defer /MykeyAndInfo.plist

Enables FileVault when the current user logs out and successfully enters their password and then

writes the personal recovery key and other relevant information to the file.

fdesetup enable -certificate /mycertfile.cer

Enables FileVault with an institutional recovery key based off the certificate data in the DER

encoded file. A FileVaultMaster.keychain file will be created automatically.

fdesetup enable -inputplist < /someinfo.plist

Enables FileVault using information from the property list read in from stdin.

fdesetup status

Shows the current status of FileVault.

fdesetup list

Lists the current FileVault users.

fdesetup remove -uuid A6C75639-1D98-4F19-ACD5-1892BAE27991

Removes the user with the UUID from the FileVault users list.

fdesetup isactive

Returns with exit status zero if FileVault is enabled and active.

fdesetup add -usertoadd betty

Adds the user betty to the existing FileVault setup.

EXIT STATUS

The exit status of the tool is set to indicate whether any error was detected. The values returned are:

0 No error, or successful operation.

1 FileVault is Off.

2 FileVault appears to be On but Busy.

11 Authentication error.

12 Parameter error.

13 Unknown command error.

14 Bad command error.

15 Bad input error.

16 Legacy FileVault error.

17 Added users failed error.

18 Unexpected keychain found error.

19 Keychain error. This usually means the FileVaultMaster keychain could not be moved or

replaced.

20 Deferred configuration setup error.

21 Enable failed (Keychain) error.

22 Enable failed (CoreStorage) error.

23 Enable failed (DiskManager) error.

24 Already enabled error.

25 Unable to remove user.

99 Internal error.

***************************************************

sudo fdesetup version

fdesetup: Version 1.30

------------------------------------------------------------

sudo fdesetup status

FileVault is Off.

------------------------------------------------------------

sudo fdesetup help

Sets up FileVault for the current boot volume.

Usage: fdesetup <verb> <options>

Use the man page for expanded help.

Verbs:

help

enable Enable FileVault and optionally add user(s)

disable Disable FileVault

status Return current FileVault status

add Add user(s) to existing FileVault

remove Remove user from FileVault

sync Synchronize existing FileVault user information

version

Options:

-prompt Always prompt for recovery user information. Only works for the recovery user.

-defer <filepath> Defer enabling FileVault until after the user logs out, and writes key and computer information to the file.

-forcerestart Force a restart without confirmation immediately after successfully enabling FileVault

-inputplist Reads configuration info from stdin.

-outputplist Outputs key and computer info to stdout.

-user <username> short user name.

-uuid <uuid> User UUID.

-usertoadd <username> Additional user name when enabling or adding users.

-keychain Use the FileVaultMaster.keychain to add an institutional recovery key when enabling FileVault

-norecoverykey Do not return a recovery key when enabling FileVault

-certificate <certificate path> Path to a DER encoded certificate file to use during enabling

-verbose