Mac OS X: FileVault 2 extensions in Mountain Lion 10.8
The newly released Mountain Lion 10.8 brings an improvement to FileVault 2: the management tool fdesetup. When FileVault 2 was introduced in Lion, its functionality was fully adequate for an individual user's disk-encryption needs, but it lacked the tooling needed for management in an enterprise environment, that is, multi-user support, status monitoring and recovery. With the release of Mountain Lion this weakness is starting to be addressed.
The management command fdesetup provides the following functions:
- Turn FileVault on or off
- Support a personal recovery key, an institutional recovery key, or both at the same time
- Add/remove multiple users who can log in on a machine with FileVault enabled
- Get the list of users who can log in on a FileVault machine
- Report FileVault's encryption/decryption status
Because it is a command-line tool, it gives administrators a flexible way to manage FileVault, whether remotely or for monitoring, and makes FileVault easier to deploy and administer in the enterprise, giving system administrators an effective way to work more efficiently. As administrators grow more comfortable with it, more enterprise users are likely to adopt it.
Below is a concrete look at what it can do and how.
Note: because it modifies the system, running this command requires administrator (root) privileges.
- Enabling FileVault from the command line. In its simplest form only the following command is needed:
sudo fdesetup enable
Then enter the user name and password of the user who will unlock FileVault at boot. On success it prints the FileVault recovery key, which the administrator must keep in a safe place.
Enter the primary user name: tonyliu
Enter the password for the user 'tonyliu':
==== EFILoginCopyUserGraphics ===
Recover key = 'MMN6-PO7N-RKMG-5MOT-YVT2-8BN3
Please reboot to complete the process.
- Multiple users can be added at the same time FileVault is enabled with the following command:
sudo fdesetup enable -user username -usertoadd another_username -usertoadd onemore_username
It then prompts the administrator for each user's password in turn and finally prints a recovery key. This is how several users are added at once.
- For administrators who want to add users in a more automated way, the command accepts a file in a specific Plist format. The text of that Plist file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>username</string>
    <key>Password</key>
    <string>password</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>username</string>
            <key>Password</key>
            <string>password</string>
        </dict>
        <dict>
            <key>Username</key>
            <string>username</string>
            <key>Password</key>
            <string>password</string>
        </dict>
    </array>
</dict>
</plist>
Note that all the passwords are in plaintext, which could count as a drawback. Viewed in Property List Editor it is easier to read, as in the figure below:
To use this Plist file from the command line:
sudo fdesetup enable -inputplist < /path/to/FilVault.plist
It then no longer asks for the users' passwords; it prints the recovery key directly and exits.
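As an added example (not code from the original post or from Apple), the plist above can be generated with Python's standard plistlib instead of hand-editing XML, which also avoids typos in the key names. The helper names build_input_plist, parse_input_plist, write_private, is_owner_only and run_fdesetup are this example's own, and the account names and passwords are constructed sample values:

```python
"""Build the property list that `fdesetup -inputplist` reads from stdin.

Added example for this post, not Apple's code. The dictionary layout
(Username / Password / AdditionalUsers) follows the plist shown above;
the helper functions and file handling are assumptions of this example.
"""
import os
import plistlib
import subprocess
import tempfile


def build_input_plist(primary_user, primary_password, additional=()):
    """Return XML plist bytes in the layout fdesetup expects.

    `additional` is an iterable of (username, password) pairs.  For
    `fdesetup add` the top-level Username is ignored and Password may be
    either an enabled FileVault user's password or the recovery key.
    """
    payload = {
        "Username": primary_user,
        "Password": primary_password,
        "AdditionalUsers": [
            {"Username": user, "Password": password}
            for user, password in additional
        ],
    }
    # sort_keys=False keeps the key order shown on the page.
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=False)


def parse_input_plist(data):
    """Read the plist back (useful to verify what will be sent)."""
    return plistlib.loads(data)


def write_private(data, directory=None):
    """Write plist bytes to a file readable only by its owner (mode 0600).

    The file carries plaintext passwords, so it must never be created in a
    world-readable location, and it should be deleted as soon as fdesetup
    has consumed it.
    """
    fd, path = tempfile.mkstemp(suffix=".plist", dir=directory)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def is_owner_only(path):
    """True if no group/other permission bits are set on the file."""
    return (os.stat(path).st_mode & 0o077) == 0


def run_fdesetup(verb, plist_bytes):
    """Pipe the plist into `sudo fdesetup <verb> -inputplist` on stdin.

    Feeding stdin directly avoids leaving a password file on disk at all.
    Only meaningful on a Mac with fdesetup; never called by the example itself.
    """
    result = subprocess.run(
        ["sudo", "fdesetup", verb, "-inputplist"],
        input=plist_bytes, capture_output=True, check=False,
    )
    return result.returncode, result.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Constructed sample accounts, not real ones.
    data = build_input_plist("username", "password",
                             [("second", "secret2"), ("third", "secret3")])
    print(data.decode())
```

Because the plist holds plaintext passwords, prefer run_fdesetup (stdin, nothing written to disk); if a file is required, write_private creates it with mode 0600 and the caller should unlink it right after use.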
- Disabling FileVault is just as simple:
sudo fdesetup disable
- Adding a user after FileVault has been enabled:
sudo fdesetup add -usertoadd admin
It also supports adding users from a plist file:
sudo fdesetup add -inputplist < /path/to/filename.plist
The plist format is the same as above, except that the primary user name is ignored; the password given for it can be either that user's password or the recovery key value.
- List the enabled users with:
sudo fdesetup list
- Remove a user with:
sudo fdesetup remove -user username
or, if you know the user's UUID:
sudo fdesetup remove -uuid UUID_here
- Check the current FileVault status with:
sudo fdesetup status
The possible statuses are:
- On (FileVault is On.)
- Being enabled (Encryption in process: Percent of complete=45)
- Off (FileVault is Off.)
- On after restart (FileVault is Off, but need a restart to be enabled.)
- Off after restart (FileVault is Off, but need a restart to finish.)
- Decrypting (Decryption in process: Percent of complete=45).
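For monitoring, the status strings above and the `name,UUID` lines from `fdesetup list` are easy to parse. The following is an added example (not from the original post or Apple) of a small Python checker that maps the status output to a state, turns the user list into a dictionary, flags enabled users that are not on an expected list, and explains exit codes using the table from the fdesetup man page. The sample outputs are constructed from the strings shown on this page; the function names parse_status, parse_list, audit_users, describe_exit and check_host are this example's own:

```python
"""Interpret `fdesetup status` / `fdesetup list` output for monitoring.

Added example for this post, not Apple's code.  It only parses text; the
sample inputs are constructed from the status strings and list lines shown
on this page.  check_host() runs the real commands and needs a Mac and root.
"""
import re
import subprocess

# Exit status table from the fdesetup man page quoted on this page.
EXIT_CODES = {
    0: "No error, or successful operation.",
    1: "FileVault is Off.",
    2: "FileVault appears to be On but Busy.",
    11: "Authentication error.",
    12: "Parameter error.",
    13: "Unknown command error.",
    14: "Bad command error.",
    15: "Bad input error.",
    16: "Legacy FileVault error.",
    17: "Added users failed error.",
    18: "Unexpected keychain found error.",
    19: "Keychain error.",
    20: "Deferred configuration setup error.",
    21: "Enable failed (Keychain) error.",
    22: "Enable failed (CoreStorage) error.",
    23: "Enable failed (DiskManager) error.",
    24: "Already enabled error.",
    25: "Unable to remove user.",
    99: "Internal error.",
}

# Accept both spellings seen on this page: the post's
# "Encryption in process: Percent of complete=45" and the tested
# "Encryption in progress: Percent completed = 16.50".
_PROGRESS = re.compile(
    r"^(Encryption|Decryption) in pro(?:cess|gress):\s*Percent"
    r"(?: of complete|\s+completed)\s*=\s*([0-9.]+)", re.I)


def parse_status(text):
    """Map `fdesetup status` output to (state, percent or None)."""
    line = text.strip().splitlines()[0] if text.strip() else ""
    m = _PROGRESS.match(line)
    if m:
        state = "encrypting" if m.group(1).lower() == "encryption" else "decrypting"
        return state, float(m.group(2))
    if line.startswith("FileVault is On"):
        return "on", None
    if "restart to be enabled" in line:   # enable pending reboot
        return "pending-enable", None
    if "restart to finish" in line:       # disable pending reboot
        return "pending-disable", None
    if line.startswith("FileVault is Off"):
        return "off", None
    return "unknown", None


def parse_list(text):
    """Turn `fdesetup list` output ("name,UUID" per line) into {name: UUID}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Error"):
            continue
        name, _, uuid = line.partition(",")
        users[name] = uuid.strip().upper()
    return users


def audit_users(listed, expected):
    """Return enabled FileVault users that are not in `expected`.

    Any enabled admin can add further FileVault users (see the test log on
    this page), so an unexpected name here is worth an alert.
    """
    return sorted(set(listed) - set(expected))


def describe_exit(code):
    """Human-readable meaning of an fdesetup exit status."""
    return EXIT_CODES.get(code, "Unrecognised exit status %d" % code)


def check_host(expected):
    """On a Mac: return ((state, percent), unexpected_users)."""
    st = subprocess.run(["sudo", "fdesetup", "status"], capture_output=True, text=True)
    ls = subprocess.run(["sudo", "fdesetup", "list"], capture_output=True, text=True)
    if ls.returncode != 0:
        raise RuntimeError(describe_exit(ls.returncode))
    return parse_status(st.stdout), audit_users(parse_list(ls.stdout), expected)
```

A monitoring job would call check_host with the list of accounts that are supposed to be able to unlock the disk and alert on anything extra, as well as on a state that stays at "off" or "pending-enable".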
Compared with Google's open-source Cauliflower Vest project (see my earlier post: Mac: Cauliflower Vest and FileVault 2), the tool Apple provides this time is more complete in functionality, although for handling recovery keys Google's approach is still worth borrowing from. At present Google's project has had no further updates, and it remains to be seen whether the Google team will build more features on top of it.
I do not know whether this command will be supported in Lion's fifth release, 10.7.5; for those running Lion, Cauliflower Vest is still a good option.
Ref: Using fdesetup with Mountain Lion's FileVault 2
Update:
Tracking history:
----------------------------------------
==================================
Testing:
FileVault Primary user: fv
COMMAND: sudo fdesetup enable -user fv -usertoadd test -outputplist > /Volumes/OSX8_ESD/myKeyInfo.plist
------------------------------------------------------------
$ fdesetup list
Error: This tool requires root access to run.
------------------------------------------------------------
$ sudo fdesetup status
Encryption in progress: Percent completed = 16.50
------------------------------------------------------------
$ sudo fdesetup add -usertoadd myadmin
Error: FileVault is either Off or is Busy.
------------------------------------------------------------
$ sudo fdesetup status
FileVault is On.
------------------------------------------------------------
$ sudo fdesetup add -usertoadd myadmin
Enter the primary user name:fv
Enter the password for the user 'fv':
Enter the password for the added user 'myadmin':
------------------------------------------------------------
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
------------------------------------------------------------
#
# Wrong primary user and test user's password.
# it's added!!!
#
$ sudo fdesetup add -usertoadd test
Enter the primary user name:fvv
Enter the password for the user 'fvv':
Enter the password for the added user 'test':
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
test,39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4
#
# Test account is listed on login screen.
# test can log in with the right password, not the wrong one.
#
------------------------------------------------------------
$ sudo fdesetup remove -user test -verbose
fdesetup: user = test
User 'test' = user uuid = '39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4'.
------------------------------------------------------------
#
# Testing: entering a non-existent primary user account to add, got error.
#
$ sudo fdesetup add -usertoadd test
Enter the primary user name:a
Enter the password for the user 'a':
Enter the password for the added user 'test':
Error: Unable to add user 'test' to existing FileVault
Error: Unable to add one or more users to FileVault.
------------------------------------------------------------
#
# Testing: entering a non-primary user account to add, and wrong test account password: no error, but not added.
#
$ sudo fdesetup add -usertoadd test
Enter the primary user name:admin
Enter the password for the user 'admin':
Enter the password for the added user 'test':
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
# ###################################
#
# Test: entering admin (not the primary user) and the right test account password,
#
$ sudo fdesetup list
fv,76A3E840-4370-4173-B2BC-1139122BB364
myAdmin,93C8F83A-2C64-4504-9A16-C0E45DFCAEEF
test,39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4
#
# Any user who has admin privilege and is added in the FV2 login, can add any other user to login to FV2 machine.
#
------------------------------------------------------------
# UUID is the user's account GeneratedUID
$ dscl . read /Users/test GeneratedUID
GeneratedUID: 39079B44-22D9-4AA0-BEA2-35FBB5C7C7E4
------------------------------------------------------------
# Questions: AD/OD integrated users, how to migrate to FV2 system. how they change password, change password on another machine then how to sync the changes?
------------------------------------------------------------
# ###################################
# Primary user changing password.
# In another admin user from Users & Groups of System Preferences
# fv's password -> fv
# login : Update keychain password -> works!
# Add/Remove other FV2 accounts, with the new password, works!
# In his own account from Users & Groups of System Preferences
# not tested, but should be Ok.
# login :
# Add/Remove other FV2 accounts
#
# Other FV2 user changing password.
# not tested, but should work
------------------------------------------------------------
#
# Disable the FV2,
# enter primary user account password
$ sudo fdesetup disable
Enter the password or recovery key:
FileVault has been disabled.
$ sudo fdesetup status
Decryption in progress: Percent completed = 0.18
------------------------------------------------------------
***************************************************
MAN FDESETUP:
NAME
fdesetup -- FileVault enabling tool
SYNOPSIS
fdesetup verb [options]
DESCRIPTION
fdesetup is used to enable or disable FileVault, to list enabled FileVault users, or to add additional users
after FileVault has already been enabled. When enabling FileVault, the tool can return a recovery key.
FileVault can also be set up with an institutional recovery key.
Data passed in via stdin should be a property list using the example format below. When enabling FileVault,
the top level Username and Password key values must be an existing user. When disabling and when adding
additional users, the top level Username key is ignored, and the Password key value should either be an existing
FileVault user password or the recovery key. If a password is not in the dictionary, the tool will prompt for
it. Username parameters should be short names of existing users.
With the -keychain option, an institutional recovery key can be set up by placing an X.509 asymmetric public
certificate in the /Library/Keychains/FileVaultMaster.keychain file. security create-filevaultmaster-keychain
can be used to create the keychain. Alternatively a certificate can be passed in by using the -certificate
option and entering the path to the DER encoded certificate file. In this case the FileVaultMaster.keychain
file will be created using the certificate.
If you do not want a recovery key returned, use the -norecoverykey option. This should only be used when an
institutional recovery key has been configured.
The list command will display the short names and UUIDs of any enabled FileVault users. The remove command
will remove a user from FileVault.
The syncusers command synchronizes Open Directory attributes (e.g. user pictures) with FileVault users, and
removes FileVault users that were removed from Open Directory. It does not add users to FileVault.
VERBS
Each verb is listed with its description and individual arguments.
help
Shows abbreviated help
list [-verbose]
List enabled users.
enable [[[-user username ...] [-usertoadd added_username ...]] | [-inputplist]] [-outputplist] [-prompt]
[-forcerestart] [-keychain | [-certificate path_to_cer_file]] [-defer file_path] [-norecoverykey]
[-verbose]
Enables FileVault.
disable [-verbose]
Disables FileVault.
status [-verbose]
Returns current status about FileVault.
sync
Synchronizes information from Open Directory to FileVault.
add -usertoadd added_username ... | -inputplist [-prompt] [-verbose]
Adds additional FileVault users.
remove -uuid user_uuid | -user username [-verbose]
Removes enabled user from FileVault.
isactive
Returns status 0 if FileVault is enabled.
version
Displays current tool version.
OPTIONS
-defer file_path
Defer enabling FileVault until the user password is obtained, and recovery key and system information
will be written to the file path.
-user user_shortname
Short user name.
-uuid user_uuid
User UUID in canonical form: 11111111-2222-3333-4444-555555555555.
-usertoadd added_user
Additional user(s) to be added to FileVault.
-inputplist
Acquire configuration information from stdin when enabling or adding users to FileVault.
-prompt
Always prompt for information.
-forcerestart
Force a restart after FileVault has been successfully configured.
-outputplist
Outputs the recovery key and additional system information to stdout.
-keychain
Use the institutional recovery key stored in /Library/Keychains/FileVaultMaster.keychain.
-certificate path_to_cer_file
Use the certificate data located at the path. Any existing /Library/Keychains/FileVaultMaster.keychain
file will be moved away with the location logged in the system log.
-norecoverykey
Do not return a recovery key.
DEFERRED ENABLEMENT
The -defer option can be used with the enable command option to delay enabling FileVault until after the
current (or next) user logs out, thus avoiding the need to enter a password when the tool is run. The user will
be prompted at logout time for the password, at which point an attempt will be made to enable FileVault. If
the volume is not already a CoreStorage volume, the system may need to be restarted to start the encryption
process. Logout dialogs are automatically dismissed and canceled after 60 seconds if no interaction occurs
and the user will be prompted again at the next logout time.
The -defer option sets up a single user to be added to FileVault. If there was no user specified (e.g.
without the -user option), then the currently logged in user will be added to the configuration and becomes the
designated user. If there is no user specified and no users are logged in at the time of configuration, then
the next user that logs in will be used as the designated user.
As recovery key information is not generated until the user password is obtained, the -defer option requires
a path where this information will be written to. The property list file will be created as a root-only
readable file and should be placed in a secure location.
Options that can be used in conjunction with the defer option include: -keychain, -certificate, -user, and
-norecoverykey.
Note that if the designated user doesn't complete the set-up at logout, FileVault will not be enabled, and
the configuration will remain and be used again for the designated user's next logout, thereby 'nagging' the
user to enable FileVault. To remove an active deferred enablement configuration, use the disable command.
EXAMPLES
fdesetup enable -user sally -usertoadd johnny -usertoadd henry -outputplist > /secureplace/mykeyinfo.plist
Enables FileVault, adds users sally, johnny and henry to the EFI login, and outputs the recovery key
and other information into the file. Note that the user sally here does not have more privileges
than the other added users.
fdesetup enable -keychain -norecoverykey
Enables FileVault using an institutional recovery key in the FileVaultMaster.keychain file. No
personal recovery key will be created.
fdesetup enable -defer /MykeyAndInfo.plist
Enables FileVault when the current user logs out and successfully enters their password and then
writes the personal recovery key and other relevant information to the file.
fdesetup enable -certificate /mycertfile.cer
Enables FileVault with an institutional recovery key based off the certificate data in the DER
encoded file. A FileVaultMaster.keychain file will be created automatically.
fdesetup enable -inputplist < /someinfo.plist
Enables FileVault using information from the property list read in from stdin.
fdesetup status
Shows the current status of FileVault.
fdesetup list
Lists the current FileVault users.
fdesetup remove -uuid A6C75639-1D98-4F19-ACD5-1892BAE27991
Removes the user with the UUID from the FileVault users list.
fdesetup isactive
Returns with exit status zero if FileVault is enabled and active.
fdesetup add -usertoadd betty
Adds the user betty to the existing FileVault setup.
EXIT STATUS
The exit status of the tool is set to indicate whether any error was detected. The values returned are:
0 No error, or successful operation.
1 FileVault is Off.
2 FileVault appears to be On but Busy.
11 Authentication error.
12 Parameter error.
13 Unknown command error.
14 Bad command error.
15 Bad input error.
16 Legacy FileVault error.
17 Added users failed error.
18 Unexpected keychain found error.
19 Keychain error. This usually means the FileVaultMaster keychain could not be moved or
replaced.
20 Deferred configuration setup error.
21 Enable failed (Keychain) error.
22 Enable failed (CoreStorage) error.
23 Enable failed (DiskManager) error.
24 Already enabled error.
25 Unable to remove user.
99 Internal error.
***************************************************
sudo fdesetup version
fdesetup: Version 1.30
------------------------------------------------------------
sudo fdesetup status
FileVault is Off.
------------------------------------------------------------
sudo fdesetup help
Sets up FileVault for the current boot volume.
Usage: fdesetup <verb> <options>
Use the man page for expanded help.
Verbs:
help
enable Enable FileVault and optionally add user(s)
disable Disable FileVault
status Return current FileVault status
add Add user(s) to existing FileVault
remove Remove user from FileVault
sync Synchronize existing FileVault user information
version
Options:
-prompt Always prompt for recovery user information. Only works for the recovery user.
-defer <filepath> Defer enabling FileVault until after the user logs out, and writes key and computer information to the file.
-forcerestart Force a restart without confirmation immediately after successfully enabling FileVault
-inputplist Reads configuration info from stdin.
-outputplist Outputs key and computer info to stdout.
-user <username> short user name.
-uuid <uuid> User UUID.
-usertoadd <username> Additional user name when enabling or adding users.
-keychain Use the FileVaultMaster.keychain to add an institutional recovery key when enabling FileVault
-norecoverykey Do not return a recovery key when enabling FileVault
-certificate <certificate path> Path to a DER encoded certificate file to use during enabling
-verbose