  • Stars: 164
  • Rank 230,032 (Top 5 %)
  • Language: Go
  • License: Apache License 2.0
  • Created about 9 years ago
  • Updated 3 months ago


Crypt

WARNING: As this has the potential for stopping users from logging in, extensive testing should take place before deploying into production.

Crypt is an authorization plugin that enforces FileVault 2 and then submits the recovery key to an instance of Crypt Server. Crypt supports macOS 11 and 12. For versions below 11.0, please use version 4.0.0. For versions below 10.12, please use version 2 and below.

Version 3.0.0 now supports 10.12 and above, previous macOS version support has been deprecated!

When using Crypt with macOS 10.15 and higher, you will also need to deploy a PPPC (Privacy Preferences Policy Control) TCC profile via user-approved MDM to allow Crypt to enable FileVault. An example can be found here.

Features

  • Uses a native authorization plugin, so FileVault enforcement cannot be skipped.
  • Escrow is delayed until there is an active user, so FileVault can be enforced while the Mac is offline.
  • Administrators can specify a list of usernames that do not have to enable FileVault (an IT admin account, for example).

Configuration

Preferences can be set either in /Library/Preferences/com.grahamgilbert.crypt.plist or via MCX / Profiles. An example profile can be found here.

ServerURL

The ServerURL preference sets your Crypt Server. Crypt will not enforce FileVault if this preference isn't set.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ServerURL "https://crypt.example.com"

SkipUsers

The SkipUsers preference allows you to define an array of users that will not be forced to enable FileVault.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt SkipUsers -array-add adminuser

RemovePlist

By default, the plist with the FileVault Key will be removed once it has been escrowed. In a future version of Crypt, there will be the possibility of verifying the escrowed key with the client. In preparation for this feature, you can now choose to leave the key on disk.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RemovePlist -bool FALSE

RotateUsedKey

For macOS 10.14 and below, Crypt2 can rotate the recovery key if the key is used to unlock the disk. There is a small caveat: this feature only works if the key is still present on the disk. This is set to TRUE by default.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RotateUsedKey -bool FALSE

For macOS 10.15 and above, you may want to use the ROTATE_VIEWED_SECRETS key in Crypt Server if you want the client to get instructions to rotate the key.

ValidateKey

Crypt2 can validate the recovery key if it is stored on disk. If the key fails validation, the plist is removed so it can be regenerated on next login. This is set to TRUE by default.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ValidateKey -bool FALSE

OutputPath

As of version 3.0.0 you can define a different location for the recovery key to be written to. The default is '/var/root/crypt_output.plist'.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt OutputPath "/path/to/different/location"

KeyEscrowInterval

As of version 3.0.0 you can define the interval, in hours, at which Crypt tries to re-escrow the key after the first successful escrow. The default is 1 hour.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt KeyEscrowInterval -int 2

AdditionalCurlOpts

The AdditionalCurlOpts preference allows you to define an array of additional curl options that are added to the curl command Crypt runs during check-in to escrow the key to Crypt Server.

$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt AdditionalCurlOpts -array-add "--tlsv1.3"

PostRunCommand

(Introduced in version 3.2.0) This is a command that is run after Crypt has detected an error condition with a stored key that cannot be resolved silently - either it has failed validation or the server has instructed the client to rotate the key. These cannot be resolved silently on APFS volumes, so the user will need to log in again. If you have a tool that can enforce a logout or a reboot, you can run it here. This preference can either be a string if your command has no spaces, or an array if there are spaces in the command.
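As an added example (not part of the Crypt project), the following Python script assembles the preference keys listed above into the com.grahamgilbert.crypt plist and type-checks them before deployment, since a malformed preference set can stop users from logging in. The https-only rule for ServerURL, the sample server name, the admin account and the PostRunCommand path are assumptions made for the example.

```python
import plistlib
# Expected value type for each key documented in the Configuration section.
SCHEMA = {
    "ServerURL": str,
    "SkipUsers": list,
    "RemovePlist": bool,
    "RotateUsedKey": bool,
    "ValidateKey": bool,
    "OutputPath": str,
    "KeyEscrowInterval": int,
    "AdditionalCurlOpts": list,
    "PostRunCommand": (str, list),  # string, or array when the command has spaces
}

def validate_prefs(prefs):
    """Return a list of problems; an empty list means the prefs look deployable."""
    problems = []
    url = prefs.get("ServerURL")
    if not url:
        # Documented behaviour: without ServerURL, Crypt does not enforce FileVault.
        problems.append("ServerURL missing: FileVault will not be enforced")
    elif not (isinstance(url, str) and url.startswith("https://")):
        problems.append("ServerURL: must be an https:// URL (assumed policy)")
    for key, value in prefs.items():
        expected = SCHEMA.get(key)
        if expected is None:
            problems.append(f"{key}: not a documented Crypt preference")
        elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            problems.append(f"{key}: wrong value type {type(value).__name__}")
    for key in ("SkipUsers", "AdditionalCurlOpts"):
        items = prefs.get(key, [])
        if isinstance(items, list) and any(not isinstance(x, str) for x in items):
            problems.append(f"{key}: every entry must be a string")
    return problems

def build_plist(prefs):
    """Serialize validated prefs to XML plist bytes; raise if validation fails."""
    problems = validate_prefs(prefs)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(prefs)

# Constructed sample values: the server name and the admin account are placeholders.
SAMPLE_PREFS = {
    "ServerURL": "https://crypt.example.com",
    "SkipUsers": ["adminuser"],
    "KeyEscrowInterval": 2,
    "AdditionalCurlOpts": ["--tlsv1.3"],
    "PostRunCommand": ["/usr/local/bin/force-logout", "--now"],
}
```

Write the returned bytes to /Library/Preferences/com.grahamgilbert.crypt.plist as root, or carry the same dictionary into the payload of your configuration profile.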

Uninstalling

The install package will modify the Authorization DB - you need to remove these entries before removing the Crypt Authorization Plugin. A script that will do this can be found at Package/uninstall.

Building from source

You will need to configure Xcode 9.3 (requires 10.13.2 or later) to sign the bundle before building. Instructions for this are out of the scope of this readme, and are available on Apple's site.

Credits

Crypt 2 couldn't have been written without the help of Tom Burgin - he is responsible for all of the good code in this project. The bad bits are mine.
