Apple’s FileVault 2 encrypts the entire disk, so all data contained therein (regardless of the number of users the Mac is shared with) is essentially scrambled to everyone except people who have the credentials to unlock the disk and decrypt the data. By design, FileVault grants this authorization only to the account that enables the feature; other accounts can be added to the enabled list later.
This implementation gives the primary user (i.e., the user who enables FileVault initially) greater control, permitting that person to unlock the disk, decrypt data, and even remove FileVault altogether. The primary user also receives the personal recovery key; if access to the account is lost, that person can use the key to unlock the disk and restore access to the data. A caveat: all of this rests on a single user, typically with no centralized management of which users are allowed to unlock the disk; IT may or may not have access to the device for management; and, worse, there is no method of accounting for the recovery keys generated for each device in the organization.
Fortunately, Apple has included a command-line-based way to essentially have your cake and eat it too, allowing for management of recovery keys, configuration of the user accounts that can unlock the disks, and ongoing management of the devices that does not compromise user data or its confidentiality. Below are three ways to automate a FileVault deployment, including slight tweaks to better suit the needs of your organization.
Note: This article is included in the free PDF download Apple FileVault 2: Tips for IT pros.
- Administrative Mac computer or server with macOS Yosemite or later installed
- Client Mac computer(s) with macOS Yosemite or later installed
- Administrative credentials
- Switched network (optional, though highly recommended if deploying over the network)
How to automate FileVault with a personal recovery key for a single user
fdesetup enable -user UserName -outputplist > /path/to/share/filename.plist
This method enables encryption, adds the stated user as an account authorized to unlock the disk, and generates a personal recovery key that is written to a .plist file in a centralized location for safeguarding.
How to automate FileVault with personal recovery keys for multiple users
fdesetup enable -inputplist < /path/to/share/filename.plist -outputplist > /path/to/share/recoverykey.plist
The method for adding multiple users while enabling FileVault is nearly identical to the single-user command, except that the administrator creates a specially formatted .plist file (found below) that includes the usernames and passwords of all the accounts to be added to the FileVault authorized users list. The -outputplist switch writes the generated recovery key to a second .plist file; give it a different name from the input file, because the shell truncates the output file before fdesetup reads the input.
Note: While this method allows for the addition of multiple users, it does so by requiring the usernames and passwords of the accounts to be stored in plain text, which is bad security practice. So, use this at your own risk.
fdesetup add -usertoadd UserName
If multiple users of a device must be authorized to unlock an encrypted disk, using the -usertoadd switch followed by the user’s account name adds that account to the authorized list.
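As an added example (not the article’s own code), the following script builds the input .plist that the multi-user command above expects and streams it to fdesetup over a pipe instead of storing it on the share, which avoids leaving the credentials in a plain-text file. The function names and the account names and passwords are assumptions; it must run as root on the client Mac.

```bash
#!/bin/bash
# Added example, not from the article: build the fdesetup input plist in memory
# and hand it to "fdesetup enable -inputplist" over a pipe, so the account
# passwords never sit in a file on the share. The plist that fdesetup returns
# (it carries the personal recovery key) is saved with owner-only permissions.

# Escape the five XML special characters so a password like 'p&w<1>' cannot
# break (or inject into) the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Emit the plist fdesetup expects on stdin: the enabling (primary) user, then
# any further accounts to authorize under AdditionalUsers.
# Usage: build_fv_plist primary_user primary_pw [user pw ...]
build_fv_plist() {
    local user="$1" pw="$2"; shift 2
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' '<dict>' \
        '  <key>Username</key>' "  <string>$(xml_escape "$user")</string>" \
        '  <key>Password</key>' "  <string>$(xml_escape "$pw")</string>"
    if [ "$#" -ge 2 ]; then
        printf '%s\n' '  <key>AdditionalUsers</key>' '  <array>'
        while [ "$#" -ge 2 ]; do
            printf '%s\n' '    <dict>' \
                '      <key>Username</key>' "      <string>$(xml_escape "$1")</string>" \
                '      <key>Password</key>' "      <string>$(xml_escape "$2")</string>" \
                '    </dict>'
            shift 2
        done
        printf '%s\n' '  </array>'
    fi
    printf '%s\n' '</dict>' '</plist>'
}

# On the client Mac, as root: enable FileVault for the given accounts and save
# the returned recovery-key plist to $1 with mode 0600 (umask in a subshell so
# the caller's umask is untouched). Add -forcerestart to the fdesetup call if
# the Mac should reboot immediately and begin encrypting.
# Usage: enable_filevault /path/to/share/recoverykey.plist admin 'pw' alice 'pw2'
enable_filevault() {
    local out="$1"; shift
    ( umask 077 && build_fv_plist "$@" | fdesetup enable -inputplist -outputplist > "$out" )
}
```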
How to automate FileVault with an institutional recovery key
fdesetup enable -keychain -norecoverykey
If keeping track of multiple keys creates too much administrative overhead when managing FileVault, implementing an institutional key that leverages Keychain provides the same level of recoverability while making things easier to manage.
For this deployment to work, the command only needs to be run on one computer, preferably an administrative station, so that it creates FileVaultMaster.keychain in the Keychain app. Once it is created, follow the steps outlined by Apple in its excellent write-up for configuring the keychain. Then deploy the keychain using your favorite method to each Mac in your environment and run the command above to turn on FileVault. The recovery key should be detected in the keychain for your institution.
Note: After enabling FileVault, each client device should be rebooted for the changes to take effect and the encryption process to begin. Appending the -forcerestart switch to the end of any of the commands listed above triggers the device to restart and complete the process.