This repository has been archived by the owner on Sep 16, 2021. It is now read-only.

ClientBeneathTheSurface

Maxim Ermilov edited this page Dec 21, 2016 · 3 revisions

Introduction

This page is an optional read for those that are interested in how the client works. It is not required for getting the client or server up and running.

Details

The Cauliflower Vest client uses the same Apple API that is called when the "Enable FileVault..." button is clicked in the Security Preference Pane.

If you've used FileVault 2, you've seen that a recovery key looks like this:

DT3F-D35F-4RV3-GVHE-IJMT-IZFZ

This is also called a "license plate" recovery key (Apple's term is the personal recovery key), and it is the code that unlocks an encrypted disk without any user's password. The Cauliflower Vest client starts encryption and receives the license plate recovery key from that API call. From there, the client passes the recovery key to the server over SSL, and the server encrypts the recovery key before storage, so the escrow database never holds plaintext keys.
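The escrow step described above, as an added example that is not Cauliflower Vest's own client code. It assumes the recovery key arrives as a plist with a top-level `RecoveryKey` string (the layout `fdesetup enable -outputplist` prints on current macOS; the page's client obtains the key through an Apple API instead), validates the license plate shape before anything is sent, and builds the TLS context a client should use so that the key only ever goes to a server whose certificate verifies. The request layout and the `ca_pem_path` pinning option are illustrative, and the sample plist is constructed, not captured from a machine.

```python
"""Validate a FileVault 2 "license plate" recovery key and prepare it for
escrow.  Added example; not Cauliflower Vest's own client code.

Assumptions (not from the wiki page): the key is obtained as a plist with a
top-level "RecoveryKey" string, which is what `fdesetup enable -outputplist`
prints on modern macOS; the real client uses an Apple API rather than
fdesetup.  The escrow request layout is illustrative.
"""
import json
import plistlib
import re
import ssl
from typing import Optional

# Shape of the personal recovery key shown on the page: six groups of four
# upper-case letters/digits separated by hyphens.  The exact alphabet Apple
# draws from is not documented here, so "alphanumeric" is an assumption.
_KEY_RE = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")

# Constructed sample of fdesetup-style output; not captured from a real machine.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>RecoveryKey</key>
    <string>DT3F-D35F-4RV3-GVHE-IJMT-IZFZ</string>
    <key>HardwareUUID</key>
    <string>00000000-0000-0000-0000-000000000000</string>
    <key>SerialNumber</key>
    <string>C02XXXXXXXXX</string>
</dict>
</plist>
"""


def is_license_plate_key(key: str) -> bool:
    """True if key matches the 6x4 license-plate layout."""
    return bool(_KEY_RE.match(key))


def extract_recovery_key(plist_bytes: bytes) -> str:
    """Pull the recovery key out of plist output and validate its shape.

    Raises ValueError rather than escrowing a malformed value: a garbled key
    that escrows "successfully" is worse than a failed escrow, because the
    machine then looks recoverable when it is not.
    """
    data = plistlib.loads(plist_bytes)
    key = data.get("RecoveryKey")
    if not isinstance(key, str) or not is_license_plate_key(key):
        raise ValueError("missing or malformed recovery key in plist output")
    return key


def build_escrow_request(plist_bytes: bytes) -> dict:
    """Fields the client would send to the escrow server (illustrative layout)."""
    data = plistlib.loads(plist_bytes)
    return {
        "serial": data.get("SerialNumber"),
        "hardware_uuid": data.get("HardwareUUID"),
        "recovery_key": extract_recovery_key(plist_bytes),
    }


def encode_escrow_request(plist_bytes: bytes) -> bytes:
    """JSON body for the HTTPS POST."""
    return json.dumps(build_escrow_request(plist_bytes), sort_keys=True).encode()


def make_escrow_tls_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS client settings for shipping the key.

    The server must present a certificate that chains to a trusted CA and
    matches the hostname; otherwise anyone on the path could harvest recovery
    keys for every machine that enrolls.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem_path:
        # Optional: trust only the organisation's CA instead of the system store.
        ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


if __name__ == "__main__":
    print(encode_escrow_request(SAMPLE_PLIST).decode())
```

To actually send the request, pass the context to `http.client.HTTPSConnection(host, context=make_escrow_tls_context())`; the point of building it explicitly is that hostname checking and certificate verification stay on even if someone later "fixes" a certificate error by loosening the client.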

Why not FileVaultMaster.keychain?

Apple's guidance for enterprise deployments is to create a keychain named FileVaultMaster.keychain that holds an institutional recovery key (a certificate and its private key) able to unlock any disk encrypted with it.

A single shared keychain is a large security issue. First, once it is set on a machine, the private key cannot be rotated for that disk. This means that anyone who obtains a copy of FileVaultMaster.keychain and its password (for example, a help desk technician who needs to assist a user) can unlock the encrypted disk forever; the only remedy is to decrypt and re-encrypt the machine. The problem is amplified greatly when the same FileVaultMaster.keychain is used for every machine in the enterprise, because one leaked keychain then unlocks every disk.

Instead, Cauliflower Vest uses a unique recovery key per machine. This could have been implemented either with a unique FileVaultMaster.keychain per machine or with the already-unique "license plate" recovery keys; the client uses the latter, which is why it returns the license plate key described above. A compromised key then exposes one machine rather than the whole fleet, and it can be replaced by generating a new recovery key for that machine alone.
