munkireport / filevault_escrow
Module for munkireport.
This package is auto-updated.
Last update: 2024-12-20 05:57:19 UTC
README
Integration with the Crypt authentication plugin
The table provides the following information per client:
- enableddate - The date FileVault was enabled
- enableduser - Users added to the EFI login (authorized to unlock the drive)
- lvguuid - (CoreStorage) Logical Volume Group UUID
- lvuuid - (CoreStorage) Logical Volume UUID
- pvuuid - (CoreStorage) Physical Volume UUID
- recoverykey - The personal recovery key
- Also added is hddserial - The serial number of the hard drive
Remarks
The workflow:
- Create a crypto key by calling vendor/bin/generate-defuse-key in the root of the munkireport directory. Add the resulting key to .env as ENCRYPTION_KEY=def00000505fe726...34
- Install and configure Crypt. Make sure to prevent the removal of the plist:
$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt RemovePlist -bool FALSE
The recovery key is encrypted before it enters the database and is decrypted after retrieval. Don't lose the encryption key or your recovery keys are lost forever!
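A preflight check for the ENCRYPTION_KEY entry described above, as an added example that is not part of the module or of Crypt. It assumes the defuse/php-encryption ASCII-safe key layout (hex of a 4-byte def00000 header, a 32-byte key and a SHA-256 checksum over both), which this page does not state; all function names are hypothetical and the sample key is constructed.

```python
import hashlib
import re

# Assumed layout of a defuse/php-encryption ASCII-safe key (not stated on this page):
# hex( 4-byte header | 32-byte key | SHA-256(header | key) )
HEADER = bytes.fromhex("def00000")
KEY_LEN = 32
SUM_LEN = hashlib.sha256().digest_size


def read_encryption_key(env_text):
    """Return the value of the single ENCRYPTION_KEY line in .env text."""
    found = []
    for line in env_text.splitlines():
        m = re.match(r"\s*ENCRYPTION_KEY\s*=\s*(.*?)\s*$", line)
        if m:
            found.append(m.group(1).strip("\"'"))
    if len(found) != 1:
        raise ValueError(f"expected one ENCRYPTION_KEY line, found {len(found)}")
    return found[0]


def check_key(encoded):
    """Return a list of problems; an empty list means the key text is intact."""
    if not re.fullmatch(r"[0-9a-fA-F]+", encoded) or len(encoded) % 2:
        return ["not a hex string (truncated, elided or mistyped)"]
    raw = bytes.fromhex(encoded)
    expected = len(HEADER) + KEY_LEN + SUM_LEN
    problems = []
    if len(raw) != expected:
        problems.append(f"decoded length {len(raw)}, expected {expected}")
    if raw[:len(HEADER)] != HEADER:
        problems.append("unexpected header")
    if hashlib.sha256(raw[:-SUM_LEN]).digest() != raw[-SUM_LEN:]:
        problems.append("checksum mismatch")
    return problems


def fingerprint(encoded):
    """Short tag for comparing .env with an offline backup without showing the key."""
    return hashlib.sha256(encoded.lower().encode()).hexdigest()[:16]


def constructed_sample_key():
    """Constructed sample in the assumed layout; never use it as a real key."""
    body = HEADER + bytes(range(KEY_LEN))
    return (body + hashlib.sha256(body).digest()).hex()


if __name__ == "__main__":
    env = "APP_NAME=munkireport\nENCRYPTION_KEY=" + constructed_sample_key() + "\n"
    key = read_encryption_key(env)
    print(check_key(key) or "key OK", "fingerprint", fingerprint(key))
```

Run it against the real .env and against the backup copy of the key; matching fingerprints and an empty problem list mean the backup can still decrypt the escrowed recovery keys.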
You can set ServerURL in the Crypt preferences to a special URL that responds in a way that makes the Crypt client stop attempting to escrow.
$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt ServerURL "http://munkireportURL/index.php?/module/filevault_escrow/index/"
The client will then check in at munkireporturl/index.php?/module/filevault_escrow/index/checkin.
Dependencies
This module depends on the filevault_status model to provide the current status of FileVault and to list the user accounts that are authorized to unlock the drive.