problems ingesting FileVault encrypted keys with newlines in them

[roperzh]

Fleet version: 4.31.1

🧑‍💻  Expected behavior

FileVault keys with newlines in it are correctly decrypted.

💥  Actual behavior

Sometimes, Fleet is not able to decrypt the key

More info

To get the contents of /var/db/FileVaultPRK.dat , base64-encoded we're using:

SELECT to_base64(group_concat(line, x'0a')) as filevault_key FROM file_lines WHERE path='/var/db/FileVaultPRK.dat'

but that's not good and sometimes fails because:

1. the order in which group_concat appends the lines is not deterministic, nor guaranteed to be the right order
2. we assume that 0a was the character used to split the line

An idea could be to write a custom table to retrieve the info base-64 encoded on the client.

some useful info from Lucas:

• Tables are split into little packages: https://github.com/fleetdm/fleet/tree/main/orbit/pkg/table
• Darwin tables are included here: https://github.com/fleetdm/fleet/blob/main/orbit/pkg/table/extension_darwin.go

[zayhanlon]

hello @roperzh  - do we expect this to be resolved by the sprint end next Friday?

[roperzh]

@zayhanlon probably a question for @georgekarrv !

[georgekarrv]

We will have this near the top of the bug priorities for this sprint but it also could push to next release.

[sabrinabuckets]

Tested with removal & regeneration of existing recovery key—key was successfully re-escrowed to Fleet. Tested multiple new host enrollments & verified recovery key is successfully escrowed.

Given the consistent successful escrowing & the extraordinarily niche (and difficult to test) scenario that created this issue, I am confident we should be clear here. @roperzh or @gillespi314 if either of you have any specific scenarios you would like me to test on Monday I am happy to dive back in, otherwise if there are no objections I'll move it along.

[fleet-release]

Ingesting keys with care, Fleet's harmony in air. Cloud city's secure layer.