Rotate FileVault (disk encryption) key w/o prompt

[noahtalerman]

Goal

User story
As an IT admin,
I want to escrow my end users' recovery key when they logout or restart their computer
so Fleet that rotate FileVault keys, without prompting the end user for their local macOS password.

Context

• Product designer: @noahtalerman

Why? Two reasons:

• Customers don't want to have to nag end users to take the steps to rotate their key.
• Customers don't want end users to get password fatigue. All these tools prompting for passwords make it more likely for users to enter their passwords into something malicious. This also rhymes with breaches we've heard about recently where attackers sent bookoos of push notifications and people eventually started accepting them.

Changes

• [x] End user doesn't see "Reset key" button and dialog if they need to reset their disk encryption key. Instead, the key is automatically reset the next time they log in to their Mac
  • Noah: I think we can use Escrow Buddy or imitate the approach it takes. Here's the Escrow Buddy project: https://github.com/macadmins/escrow-buddy
• [x] Guide updates: https://github.com/fleetdm/fleet/pull/21202

Product

• [x] UI changes: Figma wireframes here.
• [x] REST API changes: None.
• [x] Changes to paid features: None. Disk encryption is Fleet Premium only.
• [x] Outdated documentation changes: Remove docs that mention the end user actions to reset their FileVault key.

Engineering

• [ ] Database schema migrations: TODO

Product quality

• [ ] QA complete
• [ ] ...

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): _____

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

Noah: We want to verify that FileVault is enforced and the key is rotated and escrowed to Fleet if the customer already deployed a custom FileVault configuration profile using their old MDM solution (ex. MicroMDM)

• Without removing the old config profile, does Fleet successfully install the new (Fleet managed) FileVault profile over the old one? Does the IT admin see the states for Disk encryption in the Fleet UI (pending, verifying, verified)
• What does the end user see (if anything) when they log out and log back in? Any pop ups?

1. Step 1
2. Step 2
3. Step 3

Testing notes

Planned compatibility table:

	fleetd < v1.30	fleetd >= v1.30
Server < 4.55	OK/FileVault rotation uses system prompt	OK/FileVault rotation uses system prompt
Server >= 4.55	FileVault rotation disabled	Escrow Buddy

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Maybe Fleet can use escrow buddy for this. FYI escrow buddy doesn’t support grabbing the credentials on lock. Only works for login or restart.

Noah: This is ok

[georgekarrv]

Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @mna @roperzh

[noahtalerman]

@zayhanlon heads up that this customer request didn't make it into the upcoming sprint. I added it to FF because I think we should bring it in to next sprint.

[roperzh]

took a quick look at escrow-buddy while I was waiting at the doctor today. Under the hood, they're using this plugin to hook into the authorization service and grab the user/password. It's really exciting that we can do this

• if all we care about is delivering this feature ASAP, then downloading escrow-buddy like we do for Nudge and swiftDialog is our best bet
• if we have more time and the capacity to think long term, it would be good to try to build a plugin of our own, so we can potentially build IdP integrations and other stuff using this system.

the challenge is that these are "low level" APIs and it's not super easy to interface with them using Go

[noahtalerman]

@roperzh just curious, if the customer deployed escrow-buddy themselves, what changes would we have to make to Fleet to make the FileVault recovery keys show up in the Fleet UI?

[noahtalerman]

Hey @zayhanlon heads up, this didn't make it into the current sprint. I'm going to bring it back to FF because I think we should weigh it for the next sprint.

[noahtalerman]

Hy @Patagonia121 and @zayhanlon it looks like I forgot to pull this one off feature fest board after the last feature fest.

I just pulled it off.

Please bring back to FF if you want to discuss it.

[nonpunctual]

@noahtalerman @marko-lisica Has this been implemented or something like it?

I am not sure I understand the user story. We are already escrowing the FV key on enroll, right?

What I would like to see is a way to automatically issue a new FV key if it is used or revealed in Fleet UI or if an admin clicks a button to issue a new FV key.

Thanks.

[nonpunctual]

Added customer-sarahwu label. See: customer-sarahwu "MDM requirements" doc.

[noahtalerman]

Hey @zayhanlon, @lukeheath, and @georgekarrv my understanding is that this story is blocking customer-rosner's migration so I think this story deserves a P2.

The plan it to bring this story to design review tomorrow. I expect it to be "Settled" but we won't have enough time to spec before estimation. Design review is right before estimation.

So, I think this means that we'll end up bringing this story through expedited drafting so that we can get it estimated before we kick off the next sprint.

What do y'all think?

[zayhanlon]

@noahtalerman yeah that makes sense. I didn't originally add the label because I thought the issue was going to be settled and pulled in through the normal process. Thank you

[lukeheath]

@noahtalerman Makes sense to me. 👍

[georgekarrv]

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @jahzielv

[noahtalerman]

From customer voice: Let's remember to put this one at the top of the next sprint so that we can try to get it out in 4.55.

cc @zayhanlon @georgekarrv

[georgekarrv]

P1.9 got it

[roperzh]

Escrow Buddy is an authorization plug-in. Authorization plugins must be:

• Packaged as a bundle
• Compiled as a dynamic library (e.g., -buildmode=c-shared in Go)
• Installed at /Library/Security/SecurityAgentPlugins

Ideally we could build the functionality into Orbit, but given these requirements, we still need to compile, distribute, and install a separate package even if we build something ourselves.

I think our options are:

1. Use Escrow Buddy via TUF
2. Explore and develop a solution that uses a different approach under the hood and can be integrated into Orbit

[lukeheath]

@roperzh I'm adding the release blocker label to this for 4.55 to make sure it makes sense. We'll hold the release if necessary, as this is becoming a blocker for multiple customers. Thanks for your hard work! Just let me know if you have concerns about getting it in.

[roperzh]

@lukeheath no concerns, thanks for the ping!

[PezHub]

QA Notes: Ran through two scenarios where the host would need to have their FV key rotated and escrowed and can confirm the new copy matches Figma, however I'm still getting prompted for a password on the host in order to reset the key.

Host details page copy change ✅

Device copy change ✅

Still seeing the Reset disk encryption key password prompt ❌

Scenario A Device was already enrolled in fleet but not encrypted. Moved it to a team with FV enforced

Scenario B Device was encrypted on a team with FV enforced. Turned encryption off for that team, then back on again.

*key rotation and escrow still works as expected once the user password is entered

cc: @roperzh

[roperzh]

@PezHub sorry I didn't get to add proper QA steps yet. Sanity check: are you using fleetctl from a local TUF? needs to be a local build from main

[PezHub]

started from scratch and confirmed I'm on latest mainplus I rebuilt fleetd from my local TUF (I see the Agent 42 now) but still getting the prompt. In fact now it has created a loop asking me for my password even after I enter it in and it says "successfully reset key". We can take a look at logs tomorrow.

[martinpannier]

Vincent on our team can help if needed as we implemented EscrowBuddy for all of our customers. Just in case!

[roperzh]

@martinpannier thank you! you folks are awesome 💚. This is already implemented and going out in the next release. Gabe just found a bug related to the old way we used to escrow keys.

---

@PezHub thank you! I have a PR going with the fix https://github.com/fleetdm/fleet/pull/20935 I will ping you when it's merged.

[roperzh]

@PezHub PR merged, moving this back to awaiting QA

[PezHub]

After the fix was applied I ran thru the same scenarios above and confirmed my FV key successfully rotated and was escrowed in Fleet without a prompt asking for user password. QA Approved!

[Patagonia121]

@noahtalerman just had a customer question on this, but will this feature work retroactively for users that are already enrolled?

[noahtalerman]

just had a customer question on this, but will this feature work retroactively for users that are already enrolled?

@Patagonia121 my understanding is yes.

@roperzh please correct me if I'm wrong.

[noahtalerman]

Hey @zayhanlon, @Patagonia121, @pintomi1989 and @dherder heads up that this customer/prospect request was shipped in 4.55 🎉

[fleet-release]

No nagging prompts, Keys rotate with seamless grace, Fleet's cloud city safe.