Closed noahtalerman closed 1 year ago
Is it possible to retrieve the FileVault recovery key via osquery?
Discussion is here in Slack (internal): https://fleetdm.slack.com/archives/C03B7K2MSNS/p1667313678928669
UPDATE: It is possible (noahtalerman 2022-11-02)
The following query can be used to retrieve the recovery key:
SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';
Note that this query returns more than just the recovery key. It returns the entire contents of the fdesetup.plist file. We only need the recovery key.
Note that the file_lines table is included in the macadmins osquery extension. This means this table is included by default in Fleet Desktop.
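The query above returns every line of the plist, not just the key. As an added example (not Fleet's code or anything from this issue), the script below takes rows shaped like osquery's `file_lines` output, reassembles them into a plist, and pulls out a single value. The sample rows, the plist key name `RecoveryKey`, and the key value are constructed assumptions for illustration; the real file's layout is not shown on this page. It also masks the key for logging, since a recovery key should never land in plain-text logs or activity feeds.

```python
"""Added example: narrow file_lines output for fdesetup.plist to one value."""
import plistlib
import re
from typing import List, Optional, Tuple

# Constructed sample of (line, text) rows, as file_lines might return them.
# The key name "RecoveryKey" and its value are assumptions for this example.
SAMPLE_ROWS: List[Tuple[int, str]] = [
    (1, '<?xml version="1.0" encoding="UTF-8"?>'),
    (2, '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">'),
    (3, '<plist version="1.0">'),
    (4, '<dict>'),
    (5, '  <key>EnabledDate</key>'),
    (6, '  <date>2022-11-02T00:00:00Z</date>'),
    (7, '  <key>RecoveryKey</key>'),
    (8, '  <string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>'),
    (9, '</dict>'),
    (10, '</plist>'),
]

# Personal recovery keys are 24 alphanumerics in six hyphenated groups of four
# (assumed format; adjust if the deployment uses a different key shape).
_KEY_RE = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$")


def reassemble_plist(rows: List[Tuple[int, str]]) -> bytes:
    """Join file_lines rows back into the original file, ordered by line number."""
    ordered = sorted(rows, key=lambda r: r[0])
    return "\n".join(text for _, text in ordered).encode("utf-8")


def extract_recovery_key(rows: List[Tuple[int, str]],
                         key_name: str = "RecoveryKey") -> Optional[str]:
    """Return only the requested plist string value, or None if it is absent.

    Returning None (rather than the whole dict) keeps every other field in the
    plist out of whatever calls this.
    """
    data = plistlib.loads(reassemble_plist(rows))
    value = data.get(key_name) if isinstance(data, dict) else None
    return value if isinstance(value, str) else None


def looks_like_recovery_key(value: str) -> bool:
    """Cheap sanity check that a string has the expected recovery-key shape."""
    return bool(_KEY_RE.match(value))


def redact_key(value: str) -> str:
    """Mask all but the last group so the key can appear in logs safely."""
    groups = value.split("-")
    return "-".join(["*" * len(g) for g in groups[:-1]] + groups[-1:])


if __name__ == "__main__":
    key = extract_recovery_key(SAMPLE_ROWS)
    if key and looks_like_recovery_key(key):
        print("recovery key found:", redact_key(key))
    else:
        print("no recovery key in plist")
```

Note that nothing here tells you whether the value is current: as the later comments in this thread explain, the plist value is written when the disk is first encrypted and is not refreshed when the key is rotated, so a value extracted this way still has to be treated as possibly stale.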
@zwass I assigned you this issue. Can you please create the child issues for this epic?
Please let me know if you have any thoughts/concerns about the plan for this feature.
cc @michalnicp
Please let me know if you have any thoughts/concerns about the plan for this feature.
cc @GuillaumeRoss
@mike-j-thomas I moved the action buttons on the Host details page (Transfer, Query, and Delete) into an Actions dropdown. This way, as we add more actions, the page stays compatible with smaller screen widths. What do you think?
Before:
After:
With the Actions dropdown, what do you think about showing tooltips when the user hovers over disabled actions?
I cover these questions in more details in this Loom video: https://www.loom.com/share/084adda32f774e0b9862527a942c42b2
Noah: My understanding is that an Activation Lock Bypass Code is used by an IT admin, when wiping a device that has the Activation Lock feature enabled.
It's likely Fleet should disable Activation Lock by default for new macOS hosts that automatically enroll to Fleet. I think Fleet can do this through the enrollment profile.
For migration, if Activation Lock is enabled and the host is owned by the organization, it's likely we want to tell the IT admin to ask the device user to turn off Activation Lock: https://macadmins.slack.com/archives/C04QVP86E/p1664820734363249?thread_ts=1664818044.539729&cid=C04QVP86E
To do this, the user must sign out of the Find My feature.
The following notes are from the docs of another MDM solution: https://support.kandji.io/support/solutions/articles/72000558685-activation-lock
By default, user-based Activation Lock is not allowed on supervised devices.
If a user enabled user-based Activation Lock before enrollment, Activation Lock would remain enabled.
If the Mac has not been supervised by an MDM previously, a user-based Activation Lock bypass code will be generated by the Mac and retrieved by Kandji. However, this bypass code cannot be used retroactively to turn off the existing user-based Activation Lock previously initiated by the user when they turned on Find My Mac.
If the user turns off Find My Mac and later turns it back on, that is when the bypass code would be able to be used to turn off Activation Lock. For this reason, when migrating previously unmanaged devices into Kandji, if your users are currently signed in to Find My Mac, we recommend they turn it off before enrolling into Kandji.
If another MDM currently manages your Mac computers, we strongly encourage you to retrieve your activation lock bypass codes from your previous MDM solution before migration.
https://support.kandji.io/support/solutions/articles/72000560469-lock-device-and-erase-device
@zwass I unassigned you.
I think we want to require a new API route to retrieve the FileVault recovery key. This way, we can place different authentication and create an activity event for around viewing the recovery key. I'd like to bring this to product design review.
@lukeheath I assigned you this issue and moved it to the designed column.
This issue is a higher priority than any issue without the "!mdm" label.
@noahtalerman does this approach work on older mac versions?
Should work w/ macOS 10.15+
UPDATE: Updated the question below (noahtalerman)
@sharvilshah what's the quickest and most accurate way for me to test this query on older macOS versions? Is it likely that this query will work (return the same info) for older macOS versions?
SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';
@noahtalerman oh never mind...I see that it's in the requirements. Let's leave that, if the engineering team is comfortable with that requirement. No need for you to test it.
@noahtalerman This is in development, so I'm assigning the epic back to you.
@noahtalerman @lukeheath, @michalnicp found out that the value is set in fdesetup.plist only when you encrypt the disk for the first time; if you rotate your encryption key this value doesn't get updated. (I was able to confirm this.)
This means that we don't have any way to know if the key in fdesetup.plist is the current recovery key for the host.
There's a specific MDM command to rotate the key: RotateFileVaultKey.
Admins are compelled to rotate keys periodically because (from the docs again):
Resetting a device deploymentʼs FileVaultMaster.keychain password periodically through Master Password rotation helps mitigate the risk of compromising the security of the deployed devices
There are already two PRs for this feature, do we want to move forward knowing this?
The only safe alternative I have found is to get the key through MDM as suggested by Michal in the research issue.
@roperzh @michalnicp Thank you for identifying and communicating this issue!
This means that we don't have any way to know if the key in fdesetup.plist is the current recovery key for the host.
In my opinion, this means it is not a viable approach.
The only safe alternative I have found is to get the key through MDM as suggested by Michal in the research issue.
This seems to be the only approach that will guarantee the security and accuracy of the key retrieved. Ultimately it will be a product decision for @noahtalerman and @zhumo
Thanks for following up @roperzh! I was going to create an issue for it, but didn't have enough time last week.
A brisk wind blows Data safe and secure, no keys lost Peaceful clouds above
A safe secure path For admins to gain access To user machines fast
Problem
IT admins use the FileVault (disk encryption) feature to require that macOS hosts use a password to unlock the disk.
If a contributor leaves an organization, the IT admin may need to see the data on the host. However, the IT admin doesn't have access to the contributor's password.
Currently, IT admins use their MDM solution to retrieve the FileVault recovery key (disk encryption key) that they can use to unlock the host. If the IT admin doesn't have an MDM solution or their MDM solution doesn't store the key, this makes it nearly impossible for the IT admin to unlock the host.
Business Case
Most, if not all, MDM solutions support storing the disk encryption key.
Requirements
disk_encryption_key (instead of filevault_key). This is because Windows calls its disk encryption feature BitLocker, while macOS calls it FileVault.
Design
UI
https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=10686%3A316128
Related
8961
Child issues
8708 (backend)
8709 (frontend)