fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

FileVault: See disk encryption key #8519

Closed noahtalerman closed 1 year ago

noahtalerman commented 1 year ago

Problem

IT admins use the FileVault (disk encryption) feature to require that macOS hosts use a password to unlock the disk.

If a contributor leaves an organization, the IT admin may need to see the data on the host. However, the IT admin doesn't have access to the contributor's password.

Currently, IT admins use their MDM solution to retrieve the FileVault recovery key (disk encryption key) that they can use to unlock the host. If the IT admin doesn't have an MDM solution or their MDM solution doesn't store the key, this makes it nearly impossible for the IT admin to unlock the host.

Business Case

Most, if not all, MDM solutions support storing the disk encryption key.

Requirements

  1. Fleet admins, maintainers, and observers can see the disk encryption key for macOS hosts.
  2. The API naming supports adding the same info for Windows later (cross-platform).
    • Noah: I think this means that the name would be something like disk_encryption_key (instead of filevault_key). This is because Windows calls its disk encryption feature BitLocker, while macOS calls it FileVault.
  3. Event is tracked in the activity feed when a user looks at the key
  4. Document how to log in to a host with the key (recovery instructions). The UI should link to these docs.
  5. Document that Fleet stores the key
  6. Update the fleetdm.com/transparency page to document that Fleet stores the key
  7. Should work w/ macOS 10.15+

Design

UI

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=10686%3A316128

Related

Child issues

noahtalerman commented 1 year ago

Is it possible to retrieve the FileVault recovery key via osquery?

Discussion is here in Slack (internal): https://fleetdm.slack.com/archives/C03B7K2MSNS/p1667313678928669

UPDATE: It is possible (noahtalerman 2022-11-02)

The following query can be used to retrieve the recovery key:

SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';

Note that this query returns more than just the recovery key. It returns the entire contents of the fdesetup.plist file. We only need the recovery key.

Note that the file_lines table is included in the macadmins osquery extension. This means this table is included by default in Fleet Desktop.

noahtalerman commented 1 year ago

@zwass I assigned you this issue. Can you please create the child issues for this epic?

Please let me know if you have any thoughts/concerns about the plan for this feature.

cc @michalnicp

noahtalerman commented 1 year ago

Please let me know if you have any thoughts/concerns about the plan for this feature.

cc @GuillaumeRoss

noahtalerman commented 1 year ago

@mike-j-thomas I moved the action buttons on the Host details page (Transfer, Query, and Delete) into an Actions dropdown. This way, as we add more actions, the page stays compatible with smaller screen widths. What do you think?

Before: [screenshot: Screen Shot 2022-11-03 at 4 52 08 PM]

After: [screenshot: Screen Shot 2022-11-03 at 4 52 29 PM]

With the Actions dropdown, what do you think about showing tooltips when the user hovers over disabled actions?

I cover these questions in more detail in this Loom video: https://www.loom.com/share/084adda32f774e0b9862527a942c42b2

noahtalerman commented 1 year ago

Research on other secrets for macOS hosts

Activation Lock Bypass Code

Noah: My understanding is that an Activation Lock Bypass Code is used by an IT admin, when wiping a device that has the Activation Lock feature enabled.

It's likely Fleet should disable Activation Lock by default for new macOS hosts that automatically enroll to Fleet. I think Fleet can do this through the enrollment profile.

For migration, if Activation Lock is enabled and the host is owned by the organization, it's likely we want to tell the IT admin to ask the device user to turn off Activation Lock: https://macadmins.slack.com/archives/C04QVP86E/p1664820734363249?thread_ts=1664818044.539729&cid=C04QVP86E

To do this, the user must sign out of the Find My feature.

The following notes are from the docs of another MDM solution: https://support.kandji.io/support/solutions/articles/72000558685-activation-lock

By default, user-based Activation Lock is not allowed on supervised devices.

If a user enabled user-based Activation Lock before enrollment, Activation Lock would remain enabled.

If the Mac has not been supervised by an MDM previously, a user-based Activation Lock bypass code will be generated by the Mac and retrieved by Kandji. However, this bypass code cannot be used retroactively to turn off the existing user-based Activation Lock previously initiated by the user when they turned on Find My Mac.

If the user turns off Find My Mac and later turns it back on, that is when the bypass code would be able to be used to turn off Activation Lock. For this reason, when migrating previously unmanaged devices into Kandji, if your users are currently signed in to Find My Mac, we recommend they turn it off before enrolling into Kandji.

If another MDM currently manages your Mac computers, we strongly encourage you to retrieve your activation lock bypass codes from your previous MDM solution before migration.

Unlock pin

https://support.apple.com/guide/deployment/lock-and-locate-devices-depb980a0be4/web#:~:text=Lock%20a%20Mac%3A%20Mobile%20device,and%20validated%20by%20the%20Mac.

https://support.kandji.io/support/solutions/articles/72000560469-lock-device-and-erase-device

noahtalerman commented 1 year ago

@zwass I unassigned you.

I think we want to require a new API route to retrieve the FileVault recovery key. This way, we can place different authentication on it and create an activity event around viewing the recovery key. I'd like to bring this to product design review.

noahtalerman commented 1 year ago

@lukeheath I assigned you this issue and moved it to the designed column.

This issue is a higher priority than any issue without the "!mdm" label.

zhumo commented 1 year ago

@noahtalerman does this approach work on older mac versions?

noahtalerman commented 1 year ago

Should work w/ macOS 10.15+

UPDATE: Updated the question below (noahtalerman)

@sharvilshah what's the quickest and most accurate way for me to test this query on older macOS versions? Is it likely that this query will work (return the same info) for older macOS versions?

SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';

zhumo commented 1 year ago

@noahtalerman oh never mind...I see that it's in the requirements. Let's leave that, if the engineering team is comfortable with that requirement. No need for you to test it.

lukeheath commented 1 year ago

@noahtalerman This is in development, so I'm assigning the epic back to you.

roperzh commented 1 year ago

@noahtalerman @lukeheath, @michalnicp found out that the value is set in fdesetup.plist only when you encrypt the disk for the first time; if you rotate your encryption key, this value doesn't get updated. (I was able to confirm this.)

This means that we don't have any way to know if the key in fdesetup.plist is the current recovery key for the host.

There's a specific MDM command to rotate the key: RotateFileVaultKey.

Admins are compelled to rotate keys periodically because (from the docs again):

Resetting a device deploymentʼs FileVaultMaster.keychain password periodically through Master Password rotation helps mitigate the risk of compromising the security of the deployed devices

There are already two PRs for this feature, do we want to move forward knowing this?

The only safe alternative I have found is to get the key through MDM as suggested by Michal in the research issue.
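The two points above (the file_lines query returns the whole fdesetup.plist, of which only the recovery key is wanted; and the plist is written only at first encryption, so its value cannot be trusted as current) can be shown together in code. This is an added example, not Fleet's code: it assumes file_lines rows carry a `line` column, that the plist uses the keys `RecoveryKey` and `EnabledDate`, and uses a constructed sample plist.

```python
import plistlib
from typing import Optional

PLIST_PATH = "/var/db/ConfigurationProfiles/fdesetup.plist"

# Constructed sample of the rows returned by
#   SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';
# One row per line of the file. The key names (RecoveryKey, EnabledDate) and the
# recovery key value are assumptions/placeholders, not taken from the issue.
SAMPLE_ROWS = [
    {"path": PLIST_PATH, "line": '<?xml version="1.0" encoding="UTF-8"?>'},
    {"path": PLIST_PATH, "line": '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'},
    {"path": PLIST_PATH, "line": '<plist version="1.0">'},
    {"path": PLIST_PATH, "line": "<dict>"},
    {"path": PLIST_PATH, "line": "    <key>EnabledDate</key>"},
    {"path": PLIST_PATH, "line": "    <string>2022-11-02 10:15:00 +0000</string>"},
    {"path": PLIST_PATH, "line": "    <key>RecoveryKey</key>"},
    {"path": PLIST_PATH, "line": "    <string>AAAA-BBBB-CCCC-DDDD-EEEE-FFFF</string>"},
    {"path": PLIST_PATH, "line": "</dict>"},
    {"path": PLIST_PATH, "line": "</plist>"},
]


def extract_recovery_key(rows: list) -> Optional[dict]:
    """Reassemble the file_lines rows into the plist and return only the
    recovery key, explicitly marked as unverified because fdesetup.plist is not
    rewritten when the key is rotated (e.g. via the RotateFileVaultKey MDM
    command). Returns None if the file holds no key."""
    text = "\n".join(row["line"] for row in rows)
    data = plistlib.loads(text.encode("utf-8"))
    key = data.get("RecoveryKey")
    if not key:
        return None
    return {
        "recovery_key": key,
        "enabled_date": data.get("EnabledDate"),
        # Only proves what the key was at first encryption, not what it is now.
        "verified_current": False,
    }


def redact_for_activity_log(key: str) -> str:
    """Activity-feed entry for 'user viewed the key' should identify the key
    without storing it: keep only the last group of the key."""
    groups = key.split("-")
    return "-".join(["****"] * (len(groups) - 1) + [groups[-1]])
```

A caller that needs a key it can trust should fall back to the MDM path rather than treating the unverified value as current.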

lukeheath commented 1 year ago

@roperzh @michalnicp Thank you for identifying and communicating this issue!

This means that we don't have any way to know if the key in fdesetup.plist is the current recovery key for the host.

In my opinion, this means it is not a viable approach.

The only safe alternative I have found is to get the key through MDM as suggested by Michal in the research issue.

This seems to be the only approach that will guarantee the security and accuracy of the key retrieved. Ultimately it will be a product decision for @noahtalerman and @zhumo

michalnicp commented 1 year ago

Thanks for following up @roperzh! I was going to create an issue for it, but didn't have enough time last week.

fleet-release commented 1 year ago

A brisk wind blows
Data safe and secure, no keys lost
Peaceful clouds above

fleet-release commented 1 year ago

A safe secure path
For admins to gain access
To user machines fast