Closed lukeheath closed 1 year ago
@noahtalerman Based on the conversation with @fx5 in Slack, it appears /var/db/ConfigurationProfiles/fdesetup.plist
is not a universal file, and the provided query will not work for many hosts. How would you like to handle this ticket?
Ok! Thanks for calling this out.
My understanding is that…
/var/db/.../fdesetup.plist
is sometimes the location for the FileVault key only if FileVault is turned on by MDM solution. This file is not present if the user turned on FileVault./var/db/.../fdesetup.plist
location is not used by all major MDM solution (SimpleMDM, Jamf, Kandji, JumpCloud) so we shouldn’t query this location for the key@sharvilshah and @fx5, is there a better location we could use?
The goal here is to be able to display the FileVault recovery key. I think it’s ok this requires that FileVault is turned on by a MDM solution.
cc @lukeheath
@noahtalerman as I understand it, this file location is probably only valid for the mdm solution/settings we are using.
this file location is probably only valid for the mdm solution/settings we are using.
I think the question is whether or not our MDM solution (the one we're building, not currently using), can extract the key and place it in the same location. I'm not sure who the best person to direct that question to is. @chiiph or @michalnicp do you have any insight here?
There may be a way to get the recovery key using mdm. According to Manage FileVault with mobile device management you can install a FDERecoveryKeyEscrow profile which will allow mdm to get the FDE_PersonalRecoveryKeyCMS field from the SecurityInfo command. There may be some additional work to decrypt it, but it should be possible. I don't know if this requires FileVault to be enabled by the user or via MDM.
If we go with this approach, I would strongly recommend against trying to save it back to a file on the device and using osquery to retrieve it again.
Michal: There may be a way to get the recovery key using mdm.
There is!
That said, a requirement for this issue was to get the key without using MDM. This way, both users who have MDM features turned on in Fleet and users who don't (some other MDM solution) can access the recovery key.
If there isn't a consistent location for the key, then we'll come back to using the MDM escrow functionality.
Frank: as I understand it, this file location is probably only valid for the mdm solution/settings we are using.
Got it. By MDM solution I assume you mean "SimpleMDM."
I ran the following query on all Mac hosts in dogfood, and I got the key for hosts using Fleet's MDM on dogfood and hosts using SimpleMDM:
SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';
@lukeheath can an engineer on the Interface team please test if there is a consistent location for the key? One possible way to do this is to see if the query returns the key for hosts using these MDM solutions: SimpleMDM, Jamf, Kandji, and JumpCloud. Maybe it makes sense to carve out a separate issue.
This way, we can confirm/deny that there is a consistent location for storing the FileVault recovery.
@noahtalerman
an an engineer on the Interface team please test if there is a consistent location for the key? One possible way to do this is to see if the query returns the key for hosts using these MDM solutions: SimpleMDM, Jamf, Kandji, and JumpCloud. Maybe it makes sense to carve out a separate issue.
No problem. I spec'd this as a separate research issue: #8746. It will take a bit of effort to install and test the various MDM solutions, so I'd like to estimate with the team so it can be allocated into the next release cycle.
I'd like to estimate with the team so it can be allocated into the next release cycle.
Makes sense. Thanks!
@mna Based on Mo's comment in #8746 we have approval to move forward with this ticket as spec'd.
Based on my research, we expect that SimpleMDM and Jamf can be configured to place the plist file in the filesystem, but Kandji and JumpCloud cannot.
We are most concerned with it working for our MDM solution, and any others will be a bonus.
@sharvilshah and @fx5, is there a better location we could use?
The goal here is to be able to display the FileVault recovery key. I think it’s ok this requires that FileVault is turned on by a > MDM solution.
@noahtalerman Not aware of any standard location per se, /Library/Application Support/...
could be a viable one as well.
There may be a way to get the recovery key using mdm. According to Manage FileVault with mobile device management you can install a FDERecoveryKeyEscrow profile which will allow mdm to get the FDE_PersonalRecoveryKeyCMS field from the SecurityInfo command. There may be some additional work to decrypt it, but it should be possible. I don't know if this requires FileVault to be enabled by the user or via MDM.
If we go with this approach, I would strongly recommend against trying to save it back to a file on the device and using osquery to retrieve it again.
Yep! Agree, and this will only work in the mdm-case (which is fine).
@mna Based on Mo's https://github.com/fleetdm/fleet/issues/8746#issuecomment-1318975417 in https://github.com/fleetdm/fleet/issues/8746 we have approval to move forward with this ticket as spec'd.
I think we are missing support for getting the recovery key when FileVault is enabled using Fleet MDM. It seems like we are assuming the recovery key can be found in /var/db/ConfigurationProfiles/fdesetup.plist
which is only the case if FileVault was enabled using SimpleMDM.
@noahtalerman @zhumo
@michalnicp Could Fleet MDM put the file in the same place?
@zhumo The method for getting the recovery key is described in https://github.com/fleetdm/fleet/issues/8708#issuecomment-1317573499. We could write it to a file on the host, but there may be security concerns and it would be additional (unecessary) work.
@michalnicp @zhumo it seems like we don't have a great understanding of how the /var/db/ConfigurationProfiles/fdesetup.plist
file gets created.
However, we do know that this file is being created by our dogfood MDM.
We also know when this file is created. The file is created if our dogfood MDM turns on FileVault. The file is not created if the end user turned on FileVault.
When I run this query in dogfood, I get my key (my host had FileVault turned on by dogfood):
SELECT * FROM file_lines WHERE path='/var/db/ConfigurationProfiles/fdesetup.plist';
Confirmed that /var/db/ConfigurationProfiles/fdesetup.plist
does get created. This location seems to be controlled by the OutputPath
in /Library/Preferences/com.apple.fdesetup.plist
which is created when deferred enablement is active.
See https://developer.apple.com/documentation/devicemanagement/fdefilevault for more info on the configuration profile to enable filevault.
@noahtalerman in regards to this:
Fleet admins, maintainers, and observers can see the disk encryption key for macOS hosts.
Is that valid across teams? Eg: I'm an admin on team "A" (not a global admin), can I read a host recovery key that belongs to team "B"?
edit: and also, if I belong to a team, can I read recovery keys from hosts without a team? ("global" hosts)
I'm an admin on team "A" (not a global admin), can I read a host recovery key that belongs to team "B"?
if I belong to a team, can I read recovery keys from hosts without a team?
@roperzh no to both. If I'm an admin (or maintainer or observer) on Team A I can only see information about hosts assigned to Team A.
I can't see recovery keys or any other info for hosts assigned to Team B.
I can't see recovery keys or any other info for hosts assigned to no team.
Create a dedicated API endpoint to retrieve the encryption key. Because this is an encryption key, we don't want to include it in the general details GET /host/{id} endpoint. Instead, we want to create a new endpoint at GET /host/{id}/encryption_key.
Why do we need a dedicated api endpoint? It sounds like we are planning to have the same permissions scheme for hosts as for the host encryption keys. If someone has permission to view a host, they also have permission to view the encryption key
Fleet admins, maintainers, and observers can see the disk encryption key for macOS hosts.
This also means the UI will need to make an extra api request.
@noahtalerman
@lukeheath updates from the "Disk encryption (FileVault) keys" call with Roberto and Mo:
@michalnicp
Why do we need a dedicated api endpoint? It sounds like we are planning to have the same permissions scheme for hosts as for the host encryption keys. If someone has permission to view a host, they also have permission to view the encryption key
This is because there is a requirement to record an activity item every time an encryption key is accessed.
@noahtalerman Got it. We have other MDM work to focus on, so I'll hold the frontend portion of this for now.
2022-12-8: Some option in UI to turn on FileVault with escrow. Creating a profile for the user the enables escrow when they select this option.
During the UX direction for MDM features (profiles + non-MDM settings + FileVault) call (2022-12-8), we decided that Fleet will use the SCEP cert + key for FileVault escrow.
We also decided to make FileVault a "clicky" option in the Fleet UI. Clicking something like "Turn on FileVault" in the UI will turn on FileVault with default settings (see below) and FileVault key escrow. This is covered by a separate issue here: #8961
This way, the user does not have to retrieve/generate a cert + key pair to escrow FileVault keys. Instead Fleet does this for the user.
Note that the user will generate and upload a profile with iMazing Profile Editor to modify macOS settings other than FileVault.
Here's a profile (XML) with the default FileVault settings:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Defer</key>
<true/>
<key>DeferForceAtUserLoginMaxBypassAttempts</key>
<integer>3</integer>
<key>Enable</key>
<string>On</string>
<key>PayloadDisplayName</key>
<string>FileVault 2</string>
<key>PayloadIdentifier</key>
<string>com.apple.MCX.FileVault2.6E3A4FD5-5E08-49A3-AAC2-524AF922AB71</string>
<key>PayloadType</key>
<string>com.apple.MCX.FileVault2</string>
<key>PayloadUUID</key>
<string>6E3A4FD5-5E08-49A3-AAC2-524AF922AB71</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ShowRecoveryKey</key>
<false/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>default-filevault</string>
<key>PayloadIdentifier</key>
<string>Noah-Talermans-MacBook-Pro.BEFAEF2E-5FFA-450D-873C-BF6EB1F14C12</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>BEFAEF2E-5FFA-450D-873C-BF6EB1F14C12</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
cc @zhumo @zwass @lukeheath @roperzh
@noahtalerman @lukeheath from the Configuration Profile Reference, under the "FDE Recovery Key Escrow Payload" payload description (emphasis mine):
If FileVault is enabled after this payload is installed on the system, the FileVault PRK will be encrypted with the specified certificate, wrapped with a CMS envelope and stored at /var/db/FileVaultPRK.dat. The encrypted data will be made available to the MDM server as part of the SecurityInfo command. Alternatively, if a site uses its own administration software, it can extract the PRK from the foregoing location at any time
I have verified that, if /var/db/FileVaultPRK.dat
doesn't exist, we don't get the encrypted key from the MDM SecurityInfo
command either.
So, we could keep the plan of getting the key from osquery which will allow us to move faster without having to worry about setting up mechanisms to ingest data from MDM (we'll probably eventually need to do this.)
Any thoughts?
@roperzh Thanks for noticing this! That is good news. I'm in favor of going back to retrieving the file with osquery. It solves one concern I had with the previous approach: storying the key in plaintext on the filesystem. Can we think of any cases where the key may not be updated?
Based on my testing, it gets updated as expected.
Note that we still need to install the file vault recovery escrow payload
Hey! We discussed this on slack a few days ago, but wanted to bring it here...
My understanding is that Roberto's research indicates that we would still need to implement the filevault escrow functionality. Since we're going to be implementing filevault escrow anyway, we should just use the established protocol rather than do it through osquery.
` is supported on 10.15+ only.
A haiku about this improvement:
Data secured safe and sound Fleet stores encryption key Peace of mind abounds
Problem
IT admins use the FileVault (disk encryption) feature to require that macOS hosts use a password to unlock the disk.
If a contributor leaves an organization, the IT admin may need to see the data on the host. However, the IT admin doesn't have access to the contributor's password.
Currently, IT admins use their MDM solution to retrieve the FileVault recovery key (disk encryption key) that they can use to unlock the host. If the IT admin doesn't have an MDM solution or their MDM solution doesn't store the key, this makes it nearly impossible for the IT admin to unlock the host.
Business Case
Most, if not all, MDM solutions support storing the disk encryption key.
Related
8709 (blocking)
Requirements
disk_encryption_key
(instead offilevault_key
). This is because Windows called its disk encryption feature BitLocker. While macOS calls it FileVault.Notes
The recovery key can be retrieved using the
SecurtyInfo
MDM command if File Vault Escrow is configured. There are three configuration profiles at play here:com.apple.security.FDERecoveryKeyEscrow
configures the escrowcom.apple.security.pkcs1
carries a certificate referenced by1
com.apple.MCX.FileVault2
enables file vaultImportant note:
com.apple.security.FDERecoveryKeyEscrow
needs to be installed before the disk is encrypted, otherwise you can't escrow the key. Some MDM solutions even send two different profiles, one with1
and2
above, and they only send3
after that is installed. Up to the developer to decide if we can send the three configs in a single profile.Recovery process
Configuration profile
First, send a configuration profile, here is a profile that enables FileVault and escrow at the same time (please look at the note above in regards to this)
enable-filevault-and-escrow.mobileconfig
fleet-mdm-apple-scep.key (private key)
A couple of notes:
a. There are no restrictions on the certificate/key pair as long as it's in PKCS#1 format, here I'm using the SCEP certificate generated by
fleetctl generate mdm-apple
b. If you want to use iMazing to generate your own profile instead of using this, you need to provide the certificate in DER format. c. Related tob
, iMazing sets the wrongPayloadType
for the certificate, you need to manually edit the file and set it tocom.apple.security.pkcs1
Escrow
Once the profile is installed and the disk has been encrypted, you can issue a
SecurityInfo
command, the response from the host contains a key namedFDE_PersonalRecoveryKeyCMS
.The content of
FDE_PersonalRecoveryKeyCMS
is a PKCS#7 envelope in DER format, base64 encrypted, so this is what I have done (I'm sure there's a better way, leaving this here just for reference)Design
UI
https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=10686%3A316128
Epic
8519
API
GET /hosts/{id}/encryption_key
:Tasks
1
2
3
GET /host/{id}
endpoint. Instead, we want to create a new endpoint atGET /host/{id}/encryption_key
.4
GET /host/{id}/encryption_key
endpoint is accessed, log as an activity item containing the user who accessed the key, and the host the key belongs to.5
6
docs/Using-Fleet/Permissions.md
).