homebysix / jss-filevault-reissue

A framework for re-escrowing missing or invalid FileVault keys with Jamf Pro.
Apache License 2.0
186 stars, 56 forks

A request for automation rather than an issue - populate an admin password #15

Closed. edcoolest closed this issue 6 years ago.

edcoolest commented 6 years ago

I am using the mentioned script in Self Service, where it's working perfectly (thank you for publishing and sharing the script), yet I wish to know whether there is a way to automate the process? Is there a way to populate an admin pass to re-issue the recovery key, the same as we did for older OSes:

    expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal
    expect \"Enter a password for '/', or the recovery key:\"
    send \"AdminPass\"
    send \r
    log_user 1
    expect eof
    " >> /dev/null

homebysix commented 6 years ago

Hi @edcoolest - I've got two answers, and hopefully at least one of them is helpful:

First, there's definitely more automation possible with regard to displaying the password prompt to the end user. Although I prefer putting it in Self Service, one could easily just trigger it at the next recurring check-in, which would present the password prompt without the need for going to Self Service. I wouldn't do that myself, though, because I don't want to train people to enter their password into unexpected prompts.

Second, yes — if you know the password for an existing FileVault-authorized user, you can leverage that password to reissue the key automatically and invisibly. I personally wouldn't use expect to do this. Instead, I would do fdesetup changerecovery -norecoverykey -verbose -personal -inputplist << EOF followed by an inline plist that contains the necessary credentials, followed by EOF.

Of course, if you do create such a script, be careful where you store it and how you pass credentials into it. If an interested party were to obtain your management or admin password from a loosely-secured script, the possible issues could be more serious than a missing FV recovery key.
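As an added example (not code from the project or from either commenter), here is a Jamf policy script that implements the -inputplist approach described in the reply above. It assumes the FileVault-enabled account's username and password arrive as Jamf script parameters $4 and $5, so no credential is stored in the script body, and it XML-escapes both values so a password containing &, <, >, " or ' cannot break the plist.

```shell
#!/bin/bash
# Added example: rotate the FileVault personal recovery key non-interactively
# by feeding a known FileVault-enabled admin's credentials to fdesetup over
# stdin (-inputplist), as suggested in the issue thread above.
# Assumption: Jamf passes the username as $4 and the password as $5.

# Escape the five XML special characters so the plist stays well-formed
# (and is not misparsed) no matter what the password contains.
# '&' must be handled first so later replacements are not re-escaped.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&apos;/g"
}

# Build the plist that 'fdesetup changerecovery -personal -inputplist' reads.
build_input_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Pipe the plist over stdin so the password never appears on a command line
# (and thus in 'ps' output). -norecoverykey keeps the new key out of the
# policy log; the MDM escrow profile reports it to Jamf Pro instead.
reissue_key() {
    build_input_plist "$1" "$2" | /usr/bin/fdesetup changerecovery \
        -norecoverykey -verbose -personal -inputplist
}

# Only act when Jamf supplied both parameters.
if [ -n "$4" ] && [ -n "$5" ]; then
    reissue_key "$4" "$5"
fi
```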