macadmins / escrow-buddy

A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.
Apache License 2.0
199 stars 11 forks

Add documentation specifying what confidential items Escrow Buddy is able to access #6

Closed pboushy closed 8 months ago

pboushy commented 10 months ago

Summary

Escrow Buddy interacts during user login and appears to have access to the password and maybe the recovery key, but it's unclear. Please document what confidential items it is able to access.

Additional Context

Many companies consider passwords to be confidential, and the FileVault recovery key a high-confidentiality item due to its being able to unlock the disk of an encrypted device.

It's unclear if Escrow Buddy has access to the user's password and recovery key during the process.

Can something be added to the documentation (README? Wiki) about the items Escrow Buddy can access? And any other security items you feel are pertinent.

p.s. I'm glad to detail out an answer and put it in the wiki if someone can just provide the basic answers of what it can access.

homebysix commented 8 months ago

Hi @pboushy - Thanks for your interest! Escrow Buddy is a macOS authorization plugin, and all authorization plugins have the capability to access certain data within the authorization "environment." Some of these are documented here.

To validate which ones Escrow Buddy accesses, it's best to refer to the code directly. Looking in EBMechanism.swift at line 79, you can see where we request the username from the auth environment, and line 93 is where we request the password. Looking in Invoke.swift at line 111, this is where the username and password are put into a dictionary which is then passed (line 159) as input into fdesetup, the binary within macOS that facilitates FileVault key regeneration. Neither the username nor password is used or stored outside of that fdesetup interaction.

Escrow Buddy does not need or seek access to the recovery key itself; that key is stored by fdesetup and retrieved during the response to the MDM SecurityInfo command, as mentioned here.

My question to you would be: how much of the above detail do you think is necessary to spell out in the readme or wiki, versus letting security-minded parties refer to the source code where it's actually implemented? I'd be happy to add a bit more detail, but not so much as to dissuade people from reading and understanding the code themselves.

pboushy commented 8 months ago

Hey Elliott,

I'd be happy to add a bit more detail, but not so much as to dissuade people from reading and understanding the code themselves.

You provided all the details I was looking for, but your point makes a lot of sense.

My question to you would be: how much of the above detail do you think is necessary to spell out in the readme or wiki, versus letting security-minded parties refer to the source code where it's actually implemented?

How about adding a Security section to the wiki's FAQ, with these three items under it:

Does Escrow Buddy access the FileVault Recovery Key? No, Escrow Buddy does not need or seek access to the recovery key itself; that key is stored by fdesetup and retrieved during the response to the MDM SecurityInfo command, as mentioned here.

Does Escrow Buddy store the user's password? Escrow Buddy is a macOS authorization plugin, and all authorization plugins have the capability to access certain data within the authorization "environment." Some of these are documented in Apple's Authorization Name Tags documentation. To validate the values that Escrow Buddy accesses, you/your company should review the code in this repo. (Hint: look for the constants listed in Apple's Authorization Name Tags documentation and how they're used)

Is Escrow Buddy signed and notarized? The PKG published on the releases page is signed and notarized.
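The FAQ answer above tells reviewers to look for Apple's authorization environment tag constants in the source and see how they are used. As an added example (not code from Escrow Buddy, the wiki, or anyone in this thread), the POSIX shell script below does the first half of that audit mechanically: it greps a source tree for the environment tags declared in Apple's AuthorizationTags.h (kAuthorizationEnvironmentUsername, kAuthorizationEnvironmentPassword, kAuthorizationEnvironmentShared, kAuthorizationEnvironmentPrompt, kAuthorizationEnvironmentIcon) and prints each tag with the file and line that references it. Run with no argument it builds a small constructed sample tree so it works offline; the function names and the sample files are this example's own assumptions, not anything from the project.

```shell
#!/bin/sh
# Added example, not Escrow Buddy code: list where a Swift/ObjC authorization
# plugin source tree references the authorization environment tags from
# Apple's AuthorizationTags.h. This only finds the references; the reviewer
# still has to read how each value flows afterwards (e.g. into fdesetup).
set -eu

# Environment tag constants as named in AuthorizationTags.h.
AUTH_ENV_TAGS="kAuthorizationEnvironmentUsername kAuthorizationEnvironmentPassword kAuthorizationEnvironmentShared kAuthorizationEnvironmentPrompt kAuthorizationEnvironmentIcon"

# Print "tag path:lineno" for every reference to an environment tag under $1.
# Tags with no references in the tree produce no output.
audit_auth_env() {
    dir="$1"
    for tag in $AUTH_ENV_TAGS; do
        grep -rn --include='*.swift' --include='*.m' --include='*.h' -F "$tag" "$dir" 2>/dev/null \
          | while IFS= read -r line; do
                # grep output is "path:lineno:content"; keep only path:lineno.
                printf '%s %s\n' "$tag" "$(printf '%s' "$line" | cut -d: -f1,2)"
            done
    done
}

# Summarise which tags are referenced at all, one per line, sorted.
tags_used() {
    audit_auth_env "$1" | cut -d' ' -f1 | sort -u
}

# Constructed sample tree (hypothetical file names and calls) so the script
# can be exercised without cloning anything.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/Sources"
    cat > "$dir/Sources/Mechanism.swift" <<'EOF'
// constructed sample, not the real plugin code
let user = contextString(kAuthorizationEnvironmentUsername)
let pass = contextString(kAuthorizationEnvironmentPassword)
EOF
    cat > "$dir/Sources/Other.swift" <<'EOF'
// no authorization environment access in this file
func unrelated() {}
EOF
}

if [ "${1:-}" != "" ]; then
    # Usage: sh audit.sh /path/to/cloned/plugin/source
    audit_auth_env "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_auth_env "$tmp"
    rm -rf "$tmp"
fi
```

Point it at a clone of the repository to get the file:line list; the thread's statement that username and password go only into the fdesetup call is the part a grep cannot confirm, so follow each reported reference to where the value is consumed.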

homebysix commented 8 months ago

That looks like a good start - feel free to add to the FAQ wiki page. 👍

pboushy commented 8 months ago

I've added the content to the wiki and confirmed all the links work.