marcomc.macos_filevault2

FileVault2 Ansible Role for macOS

This Ansible role allows you to turn on FileVault2 on macOS (version 10.7 or newer) using the fdesetup command.

It is used in Splinter, a deployment tool for macOS.

Example Playbook

Here’s an example of how to use this role in an Ansible playbook:

- hosts: localhost
  vars:
    filevault_additional_users_and_passwords:
      - { username: "testuser", password: "test_password" }
    filevault_certificate: yes
    filevault_certificate_file: "/path/to/my/DER.cer"
    filevault_showrecoverykey: yes
    filevault_user_password: "user's password to activate FileVault"
  roles:
    - marcomc.macos_filevault2

filevault_user_password and the passwords in filevault_additional_users_and_passwords are secrets: keep them in Ansible Vault (or pass them at run time) rather than in a plaintext vars file checked into the repository.

Variables

The options for enabling FileVault2 are:

  • fdesetup enable
    • [-outputplist]
    • [-forcerestart]
    • [-authrestart]
    • [-keychain | [-certificate path_to_cer_file]]
    • Optional:
      • [-defer file_path]
      • [-forceatlogin max_cancel_attempts]
      • [-dontaskatlogout]
      • [-showrecoverykey]
      • [-norecoverykey]
      • [-verbose]

Each fdesetup option is exposed as a role variable of the same name (filevault_showrecoverykey, filevault_norecoverykey, and so on); the role adds a few variables of its own, such as where to save the personal recovery key.

Common Variables:

  • verbose: no
  • filevault_user: "{{ ansible_user_id }}"
  • filevault_user_password: "{{ ansible_become_pass }}"
  • filevault_additional_users_and_passwords: []
  • filevault_certificate: no
  • filevault_certificate_file: ""
  • filevault_norecoverykey: no
  • filevault_recovery_key_output_file: "~/Desktop/{{ ansible_hostname }}-personal-recovery-key.txt"

By default the personal recovery key is written to a text file on the user's Desktop. That file unlocks the disk: escrow the key somewhere safer (MDM escrow or a password manager) and delete the file once it is stored.

Using a Custom Input Plist

fdesetup enable -inputplist reads the enabling user's name and password, any additional users and the optional certificate from a property list on standard input, which keeps the passwords out of the process arguments that any local user can read with ps. You can supply your own input plist; if you don't, the role generates one from the variables above.
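
The following is an added example, not code from the role, showing how the variables above map onto the plist that fdesetup enable -inputplist reads and how the recovery key comes back through -outputplist. The plist keys Username, Password, AdditionalUsers and Certificate are the ones fdesetup documents; the function names (xml_escape, build_inputplist, enable_filevault), the temporary-file handling and the output path are our own choices.

```shell
#!/bin/sh
# Added example, not part of marcomc.macos_filevault2: build the input plist
# for `fdesetup enable -inputplist`, run it, and store the recovery key with an
# owner-only mode. Function names and the output path are our own choices.
set -eu

# Escape the XML special characters so a password such as 'p&ss<word' can
# neither break the plist nor inject extra keys into it.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# build_inputplist CERT_FILE_OR_EMPTY USER PASSWORD [USER PASSWORD]...
# Prints the plist fdesetup expects: Username/Password of the enabling user,
# an optional Certificate (base64 DER, for an institutional recovery key) and
# an optional AdditionalUsers array of further users to enable.
build_inputplist() {
    cert=$1; shift
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
    printf '  <key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
    shift 2
    if [ -n "$cert" ]; then
        # <data> holds base64; line breaks inside it are permitted.
        printf '  <key>Certificate</key>\n  <data>\n%s\n  </data>\n' "$(base64 < "$cert")"
    fi
    if [ $# -ge 2 ]; then
        printf '  <key>AdditionalUsers</key>\n  <array>\n'
        while [ $# -ge 2 ]; do
            printf '    <dict><key>Username</key><string>%s</string>' "$(xml_escape "$1")"
            printf '<key>Password</key><string>%s</string></dict>\n' "$(xml_escape "$2")"
            shift 2
        done
        printf '  </array>\n'
    fi
    printf '</dict>\n</plist>\n'
}

# enable_filevault OUTFILE CERT_FILE_OR_EMPTY USER PASSWORD [USER PASSWORD]...
# Feeds the plist to fdesetup on stdin (so no password appears in `ps`) and
# writes the RecoveryKey from its output plist to OUTFILE, mode 0600.
enable_filevault() {
    out=$1; shift
    umask 077                                  # every file created below is owner-only
    tmp=$(mktemp "${TMPDIR:-/tmp}/fdesetup.XXXXXX")
    build_inputplist "$@" | sudo fdesetup enable -inputplist -outputplist > "$tmp"
    /usr/libexec/PlistBuddy -c 'Print :RecoveryKey' "$tmp" > "$out"
    rm -f "$tmp"
    echo "personal recovery key saved to $out (mode 0600); escrow it and delete the file"
}

# Usage: sh fv_enable.sh ~/recovery-key.txt "" alice 'alice-password' bob 'bob-password'
# (pass a DER certificate path instead of "" to add an institutional recovery key)
if [ $# -ge 3 ]; then
    enable_filevault "$@"
fi
```

The escaping matters more than it looks: the plist is XML, so an unescaped password containing < or & either makes fdesetup reject the input or, worse, lets a crafted value add keys to the dictionary. Running fdesetup with -outputplist instead of -showrecoverykey keeps the key out of the terminal scrollback and lets you pick the file mode yourself.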

Setting an Institutional Recovery Key

You can either:

  • Deploy a pre-generated Keychain recovery key
  • Use a DER certificate to create a recovery key on-the-fly

Certificate Option

Set filevault_certificate: yes and point filevault_certificate_file at a DER-encoded certificate; fdesetup derives the institutional recovery key from it when FileVault is enabled. The certificate's common name must be "FileVault Recovery Key". Apple's security create-filevaultmaster-keychain command produces such a certificate inside a FileVaultMaster.keychain, or you can generate one with a script.

Keychain Option

With this option fdesetup reads the institutional recovery key from /Library/Keychains/FileVaultMaster.keychain. Deploy a copy of your FileVaultMaster.keychain that contains the certificate but not the private key: the certificate alone is enough to enrol the recovery key, and a keychain without the private key cannot unlock anything if it is copied off a client. Keep the original keychain, with the private key, offline.
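
Here, as an added example that is neither the role's code nor Apple's, is the admin-side procedure behind both the Certificate Option and the Keychain Option: create the institutional recovery key, export the DER certificate for filevault_certificate_file, build the certificate-only keychain for the clients, and check the certificate's common name before shipping either. The function names (check_irk_cert, make_irk) and the directory layout are our own; the security(1) subcommands are the ones macOS ships, and create-filevaultmaster-keychain and create-keychain each prompt for a keychain password.

```shell
#!/bin/sh
# Added example, not part of the role: create an institutional recovery key on
# an admin machine, export the DER certificate for filevault_certificate_file,
# build the private-key-free FileVaultMaster.keychain for the -keychain route,
# and check the certificate's CN before deploying either. Function names and
# paths are our own; the password prompts come from security(1).
set -eu

IRK_CN="FileVault Recovery Key"   # the CN fdesetup requires on the certificate

# check_irk_cert FILE.cer: succeed only if FILE is a DER certificate whose
# subject CN is "FileVault Recovery Key". Uses openssl, so it also works on a
# non-macOS build host (LibreSSL prints "CN=", OpenSSL 1.1/3 print "CN = ").
check_irk_cert() {
    subj=$(openssl x509 -inform DER -in "$1" -noout -subject 2>/dev/null) || return 1
    case "$subj" in
        *"CN=$IRK_CN"*|*"CN = $IRK_CN"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_irk DIR: writes DIR/FileVaultMaster.keychain (holds the private key;
# keep it offline), DIR/FileVaultMaster.cer (DER certificate to ship with the
# role) and DIR/deploy/FileVaultMaster.keychain (certificate only, to place in
# /Library/Keychains on the clients).
make_irk() {
    dir=$1
    umask 077                     # keychain, key and certificate files are owner-only
    mkdir -p "$dir/deploy"
    # Prompts for a password for the new master keychain; it protects the private key.
    security create-filevaultmaster-keychain "$dir/FileVaultMaster.keychain"
    # Export the certificate by its CN as PEM, then convert to the DER form fdesetup wants.
    security find-certificate -c "$IRK_CN" -p "$dir/FileVaultMaster.keychain" \
        | openssl x509 -inform PEM -outform DER -out "$dir/FileVaultMaster.cer"
    check_irk_cert "$dir/FileVaultMaster.cer" \
        || { echo "certificate CN is not '$IRK_CN'; fdesetup would reject it" >&2; return 1; }
    # Client-side keychain: the certificate only, so a stolen copy cannot unlock anything.
    security create-keychain "$dir/deploy/FileVaultMaster.keychain"   # prompts for a password
    security import "$dir/FileVaultMaster.cer" -k "$dir/deploy/FileVaultMaster.keychain"
    echo "ship $dir/FileVaultMaster.cer or $dir/deploy/FileVaultMaster.keychain;"
    echo "lock $dir/FileVaultMaster.keychain away"
}

# Usage: sh make_irk.sh /Volumes/OfflineKeys/filevault
if [ $# -eq 1 ]; then
    make_irk "$1"
fi
```

Run check_irk_cert in CI against whatever certificate the role is about to deploy: a certificate with the wrong CN fails silently at enable time on every client, and a PEM file handed to fdesetup in place of DER fails the same way.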

Unlocking a User's Startup Disk

If a user forgets their password, you can unlock their startup disk with the private key from the original FileVaultMaster.keychain (the copy you kept offline, not the certificate-only copy deployed to clients). Here's how:

  1. Start the Mac in macOS Recovery by holding Command-R at boot.
  2. Connect the external drive that holds the original FileVaultMaster.keychain.
  3. Open Terminal from the Utilities menu.
  4. Unlock the keychain (you will be prompted for its password):
    security unlock-keychain /path/to/FileVaultMaster.keychain
    
  5. Unlock the encrypted startup disk:
    • For APFS disks:
      diskutil ap unlockVolume "Name of the Encrypted Drive" -recoveryKeychain /path/to/FileVaultMaster.keychain
      
    • For HFS+ (Core Storage) disks, find the Logical Volume UUID first:
      diskutil cs list  # find the Logical Volume UUID
      diskutil cs unlockVolume {UUID} -recoveryKeychain /path/to/FileVaultMaster.keychain
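
The procedure above, as an added example that is not from the role or from Apple: a script to type into Terminal in Recovery that unlocks the master keychain and then chooses the APFS or Core Storage unlock command itself, looking up the Logical Volume UUID from diskutil cs list instead of leaving that to the reader. The function names are ours, and SAMPLE_CS_LIST is a constructed approximation of the real diskutil cs list layout used only for the self-test.

```shell
#!/bin/sh
# Added example, not from the role or Apple's documentation: typed into
# Terminal in macOS Recovery, it unlocks a startup volume with the original
# FileVaultMaster.keychain and picks the APFS or Core Storage command itself
# instead of asking you to look up a Logical Volume UUID by hand. Function
# names are ours; SAMPLE_CS_LIST is constructed and only approximates the real
# `diskutil cs list` layout, which the self-test below parses.
set -eu

# cs_lv_uuid NAME: read `diskutil cs list` text on stdin and print the UUID of
# the Logical Volume whose "LV Name" is NAME (nothing if there is none).
cs_lv_uuid() {
    awk -v want="$1" '
        # "+-> Logical Volume <UUID>" (not "...Volume Family" or "...Volume Group")
        /Logical Volume [0-9A-Fa-f-]+[ \t]*$/ { uuid = $NF }
        /LV Name:/ {
            sub(/.*LV Name:[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 == want) { print uuid; exit }
        }
    '
}

# unlock_startup_volume NAME KEYCHAIN: unlock the master keychain (prompts for
# its password), then the volume called NAME, via APFS or Core Storage.
unlock_startup_volume() {
    name=$1; kc=$2
    security unlock-keychain "$kc"
    if diskutil ap list 2>/dev/null | grep -q "Name:.*$name"; then
        diskutil ap unlockVolume "$name" -recoveryKeychain "$kc"
    else
        uuid=$(diskutil cs list | cs_lv_uuid "$name")
        if [ -z "$uuid" ]; then
            echo "no APFS or Core Storage volume named '$name'" >&2
            return 1
        fi
        diskutil cs unlockVolume "$uuid" -recoveryKeychain "$kc"
    fi
}

# Constructed sample of `diskutil cs list` output for the self-test.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0A1B2C3D-1111-2222-3333-444455556666
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 1D2E3F40-AAAA-BBBB-CCCC-DDDDEEEEFFFF
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 7777AAAA-0000-1111-2222-333344445555
        Encryption Status:       Locked
        |
        +-> Logical Volume 5D3C6ED0-9999-8888-7777-666655554444
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD'

# selftest: prints the UUID the parser finds for "Macintosh HD" in the sample.
selftest() {
    printf '%s\n' "$SAMPLE_CS_LIST" | cs_lv_uuid "Macintosh HD"
}

# Usage in Recovery: sh fv_unlock.sh "Macintosh HD" /Volumes/KEYS/FileVaultMaster.keychain
if [ $# -eq 2 ]; then
    unlock_startup_volume "$1" "$2"
fi
```

The parser keys on the "+-> Logical Volume <UUID>" line that precedes each "LV Name:" entry, which is why the Logical Volume Group and Logical Volume Family lines (whose identifiers are preceded by another word) are not matched; if your diskutil output differs, run the self-test against a saved copy before relying on it in Recovery.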
      

License

This project is licensed under the MIT License.

Author

Marco Massari Calderone (c) 2020 - marco@marcomc.com

Project information

Ansible role to configure FileVault2 on macOS. Also used in the Splinter provisioning tool.

Install

  ansible-galaxy install marcomc.macos_filevault2