Shawn,

Can you answer a very simple question? Suppose I have a smart card, and I want to create a FileVault image using my smart card as the credentials.
I want to put the FileVault image on a thumb drive so I can encrypt data on the thumb drive.

Is there a way to create such a FileVault disk image? (assuming my smart card can be used for data encryption as a minimum)

Paul Nelson
Thursby Software Systems, Inc.


On Jan 21, 2011, at 3:41 PM, Shawn Geddis wrote:

On Jan 19, 2011, at 2:26 PM, Henry B. Hotz wrote:
Is there a similar command which can be used to substitute a cert for the Master Password?

Seems silly to protect a single user that way if you can still use a plain old password as a go-around.

Henry,

I want to be sure I did not lose the intent of the original question, so please correct me if I misstate it in any way -- I will correct it then!

Folks who want all of the in-depth discussion of FileVault, the encrypted storage and usage of keys should take a look at my whitepaper:  

and a related whitepaper...

Best Practices for Data Protection


As a short description here.... with a longer one in the FV document noted above...

I believe the reference to a "Master Password" is a bit misleading for IT folks when discussing FileVault. An Encrypted Container / Logical Volume (a.k.a. Encrypted Disk Image) storing and protecting a User's Home Directory can be accessed by either of two paths: a) successful entry of User Credentials; or b) having the FileVault Master Identity (Self-Signed Certificate & corresponding Private Key). The "Master Password" is a simplified method for 'joe/jane user' on their own to access the FileVault Master Identity when s/he is managing the complete system.

Methods of accessing Encrypted Container:

a) User Login
   1) Entry of Username/Password at Login
      PW -> PBKDF2: Password Based Key Derivation
      Derived Key (Symmetric Key) is used to unwrap Data Key (Symmetric Key - AES-128)
      Data Key is used to encrypt/decrypt the blocks of the logical volume

b) FileVault Master
   2) Escrow of the FV Identity is usually done by IT
      Best Practice: ONLY the Public Cert remains in the FileVaultMaster.keychain
      IT makes the escrowed Private Key (or simply the escrowed keychain) available during recovery
      IT unlocks access to Container and resets User Access Credential or extracts data of interest.

User Keychains can be protected by:

a) Password-based PBKDF2 Key generated from password used for Keychain
   User's Default keychain for an account is created using Password used for account at creation time.

b) Smart Card-based Key obtained from Smart Card defined when using "systemkeychain -T token-protected-keychain-name"



-Shawn
__________________________________________________
Shawn Geddis       geddis@me.com
Security Consulting Engineer                              geddis@apple.com
__________________________________________________
MacOSForge Project Lead:                           Smart Card Services
__________________________________________________


11921 Freedom Drive, Suite 600, Reston VA  20190-5634

On Oct 13, 2010, at 1:37 PM, Shawn A. Geddis wrote:
Your most appropriate protection of the User's Login Keychain is to protect it with the Smart Card and not the PIN.  

How do you do that?

$ sudo systemkeychain -T /Volumes/<user>/Library/keychains/login.keychain


I notice this does not appear in the man page for systemkeychain (i.e. 'man systemkeychain'), but it does appear in the 'usage' for systemkeychain ('$ systemkeychain') -- so many of you may never have known this. It has been around for quite some time and I know I have conveyed it in many different forums, but there are many new people on these lists who may benefit from this.

$ systemkeychain
Usage: systemkeychain -C [passphrase]  # (re)create system root keychain
       systemkeychain [-k destination-keychain] -s source-keychain ...
       systemkeychain -T token-protected-keychain-name


-Shawn
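The two access paths Shawn describes (a user password run through PBKDF2, or the escrowed FileVault Master identity, each unwrapping the one AES-128 Data Key that actually encrypts the volume blocks) are modelled below in an added shell example using the openssl CLI. It is not Apple's code and not FileVault's on-disk format: the directory layout, the file names (dk.pw, dk.master, vol.enc, vol.iv), the 100000 PBKDF2 iteration count, the self-signed "FileVault Master" certificate and the sample payload are all assumptions for the demo. It also walks through the IT recovery step from the thread: unwrap the Data Key with the escrowed private key and rewrap it under a new user password, leaving the encrypted volume itself untouched.

```shell
#!/bin/sh
# Two-path access to an encrypted container (hypothetical model, openssl CLI
# standing in for the Security framework): one random AES-128 Data Key encrypts
# the volume; it is wrapped once under a PBKDF2-derived key (user password) and
# once to the FileVault Master public key (whose private key IT escrows).

ITER=100000   # PBKDF2 iteration count; an assumed value for the demo

# fv_demo_setup PASSWORD -> creates a working directory and prints its path
fv_demo_setup() {
    dir=$(mktemp -d)
    # Data Key: the symmetric key that really protects the volume blocks
    openssl rand -hex 16 > "$dir/dk.hex"
    iv=$(openssl rand -hex 16)
    printf '%s' "$iv" > "$dir/vol.iv"
    # The "volume": a constructed sample payload encrypted under the Data Key
    printf 'secret payroll data' |
        openssl enc -aes-128-cbc -K "$(cat "$dir/dk.hex")" -iv "$iv" -out "$dir/vol.enc"
    # Path (a): wrap the Data Key under the password-derived (PBKDF2) key
    openssl enc -aes-128-cbc -pbkdf2 -iter "$ITER" -pass "pass:$1" \
        -in "$dir/dk.hex" -out "$dir/dk.pw"
    # Path (b): FileVault Master identity. Only the public cert would stay on the
    # client (FileVaultMaster.keychain); the private key is escrowed by IT.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=FileVault Master' \
        -keyout "$dir/master.key" -out "$dir/master.crt" 2>/dev/null
    openssl x509 -in "$dir/master.crt" -pubkey -noout > "$dir/master.pub"
    openssl pkeyutl -encrypt -pubin -inkey "$dir/master.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$dir/dk.hex" -out "$dir/dk.master"
    rm "$dir/dk.hex"   # the plaintext Data Key never stays on disk
    echo "$dir"
}

# CBC wrapping carries no integrity tag: a wrong password usually fails the
# padding check, but we also insist the result looks like a 128-bit hex key.
_fv_check_key() {
    case "$1" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ ${#1} -eq 32 ] || return 1
    echo "$1"
}

# fv_unwrap_with_password DIR PASSWORD -> prints the Data Key, fails on a bad password
fv_unwrap_with_password() {
    k=$(openssl enc -d -aes-128-cbc -pbkdf2 -iter "$ITER" -pass "pass:$2" \
            -in "$1/dk.pw" 2>/dev/null) || return 1
    _fv_check_key "$k"
}

# fv_unwrap_with_master DIR -> IT recovery path using the escrowed private key
fv_unwrap_with_master() {
    k=$(openssl pkeyutl -decrypt -inkey "$1/master.key" \
            -pkeyopt rsa_padding_mode:oaep -in "$1/dk.master" 2>/dev/null) || return 1
    _fv_check_key "$k"
}

# fv_reset_user_password DIR NEWPASSWORD -> rewraps the same Data Key under a
# new password via the master identity. The volume is never re-encrypted.
fv_reset_user_password() {
    k=$(fv_unwrap_with_master "$1") || return 1
    printf '%s\n' "$k" |
        openssl enc -aes-128-cbc -pbkdf2 -iter "$ITER" -pass "pass:$2" -out "$1/dk.pw"
}

# fv_read_volume DIR DATAKEYHEX -> decrypts the volume contents
fv_read_volume() {
    openssl enc -d -aes-128-cbc -K "$2" -iv "$(cat "$1/vol.iv")" -in "$1/vol.enc"
}

# fv_demo -> runs the whole flow: user path, IT path, rejected password, reset
fv_demo() {
    d=$(fv_demo_setup 'correct horse battery')
    echo "user path  : $(fv_unwrap_with_password "$d" 'correct horse battery')"
    echo "IT path    : $(fv_unwrap_with_master "$d")"
    fv_unwrap_with_password "$d" 'wrong password' >/dev/null 2>&1 &&
        echo "BUG: wrong password accepted"
    fv_reset_user_password "$d" 'new password set by IT'
    echo "after reset: $(fv_read_volume "$d" \
        "$(fv_unwrap_with_password "$d" 'new password set by IT')")"
    rm -rf "$d"
}
```

Source the file and run fv_demo, or call fv_demo_setup and the unwrap functions directly. The point to take from it is the one in the thread: both credentials unwrap the same Data Key, so IT can reset the user credential (rewrap) without ever re-encrypting the container, and a keychain or disk image protected only by a password is only as strong as the PBKDF2 path. openssl enc's CBC mode is not an authenticated wrap, which is why the example checks the unwrapped value; a real container should use AES Key Wrap or an AEAD for the wrapping step.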

_______________________________________________
Fed-talk mailing list      (Fed-talk@lists.apple.com)