Skip to content

Crypt after OS Updates and Upgrades

Rick Heil edited this page Oct 23, 2018 · 10 revisions

Updates and upgrades to macOS commonly remove Crypt from authorizationdb. This could lead to unexpected situations, such as the machine not being encrypted on first login, or Crypt loosing the ability to force FV2.

For Crypt to function, the following lines must be included in authorizationdb:

<string>Crypt:Check,privileged</string>
<string>Crypt:CryptGUI</string>
<string>Crypt:Enablement,privileged</string>

Presence of these lines can be confirmed via

/usr/bin/security authorizationdb read system.login.console

This can be managed via a configuration management tool (Puppet, Salt, ect), or via the following Munki checkinstall script, which will force a reinstall of Crypt if the authorizationdb entries are absent. If you are using AutoPkg, use the Crypt2 recipe from Graham's repo which includes this script already. If you are importing manually, be sure to update %version% in the script below to a string with the version of Crypt2 you are deploying with that pkginfo.

#!/usr/bin/python

'''This installcheck script template evaluates the installed version
of Crypt as well as if Crypt is included properly in the authdb.'''

from subprocess import check_output
from distutils.version import StrictVersion
import plistlib
import os

def get_mechs():
    '''returns a list of all current authdb mechs'''
    cmd = ["/usr/bin/security", "authorizationdb", "read", "system.login.console"]
    cur_mech_plist = plistlib.readPlistFromString(check_output(cmd))
    mechs_only = cur_mech_plist['mechanisms']
    return mechs_only

def get_crypt_vers():
    '''returns the installed version of the Crypt bundle'''
    plist = plistlib.readPlist("/Library/Security/SecurityAgentPlugins/Crypt.bundle/Contents/Info.plist")
    return plist["CFBundleShortVersionString"]

def main():
    '''Checks if Crypt is properly installed and up to date. Note that the version var
    below is auto-substituted by AutoPkg - if you are adding this installcheck manually,
    be sure to insert the proper version number.'''

    pkg_vers = %version%

    install_items = ['/Library/Security/SecurityAgentPlugins/Crypt.bundle',
                     '/Library/LaunchDaemons/com.grahamgilbert.crypt.plist',
                     '/Library/Crypt/checkin',
                     '/Library/Security/SecurityAgentPlugins/Crypt.bundle']
    for item in install_items:
        if not os.path.exists(item):
            # we are missing a needed file - Crypt is damaged or not installed
            exit(0)

    # check if Crypt is up to date
    installed_vers = get_crypt_vers()
    if StrictVersion(installed_vers) < StrictVersion(pkg_vers):
        # we are out of date compared to the pkg version
        exit(0)

    mechs = ['Crypt:Check,privileged', 'Crypt:CryptGUI', 'Crypt:Enablement,privileged']
    current_mechs = get_mechs()
    for crypt_mech in mechs:
        if not crypt_mech in current_mechs:
            # mechs are not in place
            exit(0)

    # all mechs in place and version is up to date
    exit(1)

if __name__ == "__main__":
    main()
Clone this wiki locally