
Crypt after OS Updates and Upgrades

Wesley Whetstone edited this page Aug 6, 2018 · 10 revisions

Updates and upgrades to macOS commonly remove Crypt's entries from authorizationdb. This can lead to unexpected situations, such as the machine not being encrypted on first login, or Crypt losing the ability to force FV2.

For Crypt to function, the following mechanisms must be present in the `system.login.console` right in authorizationdb:

```xml
<string>Crypt:Check,privileged</string>
<string>Crypt:CryptGUI</string>
<string>Crypt:Enablement,privileged</string>
```

Presence of these lines can be confirmed via:

```sh
/usr/bin/security authorizationdb read system.login.console
```

This can be managed via a configuration management tool (Puppet, Salt, etc.), or via the following Munki installcheck script, which will force a reinstall of Crypt if the authorizationdb entries are absent (exit 0 tells Munki an install is needed; exit 1 means nothing to do).

```python
#!/usr/bin/python

'''Munki installcheck script: checks that all the Crypt pieces are in the
authorizationdb. Exit 0 tells Munki to (re)install Crypt; exit 1 means no
install is needed.'''

import os
import sys
from subprocess import check_output

try:
    # Python 3.4+
    from plistlib import loads as plist_loads
except ImportError:
    # Python 2 (the system /usr/bin/python this script targets)
    from plistlib import readPlistFromString as plist_loads


def get_mechs():
    '''Returns a list of all current authdb mechanisms for system.login.console.'''
    cmd = ["/usr/bin/security", "authorizationdb", "read", "system.login.console"]
    cur_mech_plist = plist_loads(check_output(cmd))
    return cur_mech_plist.get('mechanisms', [])


if not os.path.exists('/Library/Security/SecurityAgentPlugins/Crypt.bundle'):
    # Crypt isn't installed, so there is nothing to repair; exit early.
    sys.exit(1)

mechs = ['Crypt:Check,privileged', 'Crypt:CryptGUI', 'Crypt:Enablement,privileged']
current_mechs = get_mechs()
for crypt_mech in mechs:
    if crypt_mech not in current_mechs:
        # A Crypt mechanism is missing: tell Munki to reinstall.
        sys.exit(0)
sys.exit(1)
```
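The same audit, written as an added example (not Crypt's own code) that separates parsing from the Munki exit-code decision so it can be tested offline against a constructed, abridged copy of the plist that `security authorizationdb read` prints after an upgrade has stripped the Crypt mechanisms. The `system.login.console` mechanism list below is constructed and shortened; the Munki exit-code convention (0 = install needed, 1 = nothing to do) is the one the page relies on.

```python
"""Audit the system.login.console right for Crypt's authorizationdb mechanisms."""
import os
import plistlib
import subprocess
import sys

CRYPT_MECHS = ["Crypt:Check,privileged", "Crypt:CryptGUI", "Crypt:Enablement,privileged"]
CRYPT_BUNDLE = "/Library/Security/SecurityAgentPlugins/Crypt.bundle"

# Constructed, abridged sample of what `security authorizationdb read
# system.login.console` prints after a macOS upgrade removed every Crypt entry.
SAMPLE_AFTER_UPGRADE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key><array>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array></dict></plist>"""


def missing_crypt_mechs(plist_bytes):
    """Return the Crypt mechanisms absent from the right, in CRYPT_MECHS order."""
    right = plistlib.loads(plist_bytes)
    # A right with no 'mechanisms' key is treated as having none, not as an error.
    present = right.get("mechanisms", [])
    return [m for m in CRYPT_MECHS if m not in present]


def installcheck_exit_code(crypt_installed, missing):
    """Munki installcheck convention: 0 = (re)install needed, 1 = nothing to do."""
    if not crypt_installed:
        return 1  # nothing to repair when Crypt was never installed
    return 0 if missing else 1


def read_live_right():
    """Read the real right from authorizationdb (macOS only)."""
    cmd = ["/usr/bin/security", "authorizationdb", "read", "system.login.console"]
    return subprocess.check_output(cmd)


if __name__ == "__main__":
    missing = missing_crypt_mechs(read_live_right())
    for m in missing:
        print("missing from system.login.console: " + m)
    sys.exit(installcheck_exit_code(os.path.exists(CRYPT_BUNDLE), missing))
```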