Preferences
Details on Crypt's preferences
Crypt stores its configuration info in the `com.grahamgilbert.crypt` preferences domain. By default, this info is stored in `/Library/Preferences/com.grahamgilbert.crypt.plist`, but you can also use MCX, configuration profiles, or `/private/var/root/Library/Preferences/com.grahamgilbert.crypt`, or a combination of these locations with the normal defaults precedence:

- MCX/Configuration profiles
- `/private/var/root/Library/Preferences/com.grahamgilbert.crypt.plist`
- `/Library/Preferences/com.grahamgilbert.crypt.plist`
(Scroll the table horizontally to see all columns -- GitHub's default view tends to hide the last column, which contains a description of the key.)
Key | Type | Default | Description |
---|---|---|---|
ServerURL | string | None | The ServerURL preference sets your Crypt Server. Crypt will not enforce FileVault if this preference isn't set. |
SkipUsers | array | None | An array of short usernames that will not be forced to enable FileVault. |
RemovePlist | boolean | True | By default, the plist at /var/root/crypt_output.plist containing the FileVault key is removed once the key has been escrowed. If this is set to False, the key remains on disk, readable only by root. |
RotateUsedKey | boolean | True | As of v2.2.0 and ONLY ON HFS formatted disks Crypt can rotate the recovery key if the key is used to unlock the disk. There is a small caveat that this feature only works if the key is still present on the disk. |
ValidateKey | boolean | True | If True, and the key is kept on disk Crypt will validate the recovery key. If the key fails validation, the plist is removed so it can be regenerated on next login. |
OutputPath | string | /var/root/crypt_output.plist | As of version 3.0.0 you can define a new location for where the recovery key is written to. |
KeyEscrowInterval | integer | 1 | As of version 3.0.0 you can now define the time interval in Hours for how often Crypt tries to re-escrow the key to Crypt-Server after the first successful escrow. |
PostRunCommand | array | None | (Introduced in version 3.2.0) This is a command that is run after Crypt has detected an error condition with a stored key that cannot be resolved silently - either it has failed validation or the server has instructed the client to rotate the key. These cannot be resolved silently on APFS volumes, so the user will need to log in again. If you have a tool that can enforce a logout or a reboot, you can run it here. This preference can either be a string if your command has no spaces, or an array if there are spaces in the command. |
GenerateNewKey | boolean | False | As of version 3.2.0 you can rotate/generate a new key by setting this preference to True. It is set back to False after a successful rotation. NOTE: Setting this key via a profile will be ignored. |
DO NOT use a text editor or plist editor to edit preferences located at `/Library/Preferences/com.grahamgilbert.crypt.plist` or the equivalent files in `/var/root/Library/Preferences`. Editing macOS preferences in this way is likely to lead to unexpected or unwanted results, as your changes may be ignored by macOS's preference caching. Instead, if you must manually change the values of one or more Crypt preferences, use the `/usr/bin/defaults` command. This is not unique to Crypt -- the same recommendations apply to changing any macOS preference.
If you script the setting of Crypt preferences, do not use `PlistBuddy` or any tool designed to manipulate plists, for the same reasons as above. Instead, use the `/usr/bin/defaults` tool or call the CFPreferences methods in CoreFoundation (https://developer.apple.com/documentation/corefoundation/preferences_utilities?language=objc).
The other supported way to set and manage Crypt's preferences is to use configuration profiles. An example configuration profile can be found here.
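The following is an added example of such a profile, not the project's own example file. It places the Crypt keys in a custom-settings payload whose `PayloadType` is the `com.grahamgilbert.crypt` domain; the server URL, payload identifiers, UUIDs, the skipped username and the `/usr/local/bin/force-logout` path are placeholder assumptions, and `GenerateNewKey` is left out because the page states a profile-set value is ignored.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- PayloadType must equal the preference domain so the keys land in com.grahamgilbert.crypt -->
      <key>PayloadType</key>
      <string>com.grahamgilbert.crypt</string>
      <key>PayloadIdentifier</key>
      <string>com.example.crypt.settings</string>
      <key>PayloadUUID</key>
      <string>2F4D0C9A-1B2C-4D5E-8F90-123456789ABC</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- ServerURL is a string; Crypt does not enforce FileVault without it (placeholder host) -->
      <key>ServerURL</key>
      <string>https://crypt.example.com</string>
      <key>SkipUsers</key>
      <array>
        <string>localadmin</string>
      </array>
      <key>RemovePlist</key>
      <true/>
      <key>KeyEscrowInterval</key>
      <integer>24</integer>
      <!-- PostRunCommand as an array because the command has arguments; path is a hypothetical tool -->
      <key>PostRunCommand</key>
      <array>
        <string>/usr/local/bin/force-logout</string>
        <string>--now</string>
      </array>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Crypt</string>
  <key>PayloadIdentifier</key>
  <string>com.example.crypt</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>7A1B2C3D-4E5F-4A6B-9C8D-0E1F2A3B4C5D</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
```

Because profiles sit at the top of the precedence list above, any value set here overrides the same key written with `defaults` to either plist location.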
If you use the `/usr/bin/defaults` command to set values for keys in `com.grahamgilbert.crypt.plist`, remember that values default to the string type. If you are writing a boolean, integer, or array value, be sure to add the appropriate type flag. For example:

```
/usr/bin/defaults write /Library/Preferences/com.grahamgilbert.crypt RemovePlist -bool false
```

See `man defaults` for a complete list of type flags.