Yubico Forum

I'd like to encrypt my Mac but I'm also a bit concerned about whether or not it will even work... (The latest post I can find on Yubico support boards is from 6 months ago.)

Can this be done yet? If so, could Yubico produce an EXPLICITLY DETAILED instruction set? (I only ask for explicit instructions because 6-9 months ago I tried this and nearly lost access to all my data. Rather than me figuring this one on my own (via several calls to Yubico tech support) I'd think a runbook would be the easiest/best path for Yubico customers. I can't be the only person who wants to do this...)

I would also like to see this.
However, I can not see how this would be implemented. A mac can have a network connection before booting an encrypted drive but I think that it is not available for users to play with, and is probably only available for remote booting and so on.
Do note that this is plain speculation on my part. For some reason storing a static password in one slot of the yubikey and decrypting the drive that way does not work for me but has been reported to work, so that could be one option for you.
It's always a good thing to let apple know that support for yubikey should be implemented in the OS so don´t forget to mail them and let them know.

And remember Anyone who thinks that they are too small to make a difference has never tried to fall asleep with a mosquito in the room

It is quite easy to to set up your yubikey with the FileVault in OS X. You just use a static password preferably in combination with a short password you remember to create something similar to 2-factor.

Only thing that is very important is that you change the speed of the yubikey to 40ms otherwise the pre-boot authentication does not work. You can do that in the settings or tools tab of the personalization tool.

Thank you sir! That is awesome, I had not realized this. I was kind of disappointed that I was forced to use a static password to unlock FileVault2 but with your idea I can use a static password, remove the enter key and just add my own short one on the end of it. That is great! Now I don't need to be afraid to loose my yubikeys

Personally I keep the enter at the end and add my own short password at the beginning of the password, but that is a matter of preference.

IMO using static password with Yubikey completely defeats security

IF you just use the static password, insert the Yubikey during boot, press the key, then put it back on your keychain, it could have some benefit (like having a much longer/harder to crack password)

BUT

IF you use the Yubikey for anything else, you are bound to hit it from time to tame, pasting your password into whatever you're doing (like your terminal where it will show up in .bash_history unless erased) - this allows the password to show up in keyloggers, history, remote servers - wherever it ends...

It's a convenience feature, replaceable by a BatteryHorseStaplePassword easily.

What would make sense is using the smartcard component to store the private key for the FDE encryption.
With FileVault, this is impossible by design as the private key is stored on the drive and encrypted with passwords, but it "could" be possible to encrypt this private key with yubikey's key, thus having no password at all, and cracking key encryption is much harder (IMO?) than cracking a password for a key.
- This is however impossible at the moment, and would likely need support built-into the EFI firmware from Apple.

A different story is with encrypted images - those can be encrypted with a keychain-backed key, so you could use a Yubikey as a smartcard to protect some of your data - it's not FDE though so usability and security will suffer, but not by that much.

Hi all,

We use slot 2 with a static key, which is generated randomly at whatever length you need.

We then use this as dual authentication to allow users to login and unlock their screen saver.

While the static token isn't ideal, it is needed as the authentication mechanism needs to know what the key is to allow 2 factor authentication to work. Also if you use file vault on a mac or another encrypted platform the token is securely locked away until the user un-encrypts the drive.

I am currently looking at how we can use the static token to unlock FileVault as well.

OK so after apply my brain for more than 2 seconds i realised that its not possible to get the YubiKey to unlock the filevault as the entire disk is encrypted.

As this is Apple there is also no public TPM in which you can store key data etc in therefore I do not believe that it is possible at present to achieve this.