Yubico Forum
https://forum.yubico.com/

OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.1.14
https://forum.yubico.com/viewtopic.php?f=23&t=1453

Author:  pknickles [ Sun Aug 31, 2014 9:14 pm ]
Post subject:  OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.1.14

I'd like to encrypt my Mac but I'm also a bit concerned about whether or not it will even work... (The latest post I can find on Yubico support boards is from 6 months ago.)

Can this be done yet? If so, could Yubico produce an EXPLICITLY DETAILED instruction set? (I only ask for explicit instructions because 6-9 months ago I tried this and nearly lost access to all my data. Rather than me figuring this one on my own (via several calls to Yubico tech support) I'd think a runbook would be the easiest/best path for Yubico customers. I can't be the only person who wants to do this...)

Author:  skitapa [ Tue Nov 04, 2014 4:04 pm ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

I would also like to see this.
However, I can not see how this would be implemented. A mac can have a network connection before booting an encrypted drive but I think that it is not available for users to play with, and is probably only available for remote booting and so on.
Do note that this is plain speculation on my part. For some reason storing a static password in one slot of the yubikey and decrypting the drive that way does not work for me but has been reported to work, so that could be one option for you.
It's always a good thing to let Apple know that support for YubiKey should be implemented in the OS, so don't forget to mail them and let them know.

And remember: anyone who thinks that they are too small to make a difference has never tried to fall asleep with a mosquito in the room :-)

Author:  mortenbendtsen [ Mon Nov 10, 2014 11:21 am ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

It is quite easy to set up your YubiKey with FileVault in OS X. You just use a static password, preferably in combination with a short password you remember, to create something similar to 2-factor.

The only thing that is very important is that you change the speed of the YubiKey to 40ms, otherwise the pre-boot authentication does not work. You can do that in the settings or tools tab of the personalization tool.

Author:  skitapa [ Mon Nov 24, 2014 1:48 pm ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

mortenbendtsen wrote:
just use a static password preferably in combination with a short password you remember to create something similar to 2-factor.


Thank you sir! That is awesome; I had not realized this. I was kind of disappointed that I was forced to use a static password to unlock FileVault 2, but with your idea I can use a static password, remove the enter key and just add my own short one on the end of it. That is great! Now I don't need to be afraid to lose my YubiKeys :-D

Author:  mortenbendtsen [ Mon Nov 24, 2014 1:51 pm ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

skitapa wrote:
mortenbendtsen wrote:
just use a static password preferably in combination with a short password you remember to create something similar to 2-factor.


Thank you sir! That is awesome; I had not realized this. I was kind of disappointed that I was forced to use a static password to unlock FileVault 2, but with your idea I can use a static password, remove the enter key and just add my own short one on the end of it. That is great! Now I don't need to be afraid to lose my YubiKeys :-D


Personally I keep the enter at the end and add my own short password at the beginning of the password, but that is a matter of preference.

Author:  zviratko [ Fri Mar 13, 2015 3:12 pm ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

IMO using static password with Yubikey completely defeats security

IF you just use the static password, insert the Yubikey during boot, press the key, then put it back on your keychain, it could have some benefit (like having a much longer/harder to crack password)

BUT

IF you use the Yubikey for anything else, you are bound to hit it from time to time, pasting your password into whatever you're doing (like your terminal, where it will show up in .bash_history unless erased) - this allows the password to show up in keyloggers, history, remote servers - wherever it ends...

It's a convenience feature, replaceable by a BatteryHorseStaplePassword easily.

What would make sense is using the smartcard component to store the private key for the FDE encryption.
With FileVault, this is impossible by design as the private key is stored on the drive and encrypted with passwords, but it "could" be possible to encrypt this private key with yubikey's key, thus having no password at all, and cracking key encryption is much harder (IMO?) than cracking a password for a key.
- This is however impossible at the moment, and would likely need support built-into the EFI firmware from Apple.

A different story is with encrypted images - those can be encrypted with a keychain-backed key, so you could use a Yubikey as a smartcard to protect some of your data - it's not FDE though so usability and security will suffer, but not by that much.
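The leak zviratko describes above (a static-password slot firing into a terminal and landing in .bash_history or a remote host's history) is cheap to check for, because a YubiKey types ModHex, a fixed 16-letter alphabet. The following is an added example written for this page, not code from any poster or from Yubico. The sample history and the token in it are constructed, and the 32-character threshold is an assumption about the configured static password length; lower it if your slot is programmed shorter.

```python
"""Scan a shell history for leaked YubiKey static passwords or OTPs.

A static-password slot types its secret into whatever window has focus.
If that is a terminal, the secret ends up in .bash_history (and in the
history of any remote shell). The YubiKey types ModHex, so a long run of
ModHex letters in a command line is a high-precision signal of a leak.
"""
import re
from typing import List, Tuple

# ModHex alphabet used by YubiKey output (chosen to be keyboard-layout independent).
MODHEX_ALPHABET = "cbdefghijklnrtuv"

# Assumption: the static password is at least 32 ModHex characters long,
# so any run of 32+ ModHex letters in a command line is treated as a leak.
DEFAULT_MIN_LEN = 32

# Constructed token standing in for a leaked static password (not a real key).
LEAKED_TOKEN = "ccccccbtgjdrhvjvnvflnkkeinbvkvutetcbheidrbtefnfutcvc"

# Constructed sample history: line 4 is the slot firing while "cat " was typed.
SAMPLE_HISTORY = "\n".join([
    "ls -la ~/Documents",
    'git commit -m "fix typo"',
    "ssh backup@10.0.0.5",
    "cat " + LEAKED_TOKEN,
    "echo hello world",
    "curl https://example.invalid/api",
])


def modhex_pattern(min_len: int) -> "re.Pattern[str]":
    """Regex matching a run of at least min_len ModHex letters (any case)."""
    return re.compile(r"[%s]{%d,}" % (MODHEX_ALPHABET, min_len), re.IGNORECASE)


def find_leaks(history: str, min_len: int = DEFAULT_MIN_LEN) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every ModHex run of min_len+ letters."""
    pattern = modhex_pattern(min_len)
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(history.splitlines(), start=1):
        for match in pattern.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(history: str, min_len: int = DEFAULT_MIN_LEN,
           placeholder: str = "<REDACTED-MODHEX>") -> str:
    """Return the history with every ModHex run replaced by placeholder."""
    return modhex_pattern(min_len).sub(placeholder, history)


def contains_secret(history: str, secret: str) -> bool:
    """Exact check for one known static password, e.g. before re-programming the slot."""
    return secret in history


if __name__ == "__main__":
    for lineno, token in find_leaks(SAMPLE_HISTORY):
        print("line %d: leaked %d-character ModHex token" % (lineno, len(token)))
    print(redact(SAMPLE_HISTORY))
```

The scan still fires when a memorized part is typed directly before or after the static string, as in the prefix/suffix scheme discussed earlier in the thread, because the ModHex run itself is what is matched. If the slot keeps its trailing Enter, an accidental touch also executes whatever was already on the command line, so this is worth running on every host you ssh into from that machine; after a hit, treat the slot as compromised and re-program it rather than only redacting the history file.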

Author:  CypherCookie [ Wed Jul 08, 2015 11:41 am ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

Hi all,

We use slot 2 with a static key, which is generated randomly at whatever length you need.

We then use this as dual authentication to allow users to login and unlock their screen saver.

While the static token isn't ideal, it is needed, as the authentication mechanism needs to know what the key is to allow 2-factor authentication to work. Also, if you use FileVault on a Mac or another encrypted platform, the token is securely locked away until the user decrypts the drive.

I am currently looking at how we can use the static token to unlock FileVault as well.

Author:  CypherCookie [ Wed Jul 08, 2015 12:48 pm ]
Post subject:  Re: OSX v10.9.4 "FileVault" via Neo Personalization Tool v3.

OK, so after applying my brain for more than 2 seconds I realised that it's not possible to get the YubiKey to unlock FileVault, as the entire disk is encrypted.

As this is Apple, there is also no public TPM in which you can store key data etc., therefore I do not believe that it is possible at present to achieve this.

All times are UTC + 1 hour