IronIzzy: FileVault Documentation - non DEP systems


Notice - Non DEP Systems Only

This document is for systems that do not use DEP for deployment. For DEP-enrolled systems, please see here.




FileVault full-disk encryption helps to prevent unauthorized access to the information on your startup disk.

FileVault on Izzy-supported systems should only be enabled through the IzzyWeb interface by selecting the appropriate Policy Domain (typically "Notebook + IronIzzy (encryption)").

FileVault is enabled through Izzy at build time, during the pairing process, by selecting the "Notebook + IronIzzy (encryption)" Policy Domain, or by escalating the system's Policy Domain from "Desktop" to "Notebook + IronIzzy (encryption)" at a later time.

By enabling FileVault through Izzy, an encryption recovery key (Unlock Code) is generated and securely transferred to and stored in IzzyWeb. This Unlock Code can be used to access the system in cases where the password has been lost or compromised.

Enabling FileVault through IzzyWeb also enables pass-through authentication, so that the system user only needs to enter their password once to unlock the disk and access their user profile.

The most important step in turning on FileVault on an Izzy system is to "Enable Users…" for the account(s) that will be the primary user(s) on the system. This presents the enabled accounts at the boot screen and enables pass-through authentication to their user profiles. Failing to do this correctly may deny the user access to the system at a future point in time.



Steps to build an Izzy system with encryption and Enable Users

Build the system through the standard IzzyBoot process. During the Izzy "Pairing" process you will be given the option to select a Policy Domain. To build the system with encryption select the Policy Domain with "Notebook + IronIzzy (encryption)" as follows:


(The above example shows a system built in the Rackham Izzy organization. The list will vary by organization, but you will see a "Notebook + IronIzzy (encryption)" option if it is available for yours.)

Once the system has completely finished building and restarted, you will be presented with the boot screen prompting for a Disk Password. The default disk password is biberli.



After you have entered the Disk Password you will be presented with the Login Screen. It is recommended to first log in with an account that has admin credentials (typically a unit m- or # account created in Active Directory and placed in the appropriate AD admins group). The reason for this is that to enable a user in FileVault, the account must have admin credentials and already exist locally on the system. (See the Enable User Error section below.)


 

Adding User to the Boot Screen

Go to System Preferences > Security & Privacy

Select FileVault tab and unlock the preference pane ("Click the lock to make changes")

 

Once the preference pane is unlocked the "Enable Users…" button will be active. Select this button to be presented with a list of Users that can be activated for FileVault access.

 

Select "Enable User…" next to the account you want to enable and have the account owner enter their password. Select Okay.

The activated account will display with a green check. Select "Done" to close this window and complete the activation.


FileVault account activation is complete. Accounts can be added or removed as needed in the future. It is always good practice to restart the system and test the newly enabled accounts.
 



Obtaining the Disk Password (Unlock Code) from Izzy

Locate the system in Izzy and open the system record. Select "IronIzzy FileVault Management."

You will be presented with the FileVault Management window containing the current Unlock Code.



Verify a system's Policy Domain

Locate the system in Izzy and open the system record. Select "Rename System".

Verify the Policy Domain shown there.




Enable User Error

You will see the following error if you attempt to enable a FileVault user and the admin account has not previously logged into the system (i.e., the admin account does not yet exist locally on the system).





Encryption not starting on 10.13 loads

Supplemental updates on 10.13 are turning on Core Storage before Izzy can begin encryption when building new systems. To remedy this, perform the following commands in Terminal and follow along with the embedded screenshots.

diskutil cs list

This shows us that a Core Storage volume is present and not encrypted. Let's revert that back to a normal disk setup.

diskutil cs revert /

Once that completes, reboot the computer so that IronIzzy can start encrypting.

Check on the computer's status after the reboot to verify that Izzy has kicked off encryption. diskutil should show us that the status is Offline and the volume is Checking.

diskutil cs list

fdesetup will tell us what is going on with encryption.

sudo fdesetup status

Reboot the computer one more time to be prompted with the FileVault login screen. After login you can verify that the computer is encrypting with diskutil one last time.

diskutil cs list
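Added example, not part of the Izzy documentation: a POSIX shell script that checks the two things this page says to verify after a build, that the primary user was actually enabled at the FileVault boot screen (the "Adding User to the Boot Screen" section) and that encryption is running after the 10.13 revert procedure above. The parsing functions read the text of `fdesetup list` and `fdesetup status` on stdin, so the block runs against constructed sample output; the user names and UUIDs in the samples are made up.

```shell
#!/bin/sh
# Post-build FileVault checks (added example; not Izzy's own tooling).
# Each parser reads command output on stdin so it can be fed either a real
# command (`fdesetup list | fv_user_enabled jsmith`) or a constructed sample.

# Print just the user names from `fdesetup list` output ("user,UUID" per line).
fv_enabled_users() {
  cut -d, -f1
}

# Exit 0 if the named user is in the `fdesetup list` output on stdin.
fv_user_enabled() {
  fv_enabled_users | grep -qxF "$1"
}

# Classify `fdesetup status` output on stdin:
# encrypting | decrypting | off | on | unknown
fv_encryption_state() {
  status=$(cat)
  case "$status" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is Off"*)       echo off ;;
    *"FileVault is On"*)        echo on ;;
    *)                          echo unknown ;;
  esac
}

# Constructed sample output in the format of the two commands (values invented).
SAMPLE_LIST='m-unit,A1B2C3D4-0000-0000-0000-000000000001
jsmith,A1B2C3D4-0000-0000-0000-000000000002'
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 37.'

# Report for one expected primary user. On a real Mac replace the samples with
# `fdesetup list` and `sudo fdesetup status`.
fv_report() {
  user="$1"
  if printf '%s\n' "$SAMPLE_LIST" | fv_user_enabled "$user"; then
    echo "ok: $user is enabled at the FileVault boot screen"
  else
    echo "WARN: $user is NOT enabled; run Enable Users... before handing over the system"
  fi
  echo "encryption state: $(printf '%s\n' "$SAMPLE_STATUS" | fv_encryption_state)"
}

fv_report jsmith
```

A state of off after the reboot means the Core Storage revert did not take and the diskutil steps above should be repeated before handing the system to the user.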


If you run into any issues or have questions, reach out to us on Slack!