Sunday, 28 July 2013

FileVault 2 Escrow Servers

What is FileVault?
FileVault is Apple’s solution for protecting a user’s files by encrypting them. The original version (FileVault 1) was introduced with Mac OS X Panther (10.3) and continued through to Mac OS X Snow Leopard (10.6). FileVault 1 worked by storing the user’s home directory inside an encrypted disk image file; the rest of the hard disk was not encrypted. Security was later improved with the introduction of ‘Secure Virtual Memory’, which also encrypted the contents of virtual memory written to the hard disk, but it remained the case that the rest of the hard disk was not encrypted.

FileVault 1 however had two major problems. Firstly, it had a reputation for reliability problems that could lose all of your personal files (unless you had a backup). Secondly, because the rest of the hard disk was not encrypted, it was possible for the user to mistakenly store files outside their encrypted home directory, or for misbehaving applications to do so. As a result FileVault 1 was never accepted as adequate by Government or Enterprise customers, especially in regulated industries like finance, law and medicine. Those customers would instead use products meeting the FIPS 140-2 security standard such as CheckPoint Full Disk Encryption, PGP Whole Disk Encryption, Sophos SafeGuard, or WinMagic SecureDoc Disk Encryption (all of which are available for both Mac and Windows computers).

With OS X Lion (10.7) Apple therefore introduced FileVault 2, which, like its competitors, encrypts the entire hard disk and can also encrypt external drives (for storing your backups). FileVault 2 in OS X Lion eventually gained FIPS 140-2 certification itself, and OS X Mountain Lion also gained FIPS 140-2 certification in July 2013. FileVault 2 is regarded as far more reliable than FileVault 1, and because it encrypts the entire hard disk there is no danger of files accidentally leaking outside the protected area. Bear in mind that full disk encryption protects data only while the disk is locked (a Mac that is powered off or has not yet been unlocked at boot); once a user has unlocked it, the data is as accessible as on any other machine, so the strength of the users’ passwords still matters.

What is Escrow?
With any encryption product you must be able to supply the correct key to access the contents; if you lose the key you lose the ability to access the files. Therefore most, if not all, such products provide a ‘recovery’ key that can unlock the data when the normal password is unavailable, either because a user has forgotten it or because a user has left and you then need to gain access to their machine. FileVault 2 is no exception: when it is enabled it generates a recovery key that unlocks the disk independently of any user’s account password. This is where the term Escrow comes in: a third party (securely) stores a copy of that recovery key on your behalf. Whoever holds the escrow store can unlock every Mac in it, so it has to be treated as highly sensitive data with tightly restricted, audited access. The rest of this article discusses the alternatives available for doing this in conjunction with Apple’s FileVault 2 software.

1. Using your Apple ID to store the recovery key
Many people may forget that when you enable FileVault 2 Apple offers, at the same time, to store your recovery key on Apple’s servers, associated with your Apple ID, and this service is completely free of charge. This does count as an Escrow service, with Apple acting as the third party.
However, some users may be unhappy with the fact that another company is holding this information. It is also not designed to make it easy for an IT administrator to manage multiple computers.

2. Cauliflower Vest
This is free open source software written by Google. It allows you to set up a central store of recovery keys with controlled access, making it much more suitable for an IT administrator to manage. It can also make the use of FileVault 2 compulsory, ensuring the laptop is encrypted.
However, its server component runs on Google’s App Engine, so again some users may not be happy with the thought of someone else’s infrastructure holding their security keys.

3. Casper Suite
JAMF Software produce an extensive suite of software for managing both Macs and iOS devices. This includes the ability to manage FileVault 2, both to enforce its use (like Cauliflower Vest) and to store the recovery keys.
Unlike the previous two solutions, Casper Suite runs on your own servers, so you do not have to worry about the possibility of a third party having access to your security keys. It is however a commercial solution, so you do have to buy the Casper Suite software and licences.

4. Crypt Server
This is another free open source solution, this time written by Graham Gilbert. It allows you to run your own server internally and securely store the recovery keys. It includes a matching client component so that, like Casper Suite and Cauliflower Vest, you can enforce the use of FileVault 2 encryption and automate the storing of the recovery keys.
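As an added example (not code from the original post, nor from Crypt, Cauliflower Vest or Casper Suite), here is what the client half of the escrow flow described under ‘What is Escrow?’ and automated by the Crypt client looks like in Python 3: parse the property list that `fdesetup enable -outputplist` prints on OS X 10.8 and later, sanity-check the recovery key, and build the record to hand to the escrow server. The sample plist and the key in it are constructed for this example (modelled on fdesetup’s output); the record layout and the function names are this example’s own, not Crypt’s.

```python
"""Added example: the client side of a FileVault 2 recovery key escrow.

Not Crypt's, Cauliflower Vest's or Casper's own code. Parses the plist
that `fdesetup enable -outputplist` prints, sanity-checks the recovery
key, and builds the record an escrow server would store. The sample
plist below is constructed; the key in it is not a real recovery key.
"""
import plistlib
import re
import subprocess

# Constructed sample, shaped like `fdesetup enable -outputplist` output.
SAMPLE_FDESETUP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnabledUsers</key>
    <array>
        <string>alice</string>
    </array>
    <key>HardwareUUID</key>
    <string>6F1E9B2C-5D3A-4E7F-8A1B-2C3D4E5F6A7B</string>
    <key>RecoveryKey</key>
    <string>4RTG-K9JM-XLPQ-7ZBN-H2VD-WY8C</string>
    <key>SerialNumber</key>
    <string>C02ABCDEFGH</string>
</dict>
</plist>
"""

# A FileVault 2 personal recovery key is 24 characters in six groups of
# four separated by hyphens. This is a format check only: it cannot tell
# you that the key actually unlocks the disk.
RECOVERY_KEY_RE = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){5}$")


def parse_fdesetup_output(plist_bytes):
    """Parse the XML plist written by `fdesetup enable -outputplist`."""
    return plistlib.loads(plist_bytes)


def is_valid_recovery_key(key):
    return isinstance(key, str) and RECOVERY_KEY_RE.match(key) is not None


def build_escrow_record(info, username):
    """Build the record an escrow server would store for one Mac.

    Fails loudly if there is no usable key: fdesetup does not always
    print one (for example if the enable step did not complete), and
    silently escrowing an empty record would leave that machine
    unrecoverable while the administrator believes it is covered.
    """
    key = info.get("RecoveryKey")
    if not is_valid_recovery_key(key):
        raise ValueError("no usable RecoveryKey in fdesetup output")
    if username not in info.get("EnabledUsers", []):
        raise ValueError("%s is not an enabled FileVault user" % username)
    return {
        "serial": info["SerialNumber"],
        "hardware_uuid": info.get("HardwareUUID", ""),
        "username": username,
        "recovery_key": key,
    }


def describe_record(record):
    """Log-safe one-line summary: never write the full key to a log file."""
    last_group = record["recovery_key"][-4:]
    return "serial=%s user=%s key=****-****-****-****-****-%s" % (
        record["serial"], record["username"], last_group)


def enable_filevault():
    """Real client path: run fdesetup as root on a Mac (not exercised here).

    fdesetup prompts for the name and password of the account to enable
    unless they are supplied with -inputplist on standard input.
    """
    out = subprocess.check_output(
        ["/usr/bin/fdesetup", "enable", "-outputplist"])
    return parse_fdesetup_output(out)


if __name__ == "__main__":
    info = parse_fdesetup_output(SAMPLE_FDESETUP_PLIST)
    record = build_escrow_record(info, "alice")
    print(describe_record(record))
```

The record would then be posted to the escrow server over TLS and the key discarded from the client; the summary line is what goes in the client’s log. On OS X 10.9 and later `fdesetup validaterecovery` can confirm that an escrowed key is still current for the disk, which is worth running periodically since a key that was rotated after escrow is useless when you need it.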
(The original post includes two screenshots here: one of a page from the Crypt Server web administration interface, and one of what the client sees when they set up a computer.)
Crypt Server was however originally written to run on Ubuntu Linux Server. I have however worked out how to run it on OS X Server using Apple’s software, and instructions on how to do this are available here -


