How to create a recovery key for an encrypted disk image


FileVault 2 computes a recovery key when I activate this security mode. This recovery key is a mandatory safety belt when someone wants to use serious cryptography.

Is it possible to create a recovery key in the same way for an encrypted disk image created with Disk Utility or hdiutil?

I'm looking for a solution based on hdiutil for Lion, Mountain Lion and Mavericks, one that could also hold up on future versions of Mac OS X.

Best Answer

It is possible to do this using hdiutil and openssl. The essence of the solution is to use the -certificate option of hdiutil. This option expects a DER formatted certificate that will be used during the encryption. The certificate can be used later to decrypt the volume via the -recover option of hdiutil.

A 10 year duration is used on the certificates below; you could use longer terms if desired. I haven't tested the effect of an expired certificate on the ability to decrypt the volume.

Fully test that you can decrypt using the recovery certificate before entrusting the encrypted volume with your data!

The steps are:

  1. Create a Certificate Authority (CA) that will be used to sign your recovery certificate. You will be asked for a password. This should be unique for this signing key. The CA created can be used to sign many certificates.

    % openssl genrsa -des3 -out ca.key 4096
    % openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    
  2. Create a password protected certificate signing request (csr). The password requested in this step is your "recovery key".

    % openssl genrsa -des3 -out recovery.key 4096
    % openssl req -new -key recovery.key -out recovery.csr
    
  3. Create the signed certificate in PEM format.

    % openssl x509 -req -days 3650 -in recovery.csr \
    -CA ca.crt -CAkey ca.key -set_serial 01 -out recovery.crt
    
  4. Convert the signed certificate to DER format.

    % openssl x509 -in recovery.crt -inform pem \
    -out recovery.der -outform der
    
  5. Bundle the PEM certificate and private key into a PKCS#12 package. This package can be later imported into the keychain on a mac where a volume needs to be recovered. Protect this package as it can be used to access any volume encrypted using the contained certificate. For example, put it onto a thumb drive that is kept in a secure location.

    % openssl pkcs12 -export -in recovery.crt -inkey recovery.key -out recovery.p12
    
  6. Use hdiutil with both the -agentpass and -certificate options to create the encrypted volume.

    % hdiutil create -type SPARSE -encryption aes-256 \
    -certificate ~/recovery.der -agentpass -fs HFS+J \
    -volname "Secure Docs" -size 20g ~/Secure
    
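The six steps above scripted end to end, as an added example that is not part of the original answer: steps 1 to 5 run non-interactively with openssl (passwords are read from the assumed CA_PASS and RECOVERY_PASS environment variables and the subjects are fixed with -subj), the resulting chain, DER file and PKCS#12 bundle are checked before the certificate is handed to hdiutil, and step 6 is wrapped in a function that only runs on macOS.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes openssl is in PATH and that
# CA_PASS (CA key password) and RECOVERY_PASS (the "recovery key") are exported.
set -eu

# make_recovery_cert DIR: writes ca.key/ca.crt, recovery.key/.csr/.crt/.der/.p12 into DIR
make_recovery_cert() {
  dir=$1
  mkdir -p "$dir"
  # Step 1: CA key and self-signed CA certificate, 10 year validity
  openssl genrsa -des3 -passout env:CA_PASS -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin env:CA_PASS \
    -subj "/CN=Disk Image Recovery CA" -out "$dir/ca.crt"
  # Step 2: password-protected recovery key (RECOVERY_PASS is the recovery key) and CSR
  openssl genrsa -des3 -passout env:RECOVERY_PASS -out "$dir/recovery.key" 4096 2>/dev/null
  openssl req -new -key "$dir/recovery.key" -passin env:RECOVERY_PASS \
    -subj "/CN=Disk Image Recovery" -out "$dir/recovery.csr"
  # Step 3: sign the CSR with the CA
  openssl x509 -req -days 3650 -in "$dir/recovery.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -passin env:CA_PASS -set_serial 01 -out "$dir/recovery.crt" 2>/dev/null
  # Step 4: DER copy, the form hdiutil -certificate expects
  openssl x509 -in "$dir/recovery.crt" -inform pem -out "$dir/recovery.der" -outform der
  # Step 5: PKCS#12 bundle (certificate + private key) for the recovering Mac's keychain
  openssl pkcs12 -export -in "$dir/recovery.crt" -inkey "$dir/recovery.key" \
    -passin env:RECOVERY_PASS -passout env:RECOVERY_PASS -out "$dir/recovery.p12"
}

# verify_recovery_cert DIR: the certificate chains to the CA, the DER file parses, and
# the PKCS#12 bundle still opens with RECOVERY_PASS. Returns non-zero on any failure.
verify_recovery_cert() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/recovery.crt" >/dev/null &&
  openssl x509 -in "$dir/recovery.der" -inform der -noout -subject >/dev/null &&
  openssl pkcs12 -in "$dir/recovery.p12" -passin env:RECOVERY_PASS -noout -nokeys
}

# Step 6 (macOS only): create_image DIR IMAGE_PATH; hdiutil prompts for the image
# password (-agentpass) and additionally wraps the key to recovery.der.
create_image() {
  hdiutil create -type SPARSE -encryption aes-256 -certificate "$1/recovery.der" \
    -agentpass -fs HFS+J -volname "Secure Docs" -size 20g "$2"
}
```

Run verify_recovery_cert before step 6, and after creating the image still perform the full recovery test the answer asks for (import recovery.p12 into the keychain and attach the image with -recover) on a throwaway image.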

More discussion on this topic can be found at: http://thelowedown.wordpress.com/2008/11/27/data-encryption-for-mac-osx-sparse-images-with-enterprise-recovery/

The directions above are a combination of my own notes on creating certificates for websites plus instructions at the site above.