FileVault 2 computes a recovery key when I activate this security mode. This recovery key is a mandatory safety belt when someone wants to use serious cryptography.
Is it possible to create a recovery key in the same way for an encrypted disk image created with Disk Utility or hdiutil?
I'm looking for a solution based on hdiutil for Lion, Mountain Lion and Mavericks, and which would still work on future versions of Mac OS X.
Best Answer
It is possible to do this using hdiutil and openssl. The essence of the solution is to use the -certificate option of hdiutil. This field expects a DER-formatted certificate that will be used during the encryption. The certificate can be used later to decrypt the volume via the -recover option of hdiutil.
A 10-year duration is used on the certificates below; you could use longer terms if desired. I haven't tested the effect of an expired certificate on the ability to decrypt the volume.
Fully test that you can decrypt using the recovery certificate before entrusting the encrypted volume with your data!
The steps are:
1. Create a Certificate Authority (CA) that will be used to sign your recovery certificate. You will be asked for a password. This should be unique for this signing key. The CA created can be used to sign many certificates.
2. Create a password-protected certificate signing request (CSR). The password requested in this step is your "recovery key".
3. Create the signed certificate in PEM format.
4. Convert the signed certificate to DER format.
5. Bundle the PEM certificate and private key into a PKCS#12 package. This package can be later imported into the keychain on a Mac where a volume needs to be recovered. Protect this package as it can be used to access any volume encrypted using the contained certificate. For example, put it onto a thumb drive that is kept in a secure location.
6. Use hdiutil with both the -agentpass and -certificate options to create the encrypted volume.
More discussion on this topic can be found at: http://thelowedown.wordpress.com/2008/11/27/data-encryption-for-mac-osx-sparse-images-with-enterprise-recovery/
The directions above are a combination of my own notes on creating certificates for websites plus instructions at the site above.
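The six steps above written out as a shell script, added here as an example of my own and not code from the answer or the linked site. The file names, subject names and the environment-variable passphrases CA_PASS, RECOVERY_PASS and P12_PASS are assumptions chosen so it runs without interactive prompts; the hdiutil step is only attempted where hdiutil exists (macOS).

```shell
#!/bin/sh
# Added example (not from the answer): the six openssl/hdiutil steps as shell functions.
# Assumed/constructed: file and subject names; passphrases come from CA_PASS,
# RECOVERY_PASS and P12_PASS in the environment instead of interactive prompts.
set -eu
# Step 1: CA key and self-signed CA certificate (10-year validity, as in the answer).
make_ca() {
    openssl genrsa -aes256 -passout env:CA_PASS -out ca.key 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -passin env:CA_PASS \
        -subj "/CN=Disk Image Recovery CA" -out ca.crt
}

# Step 2: encrypted private key plus CSR. RECOVERY_PASS is the "recovery key".
make_csr() {
    openssl genrsa -aes256 -passout env:RECOVERY_PASS -out recovery.key 2048 2>/dev/null
    openssl req -new -key recovery.key -passin env:RECOVERY_PASS \
        -subj "/CN=Disk Image Recovery" -out recovery.csr
}

# Steps 3 and 4: sign the CSR with the CA (PEM), then convert to DER for hdiutil.
sign_and_convert() {
    openssl x509 -req -days 3650 -in recovery.csr -CA ca.crt -CAkey ca.key \
        -passin env:CA_PASS -CAcreateserial -out recovery.pem 2>/dev/null
    openssl x509 -in recovery.pem -outform DER -out recovery.der
}

# Step 5: PKCS#12 bundle (cert + key) to import into the keychain of the recovering Mac.
make_p12() {
    openssl pkcs12 -export -in recovery.pem -inkey recovery.key \
        -passin env:RECOVERY_PASS -passout env:P12_PASS -out recovery.p12
}

# Step 6 (macOS only): passphrase via the agent AND the recovery certificate.
# Later recovery: hdiutil attach -recover <keychain holding the imported .p12> secure.dmg
make_image() {
    hdiutil create -size 100m -fs HFS+ -volname Secure -encryption AES-256 \
        -agentpass -certificate recovery.der secure.dmg
}

# Sanity check of the artefacts (the real test is attaching with -recover):
# DER parses, leaf chains to the CA, and the .p12 opens and holds the leaf cert.
check_bundle() {
    openssl x509 -inform DER -in recovery.der -noout &&
    openssl verify -CAfile ca.crt recovery.pem >/dev/null &&
    openssl pkcs12 -in recovery.p12 -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -subject
}

if [ "${RUN_RECOVERY_DEMO:-0}" = 1 ]; then
    make_ca; make_csr; sign_and_convert; make_p12; check_bundle
    if command -v hdiutil >/dev/null 2>&1; then make_image; fi
fi
```

Run it with RUN_RECOVERY_DEMO=1 and the three passphrase variables exported; keep recovery.p12 off the machine whose images it can unlock, as the answer advises.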