FileVault 2 uses the GeneratedUID user attribute to save who is permitted to unlock an encrypted volume. If the GeneratedUID of a user differs from what was generated (or pulled from LDAP) when FileVault 2 was enabled, the user will not be permitted to unlock the machine, as their account will appear to be unavailable at the EFI menu. It also causes System Preferences to crash on their Mac whenever they try to open the Security & Privacy prefpane.
This problem arises when /usr/bin/mcxrefresh runs and pulls a null value or a value different from what is stored locally from LDAP (if the attribute isn't defined for the user in question or is defined incorrectly, respectively), overwriting the GeneratedUID stored locally (which is generated and only stored locally when FileVault 2 is enabled without a matching LDAP attribute).
In other words, if an apple-generateduid value exists in LDAP for a user and is mapped properly on the user's Mac to the GeneratedUID attribute, FileVault 2 will not generate a new value, but will instead use the value stored in LDAP.
I was able to resolve this issue by adding an attribute called apple-generateduid to the LDAP entry of any user experiencing this issue. I could generate a random value for this attribute in Python by running the following one-liner from my terminal (the parenthesised print works on both Python 2 and Python 3):
python -c 'import uuid; print(str(uuid.uuid4()).upper())'
This isn't the only step, however. You must also add a mapping for this attribute on the client side. This is easily done using the following steps:
- Open System Preferences.
- Click Users & Groups.
- Click Login Options.
- Click on the Unlock Icon.
- Under Network Account Server, click Edit.
- Click to highlight your directory server.
- Under Services, double-click on your directory service (in my case, it was LDAPv3)
- In the window that slides open, highlight your configuration name, and then click the Edit... button.
- Under Search & Mappings scroll down and single-click on Users to highlight it.
- Click the Add button (the left one).
- Choose GeneratedUID from the list of available Attribute Types.
- In the right column, click the Add button, and type apple-generateduid. Click OK to save the changes until you're back at the main System Preferences dialog.
- At this point a mapping from GeneratedUID to apple-generateduid has been created. Now when OS X looks up the GeneratedUID value it will get the value of apple-generateduid from the user in question's LDAP entry.
Finally, it's important that the locally stored value of GeneratedUID and value stored on LDAP match. Run the following command and make sure the two GeneratedUID values match:
dscl /Search search /Users GeneratedUID $(dscl . read "/Users/$USER" GeneratedUID | cut -d " " -f2)
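As an added example (not code from the original answer), the script below wraps the verification step above: it parses the `GeneratedUID: <value>` line that dscl prints for the local record and for the LDAP record, reports a match, a mismatch, or a missing directory value (the case in which mcxrefresh would overwrite the local value with null), and mints an uppercase UUID for apple-generateduid in the missing case. The helper function names, the sample record values and the default choice of LDAP node are assumptions made for this example; dscl and uuidgen are the real macOS tools.

```shell
#!/bin/sh
# Added example, not part of the original answer: check whether a user's
# locally cached GeneratedUID matches what the LDAP node returns, and mint
# an uppercase UUID for apple-generateduid when LDAP has no value.
# Helper names and the default LDAP node selection are assumptions made
# for this example; dscl and uuidgen are the real macOS commands.

# Pull the value out of a "GeneratedUID: <uuid>" line, which is how
# `dscl <node> -read /Users/<name> GeneratedUID` prints the attribute.
# Prints nothing when the attribute is absent from the record.
uid_from_dscl() {
    printf '%s\n' "$1" | sed -n 's/^GeneratedUID: *//p' | head -n 1
}

# True when the string has the uppercase UUID form that FileVault 2 stores.
is_uppercase_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
}

# Compare the local and directory records. Returns 0 on match, 1 on
# mismatch, and 2 when the directory record carries no GeneratedUID at all
# (the case in which mcxrefresh would replace the local value with null).
compare_uids() {
    local_uid=$(uid_from_dscl "$1")
    dir_uid=$(uid_from_dscl "$2")
    if [ -z "$dir_uid" ]; then
        echo "directory record has no GeneratedUID (local: ${local_uid:-none})"
        return 2
    fi
    if [ "$local_uid" = "$dir_uid" ]; then
        echo "match: $local_uid"
        return 0
    fi
    echo "mismatch: local=$local_uid directory=$dir_uid"
    return 1
}

# A fresh value for apple-generateduid, uppercased like uuid.uuid4().upper().
new_generated_uid() {
    uuidgen | tr '[:lower:]' '[:upper:]'
}

# Live check, only where Directory Services exist (i.e. on macOS).
# Usage: sh check-generateduid.sh [username] [ldap-node]
# The LDAP node path (for example /LDAPv3/ldap.example.com) is an assumption;
# by default the first configured LDAPv3 node is used.
if command -v dscl >/dev/null 2>&1; then
    user=${1:-$USER}
    node=${2:-/LDAPv3/$(dscl localhost -list /LDAPv3 | head -n 1)}
    local_out=$(dscl . -read "/Users/$user" GeneratedUID 2>/dev/null)
    dir_out=$(dscl "$node" -read "/Users/$user" GeneratedUID 2>/dev/null)
    rc=0
    compare_uids "$local_out" "$dir_out" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "suggested apple-generateduid value: $(new_generated_uid)"
    fi
fi
```

Run it as the affected user before and after adding the LDAP attribute and client-side mapping; a return code of 2 means the directory record is still missing the attribute, and the printed value can be pasted into the user's apple-generateduid entry.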
The software you are looking for is called "Digital Rights Management" software, often abbreviated to "DRM".
Searching for this term will find a wide range of third party tools and solutions for protecting your videos. The offerings will range from massive companies like Adobe with their Access solution to numerous smaller companies.
Protecting Streamed/Online Content
Controlling access to a video file to be played on a viewer's computer is a difficult problem. Your best option is to provide online-only access to your video content. By serving the video content yourself, you can more easily control access.
Have you considered using YouTube and their paid channel service?
Protecting Local Content
There is currently no built-in DRM mechanism included with Mac OS X. Requiring a user to install a third party video codec is likely to limit your audience.
However, Flash remains a popular plug-in and can be used to provide digital rights management. Flash works both in the web browser and for stand alone applications.
Searching for flash protect local video returns software claiming to support multiple platforms, including Apple:
We protect your software, video and content effectively against illegal copies and sharing. On CD/DVD/BD, USB-Stick, in local networks or via the Internet - We have the best solution for copy protection.

Robust content protection across every screen is an essential part of any video monetization strategy. Brightcove helps you protect your content and your business model with the most advanced encryption and DRM technologies, as well as geographic, time-based and user-based restrictions, to prevent unauthorized access, downloads, and copying of your valuable content.

Multimedia OwnerGuard is designed to support a wide range of Multimedia Files including (swf, flv, mp4, f4v, 3gp, avi, rm, mkv, 3gg, 3g2, mov, m4v, m4a, f4p, f4a, f4b, mp3, mpg, asf, wma, wmv, aac, ogg, aif, flac). Now you can use full features of OwnerGuard DRM Technology to protect and distribute your Flash SWF, FLV and many other media files while OwnerGuard protects your digital ownership rights.
Encrypt and protect Flash SWF files from decompilers. Protect not only Actionscripts, but also all images, sounds, buttons and sprites resources in your SWF files.
Try a Flash Based Solution
Try one of the Flash based video protection programs returned by the search above; I have no experience with any, so will not directly recommend one. The list above is extracted from the first page of Google results.
Best Answer
It's surprisingly simple.
/Library/Keychains/FileVaultMaster.keychain
/Library/Keychains/FileVaultMaster.cer
When you return to set a new password, your old one will have been cleared.
Based on step 4 in How to create and deploy a recovery key for FileVault 2.