
MacEnterprise: Migrating FileVault

Volume Number: 24
Issue Number: 10
Column Tag: MacEnterprise

Moving FileVault-encrypted accounts to a new machine

By Greg Neagle, MacEnterprise.org

Another FileVault challenge

A few issues ago, we looked at implementing FileVault in an enterprise environment. FileVault is Apple's technology for securing the contents of a user's home directory. Your organization may wish to protect its users' data on company laptops, in case a laptop is lost or stolen. Using FileVault is one method to accomplish this goal.

In those earlier issues of MacTech, we looked at preparing for FileVault implementation, turning it on for a given user account, and options for managing, automating, and controlling the use of FileVault in your organization. Later, we looked at some of the day-to-day issues of working with FileVault-protected home directories, and methods for recovering from a lost FileVault password.

Moving FileVault Accounts

One thing not covered in the earlier articles is how you might move a FileVault-protected account and home directory from one machine to another. If you are giving a user a new machine, you may need to move his or her existing account and home directory to the new machine. For reasons best known to Apple, the Migration Assistant is of little help in this task - it refuses to migrate a FileVault user unless there are no other users on the target machine. If you have a machine built from a standard image, you may have one or more prebuilt user accounts, like a local administrative account, on the new machine and so the Migration Assistant refuses to move the FileVault-protected user account.

The advice given by the Migration Assistant is to turn off FileVault, move the account, and turn it back on. While this might work, it is problematic for several reasons:

You'll need the user's password, or at least their cooperation, to turn FileVault off. This requires more coordination between you and the user.

You'll need enough available space on the startup disk to make a duplicate of the contents of the user's FileVault-protected home folder. That space may not be available.

Decrypting and re-encrypting the FileVault-protected home directory can take a long time.

If you are using MCX to enforce FileVault, turning it off (and back on) can present a challenge, as the GUI options are disabled.

So it would be better if we could just move the FileVault-protected account as-is. Fortunately, it can be done, and really isn't that difficult - at least if you aren't afraid of the command line.

Basic Concepts

The basic ideas behind moving the FileVault account are simple:

Recreate the account information on the new machine.

Move the FileVault sparseimage or sparsebundle to the new machine.

Edit the account information to point to the FileVault disk image.

Of course, the devil is in the details. So let's get started!

Recreating the account

If you are using mobile accounts, recreating the account is easy. Just create a new mobile account for the user - either graphically, or via the command line. In Tiger, the relevant command-line tool is MCXCacher, located in

/System/Library/CoreServices/mcxd.app/Contents/Resources/

You call it like so:

cd /System/Library/CoreServices/mcxd.app/Contents/Resources
./MCXCacher -U usershortname

which should create a new mobile account for the network user.

For Leopard, the relevant tool is called createmobileaccount. It is located in /System/Library/CoreServices/ManagedClient.app/Contents/Resources.

It's called like this:

cd /System/Library/CoreServices/ManagedClient.app
cd Contents/Resources
./createmobileaccount -n usershortname

If you aren't using mobile accounts, you can manually recreate the account using the Accounts preferences pane, or the dscl command-line utility, but be sure the shortname, uid, and GeneratedUID of the recreated account match the original. The dscl utility can be of great help here, allowing you to read the appropriate values from the old account and write them to the new one:

oldmac:/ root# dscl . read /Users/localuser uid
dsAttrTypeNative:uid: 4389
newmac:/ root# dscl . create /Users/localuser uid 4389

Another challenge, if you are not using mobile accounts, is copying the stored password from the old account and machine to the new one, but this, too, can be done. The passwords are stored in /private/var/db/shadow/hash. For local accounts, the shadow files are named after the GeneratedUID of the user account:

root# dscl . read /Users/localuser GeneratedUID
GeneratedUID: 1DECD42B-52EB-4B89-B2B2-359F0623EB1F

So for "localuser" above, the password is stored in /private/var/db/shadow/hash/1DECD42B-52EB-4B89-B2B2-359F0623EB1F. To copy the password hash from the old machine to the new one, you'd just copy that file.
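As an added example (not code from the article), here is a small POSIX shell helper that does the bookkeeping for the local-account case just described: it reads saved "dscl . read" output from the old and new machines, checks that the shortname, uid and GeneratedUID agree, derives the shadow hash file name from the GeneratedUID, and prints the dscl create commands for the new machine rather than running them. The function names and the saved-dump workflow are my own; the sample dumps are constructed, reusing the uid and GeneratedUID shown above for the old machine and made-up values for a freshly created account on the new one.

```shell
#!/bin/sh
# Added example: verify that a recreated local account matches the original
# before copying its shadow hash file. Not part of the article or of Mac OS X.

# Extract one attribute value from a saved "dscl . read" dump. dscl prints
# either "uid: 4389" or "dsAttrTypeNative:uid: 4389", so match on the
# attribute name regardless of the prefix.
fv_read_attr() {
    # $1 = attribute name, $2 = file holding the dscl output
    awk -v key="$1" '
        {
            name = $1
            sub(/:$/, "", name)
            sub(/^dsAttrTypeNative:/, "", name)
            if (name == key) { print $2; exit }
        }' "$2"
}

# A local account's shadow hash file is named after its GeneratedUID.
fv_shadow_path() {
    printf '/private/var/db/shadow/hash/%s\n' "$1"
}

# Compare the attributes that must match between old and new account.
# Returns 0 if all match, 1 otherwise, naming each mismatch on stderr.
fv_check_match() {
    # $1 = dscl dump from the old machine, $2 = dscl dump from the new machine
    rc=0
    for attr in RecordName uid GeneratedUID; do
        old=$(fv_read_attr "$attr" "$1")
        new=$(fv_read_attr "$attr" "$2")
        if [ "$old" != "$new" ]; then
            echo "mismatch: $attr old='$old' new='$new'" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the dscl commands that make the new account match the old one.
# Printed, not run, so they can be reviewed before being pasted on the new Mac.
fv_create_cmds() {
    # $1 = dscl dump from the old machine, $2 = short name of the account
    for attr in uid GeneratedUID; do
        printf 'dscl . create /Users/%s %s %s\n' "$2" "$attr" \
            "$(fv_read_attr "$attr" "$1")"
    done
    printf '# then copy %s from the old machine\n' \
        "$(fv_shadow_path "$(fv_read_attr GeneratedUID "$1")")"
}

# Constructed sample dumps: the old values are the ones shown in the article,
# the new ones are what a freshly created account might get (made up).
OLD_DUMP=$(mktemp)
NEW_DUMP=$(mktemp)
cat > "$OLD_DUMP" <<'EOF'
RecordName: localuser
dsAttrTypeNative:uid: 4389
GeneratedUID: 1DECD42B-52EB-4B89-B2B2-359F0623EB1F
EOF
cat > "$NEW_DUMP" <<'EOF'
RecordName: localuser
dsAttrTypeNative:uid: 502
GeneratedUID: E2B6A7C0-1111-4222-8333-444455556666
EOF

if fv_check_match "$OLD_DUMP" "$NEW_DUMP"; then
    echo "account attributes match; safe to copy the shadow file"
else
    echo "fix the new account first, e.g. with:" >&2
    fv_create_cmds "$OLD_DUMP" localuser >&2
fi
```

Run the check on the new machine after recreating the account; a mismatched uid would leave the user unable to open files inside the image, and a mismatched GeneratedUID means the copied shadow file would never be consulted.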

Move the FileVault disk image

The next step is easier. All you need to do is copy the FileVault disk image from the old machine to the new one. But first, let's do some prep work. If you recreated the account on the new machine, you may have a folder in /Users that is partially populated. We don't really need the contents of this folder, as we're going to replace it with the FileVault disk image. If your new machine is running Tiger, or you've recreated a purely local user, just remove all the contents:

newmac:/ root# rm -rf /Users/localuser/*

If your new machine is running Leopard, and you have recreated a mobile account, you should keep the .account directory inside the user's home folder. This stores cached account info and is used by the new External Accounts in Leopard.

newmachine:/ root# ls /Users/mobileuser
.CFUserTextEncoding   Movies
.account              Music
Desktop               Pictures
Documents             Public
Downloads             Sites
Library

You can remove everything else in the user's folder; just leave .account.

Let's look at the old machine for a second. You might see two relevant directories in /Users:

.localuser/
localuser/

If you look inside .localuser/, you'll see the sparseimage/sparsebundle. If you look in localuser/, you'll see a .autodiskmounted file. This happens when the FileVault disk image is not unmounted cleanly. The important bit is that you want to find and copy the sparseimage/sparsebundle, even if it's in a different directory than you were expecting.

One strategy to copy the FileVault disk image is to start up the old machine in FireWire target disk mode, connect it to the new machine, and use sudo cp or ditto to copy the sparseimage/sparsebundle. If you do this, it's probably a good idea to uncheck the "Ignore ownership" box in the Get Info window for the FireWire-connected volume. If you don't do this, you can manually reassign ownership of the FileVault image after the copy.

cp -pvr /Volumes/oldmac/Users/myuser/myuser.sparsebundle \
    /Users/myuser/myuser.sparsebundle
chown -R myuser /Users/myuser/myuser.sparsebundle

If you cannot abide the command line, it is possible to do this completely from the Finder, but you'll need to first change the permissions and/or ownership of the various directories so you can read and write. Be sure to change ownership and permissions back when you are done copying.

When you are done copying, you should have a username.sparsebundle or username.sparseimage in /Users/username on the new machine. /Users/username and /Users/username/username.sparsebundle should be owned by username, and the owner should have read, write and execute permissions:

chown -R username /Users/username
chmod -R u+rwX /Users/username

Editing the new account

We're almost there! We've recreated the account, and we've copied the FileVault disk image. But the recreated account has the wrong value for the HomeDirectory attribute. We need to fix that. While previous steps could be done without using the command line, I'm afraid that for this task you have no choice but to fire up the terminal.

newmac:/ root# dscl . read /Users/myuser HomeDirectory
No such key: HomeDirectory

For a "normal" non-FileVault encrypted home directory, this attribute does not exist (the NFSHomeDirectory attribute does exist, but that's a different thing). We need to create this attribute and point it to the FileVault disk image.

dscl . create /Users/myuser HomeDirectory '<home_dir><url>file://localhost/Users/myuser/myuser.sparsebundle</url></home_dir>'

The above command should be all one line. Substitute the correct username for "myuser" and in "myuser.sparsebundle". If the encrypted home directory is in the older FileVault format, substitute "sparseimage" for "sparsebundle".
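The copy and edit steps above, as an added example script that is not part of the article: it locates username.sparsebundle or username.sparseimage on a copy of the old machine's Users directory (checking both /Users/username and /Users/.username, since the image can be left in the dot directory after an unclean unmount), copies it into the new home, fixes ownership and permissions, and builds the exact HomeDirectory value the dscl command above expects. The function names are my own, and the directory tree it operates on is constructed under a temporary directory so the script can be tried without a real FileVault user; a real run points it at the FireWire-mounted old volume and /Users.

```shell
#!/bin/sh
# Added example: move a FileVault disk image into a recreated home and produce
# the dscl command that repoints the account. Not code from the article.

# Find username.sparsebundle or username.sparseimage under the Users directory
# given as $1. The image normally sits in Users/username, but after an unclean
# unmount it can be in Users/.username, so both are tried. Prints the path and
# returns 0, or returns 1 if no image is found.
fv_find_image() {
    # $1 = root of the old Users directory, $2 = short name
    for dir in "$1/$2" "$1/.$2"; do
        for ext in sparsebundle sparseimage; do
            if [ -e "$dir/$2.$ext" ]; then
                printf '%s\n' "$dir/$2.$ext"
                return 0
            fi
        done
    done
    return 1
}

# The HomeDirectory attribute value for a FileVault home: an XML fragment
# carrying a file:// URL to the disk image inside the user's folder.
fv_home_dir_attr() {
    # $1 = short name, $2 = image file name (username.sparsebundle or .sparseimage)
    printf '<home_dir><url>file://localhost/Users/%s/%s</url></home_dir>\n' "$1" "$2"
}

# Copy the image into the new home, give it to the user, and print the dscl
# command that must then be run on the new machine.
fv_install_image() {
    # $1 = image found on the old volume, $2 = short name,
    # $3 = destination Users directory (/Users on a real run)
    image=$(basename "$1")
    dest="$3/$2"
    mkdir -p "$dest"
    cp -pR "$1" "$dest/$image"
    # chown needs root and an existing account; otherwise say so rather than
    # silently skipping it.
    if [ "$(id -u)" = 0 ] && id "$2" >/dev/null 2>&1; then
        chown -R "$2" "$dest"
    else
        echo "note: run as root on the new machine to chown $dest to $2" >&2
    fi
    chmod -R u+rwX "$dest"
    printf "dscl . create /Users/%s HomeDirectory '%s'\n" "$2" \
        "$(fv_home_dir_attr "$2" "$image")"
}

# Constructed sample: an old machine's Users directory where the image was
# left in .myuser by an unclean unmount, and a fresh new-machine Users dir.
OLD=$(mktemp -d)
NEW=$(mktemp -d)
mkdir -p "$OLD/.myuser/myuser.sparsebundle/bands" "$OLD/myuser"
printf 'band data\n' > "$OLD/.myuser/myuser.sparsebundle/bands/0"
: > "$OLD/myuser/.autodiskmounted"

IMAGE=$(fv_find_image "$OLD" myuser)
echo "found image at $IMAGE"
DSCL_CMD=$(fv_install_image "$IMAGE" myuser "$NEW")
echo "now run on the new machine:"
echo "$DSCL_CMD"
```

The dscl line is printed rather than executed so it can be checked against the copied image's real file name (sparsebundle versus sparseimage) before the account is changed; a typo in that URL leaves the user logging into an empty home.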

If you did everything right, the user should now be able to log in on their new machine with their username and password and access their FileVault-encrypted home directory. And maybe you've learned some things about FileVault, mobile accounts and the Directory Service along the way.

Wrapping up

To review:

We recreated the user account on the new machine, using MCXCacher or createmobileaccount if the account was a mobile account, or manually if it was a local account, ensuring the shortname, uid, and GeneratedUID matched.

For local accounts, we copied the shadow password file. (Recreating a mobile account generates this for us automatically.)

We copied the FileVault disk image from the old machine to the new one.

We edited the local account's HomeDirectory attribute to point to the FileVault disk image.

That was a lot of work - but should have been faster than turning FileVault off, moving the account and data, and then turning it back on. Additionally, the user's password was not needed to move the account and data. Once you get this technique down, you might consider writing a script to do most of it for you, which is, of course, what I've done. Better would be to help persuade Apple to update the Migration Assistant to do this: if we can do it, so could the Migration Assistant!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.
