MacEnterprise: Migrating FileVault

Volume Number: 24
Issue Number: 10
Column Tag: MacEnterprise

Moving FileVault-encrypted accounts to a new machine

By Greg Neagle, MacEnterprise.org

Another FileVault challenge

A few issues ago, we looked at implementing FileVault in an enterprise environment. FileVault is Apple's technology for securing the contents of a user's home directory. Your organization may wish to protect its users' data on company laptops, in case a laptop is lost or stolen. Using FileVault is one method to accomplish this goal.

In those earlier issues of MacTech, we looked at preparing for FileVault implementation, turning it on for a given user account, and options for managing, automating, and controlling the use of FileVault in your organization. Later, we looked at dealing with some of the day-to-day issues in dealing with FileVault-protected home directories, and methods for recovering from a lost FileVault password.

Moving FileVault Accounts

One thing not covered in the earlier articles is how you might move a FileVault-protected account and home directory from one machine to another. If you are giving a user a new machine, you may need to move his or her existing account and home directory to the new machine. For reasons best known to Apple, the Migration Assistant is of little help in this task - it refuses to migrate a FileVault user unless there are no other users on the target machine. If you have a machine built from a standard image, you may have one or more prebuilt user accounts, like a local administrative account, on the new machine and so the Migration Assistant refuses to move the FileVault-protected user account.

The advice given by the Migration Assistant is to turn off FileVault, move the account, and turn it back on. While this might work, it is problematic for several reasons:

You'll need the user's password, or at least their cooperation, to turn FileVault off. This requires more coordination between you and the user.

You'll need enough available space on the startup disk to make a duplicate of the contents of the user's FileVault-protected home folder. That space may not be available.

Decrypting and re-encrypting the FileVault-protected home directory can take a long time.

If you are using MCX to enforce FileVault, turning it off (and back on) can present a challenge, as the GUI options are disabled.

So it would be better if we could just move the FileVault-protected account as-is. Fortunately, it can be done, and really isn't that difficult - at least if you aren't afraid of the command line.

Basic Concepts

The basic ideas behind moving the FileVault account are simple:

Recreate the account information on the new machine.

Move the FileVault sparseimage or sparsebundle to the new machine.

Edit the account information to point to the FileVault disk image.

Of course, the devil is in the details. So let's get started!

Recreating the account

If you are using mobile accounts, recreating the account is easy. Just create a new mobile account for the user - either graphically, or via the command line. In Tiger, the relevant command-line tool is MCXCacher, located in

/System/Library/CoreServices/mcxd.app/Contents/Resources/

You call it like so:

cd /System/Library/CoreServices/mcxd.app/Contents/Resources
./MCXCacher -U usershortname

which should create a new mobile account for the network user.

For Leopard, the relevant tool is called createmobileaccount. It is located in /System/Library/CoreServices/ManagedClient.app/Contents/Resources.

It's called like this:

cd /System/Library/CoreServices/ManagedClient.app
cd Contents/Resources
./createmobileaccount -n usershortname

If you aren't using mobile accounts, you can manually recreate the account using the Accounts preferences pane, or the dscl command-line utility, but be sure the shortname, uid, and GeneratedUID of the recreated account match the original. The dscl utility can be of great help here, allowing you to read the appropriate values from the old account and write them to the new one:

oldmac:/ root# dscl . read /Users/localuser uid
dsAttrTypeNative:uid: 4389
newmac:/ root# dscl . create /Users/localuser uid 4389

Another challenge, if you are not using mobile accounts, is copying the stored password from the old account and machine to the new one, but this, too, can be done. The passwords are stored in /private/var/db/shadow/hash. For local accounts, the shadow files are named after the GeneratedUID of the user account:

root# dscl . read /Users/localuser GeneratedUID
GeneratedUID: 1DECD42B-52EB-4B89-B2B2-359F0623EB1F

So for "localuser" above, the password is stored in /private/var/db/shadow/hash/1DECD42B-52EB-4B89-B2B2-359F0623EB1F. To copy the password hash from the old machine to the new one, you'd just copy that file.

Move the FileVault disk image

The next step is easier. All you need to do is copy the FileVault disk image from the old machine to the new one. But first, let's do some prep work. If you recreated the account on the new machine, you may have a folder in /Users that is partially populated. We don't really need the contents of this folder, as we're going to replace it with the FileVault disk image. If your new machine is running Tiger, or you've recreated a purely local user, just remove all the contents:

newmac:/ root# rm -rf /Users/localuser/*

If your new machine is running Leopard, and you have recreated a mobile account, you should keep the .account directory inside the user's home folder. This stores cached account info and is used by the new External Accounts in Leopard.

newmachine:/ root# ls -a /Users/mobileuser
.CFUserTextEncoding  Movies
.account             Music
Desktop              Pictures
Documents            Public
Downloads            Sites
Library

You can remove everything else in the user's folder; just leave .account.

Let's look at the old machine for a second. You might see two relevant directories in /Users:

.localuser/
localuser/

If you look inside .localuser/, you'll see the sparseimage/sparsebundle. If you look in localuser/, you'll see an .autodiskmounted file. This happens when the FileVault disk image is not unmounted cleanly. The important bit is that you want to find and copy the sparseimage/sparsebundle, even if it's in a different directory than you were expecting.

One strategy to copy the FileVault disk image is to start up the old machine in FireWire target disk mode, connect it to the new machine, and use sudo cp or ditto to copy the sparseimage/sparsebundle. If you do this, it's probably a good idea to uncheck the "Ignore ownership" box in the Get Info window for the FireWire-connected volume. If you don't do this, you can manually reassign ownership of the FileVault image after the copy.

cp -pvr /Volumes/oldmac/Users/myuser/myuser.sparsebundle \
    /Users/myuser/myuser.sparsebundle
chown -R myuser /Users/myuser/myuser.sparsebundle

If you cannot abide the command line, it is possible to do this completely from the Finder, but you'll need to first change the permissions and/or ownership of the various directories so you can read and write. Be sure to change ownership and permissions back when you are done copying.

When you are done copying, you should have a username.sparsebundle or username.sparseimage in /Users/username on the new machine. /Users/username and /Users/username/username.sparsebundle should be owned by username, and the owner should have read, write and execute permissions:

chown -R username /Users/username
chmod -R u+rwX  /Users/username

Editing the new account

We're almost there! We've recreated the account, and we've copied the FileVault disk image. But the recreated account has the wrong value for the HomeDirectory attribute. We need to fix that. While previous steps could be done without using the command line, I'm afraid that for this task you have no choice but to fire up the Terminal.

newmac:/ root# dscl . read /Users/myuser HomeDirectory
No such key: HomeDirectory

For a "normal" non-FileVault-encrypted home directory, this attribute does not exist (the NFSHomeDirectory attribute does exist, but that's a different thing). We need to create this attribute and point it to the FileVault disk image.

dscl . create /Users/myuser HomeDirectory '<home_dir><url>file://localhost/Users/myuser/myuser.sparsebundle</url></home_dir>'

The above command should be all one line. Substitute the correct username for "myuser" and in "myuser.sparsebundle". If the encrypted home directory is in the older FileVault format, substitute "sparseimage" for "sparsebundle".
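The two command-line steps above (locating the sparseimage/sparsebundle, which may sit in /Users/.username rather than /Users/username, and building the HomeDirectory value) are the easiest to get wrong by hand. The helpers below are an added example, not the author's script; they assume the image is named username.sparsebundle or username.sparseimage as described in the article, and they only print the dscl command rather than run it, so they can be tested on any machine.

```shell
#!/bin/sh
# Added example (not from the original article). fv_find_image locates the
# user's FileVault disk image under either /Users/<user> or /Users/.<user>;
# fv_home_dir_value builds the XML string the article writes into the
# HomeDirectory attribute; fv_dscl_command prints the dscl line (dry run).

# fv_find_image USERS_DIR USERNAME
# Prints the path of USERNAME's .sparsebundle or .sparseimage, checking
# USERS_DIR/USERNAME first and then USERS_DIR/.USERNAME (where the image is
# left when it was not unmounted cleanly). Returns 1 if nothing is found.
fv_find_image() {
    users_dir=$1; user=$2
    for dir in "$users_dir/$user" "$users_dir/.$user"; do
        for ext in sparsebundle sparseimage; do
            if [ -e "$dir/$user.$ext" ]; then
                printf '%s\n' "$dir/$user.$ext"
                return 0
            fi
        done
    done
    return 1
}

# fv_home_dir_value USERNAME IMAGE_PATH
# Prints the HomeDirectory value for an image that will live at
# /Users/USERNAME/<basename of IMAGE_PATH> on the new machine. Refuses
# image names that do not match the username, as a guard against typos.
fv_home_dir_value() {
    user=$1; image=$(basename "$2")
    case $image in
        "$user".sparsebundle|"$user".sparseimage) ;;
        *) echo "unexpected image name: $image" >&2; return 1 ;;
    esac
    printf '<home_dir><url>file://localhost/Users/%s/%s</url></home_dir>\n' \
        "$user" "$image"
}

# fv_dscl_command USERNAME IMAGE_PATH
# Prints the one-line dscl command from the article, single-quoted so it
# can be pasted into Terminal on the new machine as root.
fv_dscl_command() {
    value=$(fv_home_dir_value "$1" "$2") || return 1
    printf "dscl . create /Users/%s HomeDirectory '%s'\n" "$1" "$value"
}

# Constructed demo: an old machine's /Users tree where the image was left
# under .myuser/ and myuser/ only holds the .autodiskmounted marker.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/.myuser/myuser.sparsebundle" "$root/myuser"
    touch "$root/myuser/.autodiskmounted"
    img=$(fv_find_image "$root" myuser) || { echo "no image found" >&2; return 1; }
    fv_dscl_command myuser "$img"
    rm -rf "$root"
}
demo
```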

If you did everything right, the user should now be able to log in on their new machine with their username and password and access their FileVault-encrypted home directory. And maybe you've learned some things about FileVault, mobile accounts and the Directory Service along the way.

Wrapping up

To review:

We recreated the user account on the new machine, using MCXCacher or createmobileaccount if the account was a mobile account, or manually if it was a local account, ensuring the shortname, uid, and GeneratedUID matched.

For local accounts, we copied the shadow password file. (Recreating a mobile account generates this for us automatically.)

We copied the FileVault disk image from the old machine to the new one.

We edited the local account's HomeDirectory attribute to point to the FileVault disk image.

That was a lot of work - but should have been faster than turning FileVault off, moving the account and data, and then turning it back on. Additionally, the user's password was not needed to move the account and data. Once you get this technique down, you might consider writing a script to do most of it for you, which is, of course, what I've done. Better would be to help persuade Apple to update the Migration Assistant to do this: if we can do it, so could the Migration Assistant!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.