Cauliflower Vest: end-to-end OS X FileVault 2 recovery key escrow solution

Wednesday, February 22, 2012

We are thrilled to announce the open source release of Cauliflower Vest, a solution that we’ve developed to automate enabling FileVault 2 and escrowing recovery tokens.

FileVault 2 is a major, welcome addition to Mac OS X starting with Lion, as full disk encryption is an important part of securing your computer and its data. While the new FileVault 2 offering is very well suited to consumers, some enterprises may require additional features that are not provided out of the box. For example, FileVault 2 encryption is initiated voluntarily by users, lacks enforcement, and, by default, escrows recovery keys to Apple’s central server. It also relies on individual Apple IDs, which cannot be managed as a group.

Cauliflower Vest bridges these feature gaps by allowing enterprise Mac admins to:
  • Forcibly enable FileVault 2 encryption.
  • Automatically escrow recovery keys to a secure Google App Engine server.
  • Securely access recovery keys so that volumes may be unlocked or reverted.

This release includes a GUI client to easily enable encryption, an escrow service, and a web UI for management. Also provided is a standalone CLI tool to automatically initiate encryption and generate a recovery key without requiring any user actions.
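To make the escrow step concrete, here is an added example (not Cauliflower Vest's own code, which on Lion drove the CoreStorage APIs directly) showing what a client must do between "encryption initiated" and "recovery key escrowed": parse the machine-readable result of the enable step, sanity-check the recovery key before trusting it, and assemble the record that a server like the App Engine service would store. The input is the plist shape that Apple's `fdesetup enable -outputplist` emits on OS X 10.8 and later, which post-dates this release; the sample plist and every value in it are constructed, and the escrow record's field names (`hostname`, `serial`, `volume_uuid`, `recovery_key`) are assumptions for illustration rather than Cauliflower Vest's schema. Transport to the server is left out so the example runs offline.

```python
import plistlib
import re

# Constructed sample in the shape of `fdesetup enable -outputplist` output.
# Nothing here came from a real Mac; UUIDs, serial and key are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnabledDate</key>
    <string>2012-02-22 10:00:00 -0800</string>
    <key>HardwareUUID</key>
    <string>00000000-0000-1000-8000-001122334455</string>
    <key>LVUUID</key>
    <string>11111111-2222-3333-4444-555555555555</string>
    <key>RecoveryKey</key>
    <string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
    <key>SerialNumber</key>
    <string>C02EXAMPLE01</string>
</dict>
</plist>
"""

# A FileVault 2 personal recovery key is 24 upper-case alphanumerics shown as
# six dash-separated groups of four. Anything else means the enable step did
# not produce a usable key and must not be escrowed as if it had.
RECOVERY_KEY_RE = re.compile(r"^(?:[A-Z0-9]{4}-){5}[A-Z0-9]{4}$")


def parse_fdesetup_output(data: bytes) -> dict:
    """Parse the plist bytes written by the enable step into a dict."""
    info = plistlib.loads(data)
    if not isinstance(info, dict):
        raise ValueError("fdesetup output is not a plist dictionary")
    return info


def is_valid_recovery_key(key) -> bool:
    """True only for a well-formed 24-character recovery key."""
    return isinstance(key, str) and RECOVERY_KEY_RE.match(key) is not None


def redact_recovery_key(key: str) -> str:
    """Form safe for logs: keep the first and last group, mask the rest."""
    groups = key.split("-")
    return "-".join([groups[0]] + ["****"] * (len(groups) - 2) + [groups[-1]])


def build_escrow_record(info: dict, hostname: str) -> dict:
    """Assemble the record to send to the escrow service.

    Fails closed: a missing or malformed key (e.g. the enable step was
    cancelled or errored) raises instead of escrowing garbage.
    Field names below are assumptions for this example, not a real schema.
    """
    key = info.get("RecoveryKey")
    if not is_valid_recovery_key(key):
        raise ValueError("no valid recovery key in fdesetup output; refusing to escrow")
    volume_uuid = info.get("LVUUID")
    if not volume_uuid:
        raise ValueError("fdesetup output lacks the logical volume UUID")
    return {
        "hostname": hostname,
        "serial": info.get("SerialNumber"),
        "hardware_uuid": info.get("HardwareUUID"),
        "volume_uuid": volume_uuid,
        "enabled_date": info.get("EnabledDate"),
        "recovery_key": key,
    }


if __name__ == "__main__":
    parsed = parse_fdesetup_output(SAMPLE_PLIST)
    record = build_escrow_record(parsed, "mac-1234.example.com")
    # Log only the redacted key; the full key goes to the escrow service.
    print("escrowing", redact_recovery_key(record["recovery_key"]),
          "for volume", record["volume_uuid"])
```

The check on the key format is the part worth keeping whatever tool does the enabling: an escrow pipeline that records an empty or truncated key looks healthy in its dashboard and only reveals the problem when someone needs to unlock the volume.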

Employees at Google self-enable FileVault 2 using Cauliflower Vest - it’s tested and ready to help you make FileVault 2 part of your enterprise.

We are releasing this source code today as part of our commitment to share Google's unique IT approach with the world, including future releases of Simian and more.

For more information, please visit the Cauliflower Vest project page and join the discussion list.

Several Googlers made Cauliflower Vest possible: Anthony Lieuallen, Avi Drissman, Edward Marczak, Felix Gröbert, Greg Castle, John Randolph, Justin McWilliams, and Mark Mentovai.

By Edward Marczak, John Randolph and Justin McWilliams, Google Corporate Platforms Engineering Team