macOS secure token, bootstrap token: FileVault encryption

Apple Platform Deployment Guidance: Using secure token, bootstrap token, and volume ownership in deployments

To view the current list of volume owners on a Mac computer with Apple silicon, you can run the following command:
sudo diskutil apfs listUsers /

If FileVault is in use, you can also use the following command to see user names and GUIDs together:
sudo fdesetup list -extended

To check whether the current user holds a secure token (sysadminctl prints the result on stderr, so redirect with 2>&1 if you pipe it):
sysadminctl -secureTokenStatus "$(whoami)"

How to add user accounts to a FileVault 2-enabled accounts list (you are prompted for the password of an existing FileVault-enabled user and for the password of the account being added)
sudo fdesetup add -usertoadd username

How to remove user accounts from a FileVault 2-enabled accounts list
sudo fdesetup remove -user username

List only the usernames of FileVault-enabled accounts (fdesetup list prints one "username,UUID" line per account; the sed strips everything from the comma onward)
sudo fdesetup list | sed 's;,.*;;'

How to remove user accounts by UUID from a FileVault 2-enabled accounts list

sudo fdesetup remove -uuid UUID_that_matches_user_account
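The commands above are usually run one at a time by hand. The script below is an added example (not from the original page or from Apple) that ties them together: it parses the "username,UUID" lines that fdesetup list prints and the "Secure token is ENABLED/DISABLED for user X" line that sysadminctl -secureTokenStatus prints, and reports whether an account's secure token state and its FileVault entry agree. The sample command output embedded in the script is constructed so the parsing runs on any POSIX shell; the real commands only run when you pass --live on a Mac, and they need sudo.

```shell
#!/bin/sh
# Added example: cross-check an account's secure token state against the
# FileVault-enabled user list. Sample outputs below are constructed, not captured.

# Constructed sample of `sudo fdesetup list` output (one "username,UUID" per line).
SAMPLE_FDESETUP_LIST='alice,1A2B3C4D-0000-1111-2222-333344445555
itadmin,9F8E7D6C-4444-5555-6666-777788889999'

# Constructed samples of `sysadminctl -secureTokenStatus <user>` output.
# sysadminctl writes this line to stderr, so live callers must use 2>&1.
SAMPLE_TOKEN_ALICE='sysadminctl[2451]: Secure token is ENABLED for user alice'
SAMPLE_TOKEN_BOB='sysadminctl[2452]: Secure token is DISABLED for user bob'

# fv_usernames: read "user,UUID" lines on stdin, print one username per line.
fv_usernames() {
    sed 's/,.*//'
}

# fv_uuid_for USER: read "user,UUID" lines on stdin, print USER's UUID
# (prints nothing if USER is not in the FileVault-enabled list).
fv_uuid_for() {
    awk -F, -v u="$1" '$1 == u { print $2 }'
}

# token_state: read sysadminctl -secureTokenStatus output on stdin and print
# ENABLED, DISABLED, or UNKNOWN when the line does not match the known format.
token_state() {
    state=$(sed -n 's/.*Secure token is \([A-Z]*\) for user.*/\1/p' | head -n 1)
    case "$state" in
        ENABLED|DISABLED) printf '%s\n' "$state" ;;
        *) printf 'UNKNOWN\n' ;;
    esac
}

# classify USER FDESETUP_LIST_TEXT TOKEN_OUTPUT_TEXT
# Prints one of:
#   ok                  secure token present and listed as FileVault-enabled
#   token-no-filevault  secure token present but absent from the list
#                       (FileVault off, or the account was removed with fdesetup)
#   filevault-no-token  listed for FileVault but no secure token reported; unexpected
#   no-token            neither; the normal state for a plain standard user
classify() {
    user=$1
    uuid=$(printf '%s\n' "$2" | fv_uuid_for "$user")
    tok=$(printf '%s\n' "$3" | token_state)
    if [ -n "$uuid" ] && [ "$tok" = ENABLED ]; then
        echo ok
    elif [ -z "$uuid" ] && [ "$tok" = ENABLED ]; then
        echo token-no-filevault
    elif [ -n "$uuid" ]; then
        echo filevault-no-token
    else
        echo no-token
    fi
}

# collect_live USER: run the real macOS commands (needs sudo) and classify.
# Only invoked when the script is started as: sh check_fv_token.sh --live USER
collect_live() {
    user=$1
    list=$(sudo fdesetup list)
    tok=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    classify "$user" "$list" "$tok"
}

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    collect_live "$2"
else
    # Offline demonstration on the constructed samples.
    printf 'FileVault-enabled users:\n'
    printf '%s\n' "$SAMPLE_FDESETUP_LIST" | fv_usernames
    printf 'alice: %s\n' "$(classify alice "$SAMPLE_FDESETUP_LIST" "$SAMPLE_TOKEN_ALICE")"
    printf 'bob: %s\n' "$(classify bob "$SAMPLE_FDESETUP_LIST" "$SAMPLE_TOKEN_BOB")"
fi
```

A "token-no-filevault" result for every account is what you see when FileVault is off, since fdesetup list is then empty; a "filevault-no-token" result is worth investigating because the fdesetup entry should only exist for accounts that can unlock the volume.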

Volume ownership is backed by keys protected in the Secure Enclave. For more information, see:

Apple Platform Security: Contents of a LocalPolicy file for a Mac with Apple silicon

Apple Platform Security: LocalPolicy signing-key creation and management

Links:
https://community.jamf.com/t5/jamf-pro/catalina-filevault-enablement/td-p/134562

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/1/web/1.0

Mr. Macintosh: Apple releases long-awaited SecureToken documentation

https://krypted.com/bash/pull-list-filevault-encrypted-users-mac/

Travelling Tech Guy: flowcharts of the secure token and bootstrap token workflows
https://travellingtechguy.eu/ Thanks for these flowcharts
