Rotate FileVault (disk encryption) key w/o prompt
Goal
| User story |
|---|
| As an IT admin, I want to escrow my end users' recovery key when they log out or restart their computer, so I can force key escrow via MDM command (force restart) if the end user hasn't escrowed their key yet, without having to deploy Escrow Buddy myself. |
Changes
- [ ] End user doesn't see "Reset key" button and dialog if they need to reset their disk encryption key. Instead, the key is automatically reset the next time they log in to their Mac
- Noah: I think we can use Escrow Buddy or imitate the approach it takes. Here's the Escrow Buddy project: https://github.com/macadmins/escrow-buddy
Product
- [ ] UI changes: https://www.figma.com/file/KWbFM5no5HUZsGPXhX3X0b/%F0%9F%94%B2-%5BTEMPLATE%5D-Starter-file-(Copy)?type=design&node-id=2-130&mode=design
- Why? Customers don't want end users to get password fatigue. Every tool that prompts for a password makes it more likely that users will enter their password into something malicious. This also rhymes with recent breaches in which attackers sent floods of push notifications until people eventually started accepting them.
Engineering
- [ ] REST API changes: TODO
- [ ] Database schema migrations: TODO
- [ ] Documentation changes complete
Product quality
- [ ] QA complete
- [ ] ...
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
Context
- Requestor(s): _________________________
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Maybe Fleet can use escrow buddy for this. FYI escrow buddy doesn’t support grabbing the credentials on lock. Only works for login or restart.
Noah: This is ok
Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @mna @roperzh
@zayhanlon heads up that this customer request didn't make it into the upcoming sprint. I added it to FF because I think we should bring it in to next sprint.
Took a quick look at escrow-buddy while I was waiting at the doctor today. Under the hood, they're using this plugin to hook into the authorization service and grab the user/password. It's really exciting that we can do this
- if all we care about is delivering this feature ASAP, then downloading escrow-buddy like we do for Nudge and swiftDialog is our best bet
- if we have more time and the capacity to think long term, it would be good to try to build a plugin of our own, so we can potentially build IdP integrations and other stuff using this system.
the challenge is that these are "low level" APIs and it's not super easy to interface with them using Go
@roperzh just curious, if the customer deployed escrow-buddy themselves, what changes would we have to make to Fleet to make the FileVault recovery keys show up in the Fleet UI?
Hey @zayhanlon heads up, this didn't make it into the current sprint. I'm going to bring it back to FF because I think we should weigh it for the next sprint.
Hi @Patagonia121 and @zayhanlon, it looks like I forgot to pull this one off the feature fest board after the last feature fest.
I just pulled it off.
Please bring back to FF if you want to discuss it.
@noahtalerman @marko-lisica Has this been implemented or something like it?
I am not sure I understand the user story. We are already escrowing the FV key on enroll, right?
What I would like to see is a way to automatically issue a new FV key if it is used or revealed in Fleet UI or if an admin clicks a button to issue a new FV key.
Thanks.
Added customer-sarahwu label. See: customer-sarahwu "MDM requirements" doc.
Hey @zayhanlon, @lukeheath, and @georgekarrv my understanding is that this story is blocking customer-rosner's migration so I think this story deserves a P2.
The plan it to bring this story to design review tomorrow. I expect it to be "Settled" but we won't have enough time to spec before estimation. Design review is right before estimation.
So, I think this means that we'll end up bringing this story through expedited drafting so that we can get it estimated before we kick off the next sprint.
What do y'all think?
@noahtalerman yeah that makes sense. I didn't originally add the label because I thought the issue was going to be settled and pulled in through the normal process. Thank you
@noahtalerman Makes sense to me. 👍
Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @jahzielv
From customer voice: Let's remember to put this one at the top of the next sprint so that we can try to get it out in 4.55.
cc @zayhanlon @georgekarrv
P1.9 got it
Escrow Buddy is an authorization plug-in. Authorization plugins must be:
- Packaged as a bundle
- Compiled as a dynamic library (e.g., `-buildmode=c-shared` in Go)
- Installed at `/Library/Security/SecurityAgentPlugins`
Ideally we could build the functionality into Orbit, but given these requirements, we still need to compile, distribute, and install a separate package even if we build something ourselves.
I think our options are:
- Use Escrow Buddy via TUF
- Explore and develop a solution that uses a different approach under the hood and can be integrated into Orbit
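As an added example (not Fleet's, Orbit's or Escrow Buddy's code) of the piece that sits behind the plugin described above: once the authorization plugin has captured the user's credentials at login, the personal recovery key is rotated by handing those credentials to `fdesetup changerecovery -personal` over stdin as a plist and reading the new key back from its plist output. Assumptions in this example: the `Username`/`Password` input keys and the `RecoveryKey` output key follow fdesetup(8)'s `-inputplist`/`-outputplist` behaviour, the six-groups-of-four key format is the usual FileVault personal recovery key shape, the plist handling is a minimal regex rather than a real plist library, and the `fdesetup` output embedded below is constructed so the code runs without a Mac.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Runner abstracts the fdesetup invocation so the plist plumbing can be
// exercised off-box: realRunner shells out, fakeRunner replays canned output.
type Runner func(stdin []byte, name string, args ...string) ([]byte, error)

// realRunner feeds stdin to the command and returns its stdout.
func realRunner(stdin []byte, name string, args ...string) ([]byte, error) {
	cmd := exec.Command(name, args...)
	cmd.Stdin = bytes.NewReader(stdin)
	return cmd.Output()
}

// fakeRunner records what it was asked to run and returns fixed output.
type fakeRunner struct {
	output []byte
	err    error
	stdin  []byte
	args   []string
}

func (f *fakeRunner) Run(stdin []byte, name string, args ...string) ([]byte, error) {
	f.stdin = append([]byte(nil), stdin...) // copy: caller zeroes its buffer afterwards
	f.args = append([]string{name}, args...)
	return f.output, f.err
}

// inputPlist renders the property list fdesetup reads with -inputplist.
// Username/Password are assumed key names; values are XML-escaped so a
// password containing < or & cannot break (or inject into) the document.
func inputPlist(username, password string) ([]byte, error) {
	var u, p bytes.Buffer
	if err := xml.EscapeText(&u, []byte(username)); err != nil {
		return nil, err
	}
	if err := xml.EscapeText(&p, []byte(password)); err != nil {
		return nil, err
	}
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>%s</string>
<key>Password</key>
<string>%s</string>
</dict>
</plist>
`, u.String(), p.String())), nil
}

var (
	recoveryKeyRE = regexp.MustCompile(`(?s)<key>RecoveryKey</key>\s*<string>([^<]*)</string>`)
	keyFormatRE   = regexp.MustCompile(`^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$`)
)

// parseRecoveryKey pulls RecoveryKey out of -outputplist output and rejects
// anything that does not look like a personal recovery key (assumed format).
func parseRecoveryKey(out []byte) (string, error) {
	m := recoveryKeyRE.FindSubmatch(out)
	if m == nil {
		return "", errors.New("no RecoveryKey in fdesetup output")
	}
	key := strings.TrimSpace(string(m[1]))
	if !keyFormatRE.MatchString(key) {
		return "", fmt.Errorf("unexpected recovery key format %q", key)
	}
	return key, nil
}

// RotatePersonalRecoveryKey rotates the key with the captured credentials and
// returns the new key for escrow. The password buffer is zeroed after use;
// neither the password nor the key is ever logged.
func RotatePersonalRecoveryKey(run Runner, username, password string) (string, error) {
	in, err := inputPlist(username, password)
	if err != nil {
		return "", err
	}
	defer func() {
		for i := range in {
			in[i] = 0
		}
	}()
	out, err := run(in, "/usr/bin/fdesetup", "changerecovery", "-personal", "-outputplist", "-inputplist")
	if err != nil {
		return "", fmt.Errorf("fdesetup changerecovery: %w", err)
	}
	return parseRecoveryKey(out)
}

// constructedOutput is a hand-made stand-in for fdesetup's -outputplist
// output; the key value is made up for this example.
const constructedOutput = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>RecoveryKey</key>
<string>ABCD-EF12-3456-7890-GHJK-LMNP</string>
</dict>
</plist>
`

func main() {
	f := &fakeRunner{output: []byte(constructedOutput)} // swap for realRunner on a Mac
	key, err := RotatePersonalRecoveryKey(f.Run, "jdoe", "correct horse battery staple")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("new recovery key:", key)
	fmt.Println("fdesetup invoked as:", strings.Join(f.args, " "))
}
```

On a real host `realRunner` replaces the fake; the part worth keeping regardless of how the credentials are obtained (Escrow Buddy via TUF or an Orbit-integrated plugin) is that the password only ever travels over stdin as an escaped plist, never on the command line where `ps` would expose it, and that the returned key is format-checked before it is sent up for escrow.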
@roperzh I'm adding the release blocker label to this for 4.55 to make sure it makes sense. We'll hold the release if necessary, as this is becoming a blocker for multiple customers. Thanks for your hard work! Just let me know if you have concerns about getting it in.
@lukeheath no concerns, thanks for the ping!
QA Notes: Ran through two scenarios where the host would need to have their FV key rotated and escrowed and can confirm the new copy matches Figma, however I'm still getting prompted for a password on the host in order to reset the key.
Host details page copy change ✅
Device copy change ✅
Still seeing the Reset disk encryption key password prompt ❌
Scenario A Device was already enrolled in fleet but not encrypted. Moved it to a team with FV enforced
Scenario B Device was encrypted on a team with FV enforced. Turned encryption off for that team, then back on again.
*key rotation and escrow still works as expected once the user password is entered
cc: @roperzh
@PezHub sorry I didn't get to add proper QA steps yet. Sanity check: are you using fleetctl from a local TUF? It needs to be a local build from main.
started from scratch and confirmed I'm on latest main
plus I rebuilt fleetd from my local TUF (I see the Agent 42 now) but still getting the prompt. In fact now it has created a loop asking me for my password even after I enter it in and it says "successfully reset key". We can take a look at logs tomorrow.
Vincent on our team can help if needed as we implemented EscrowBuddy for all of our customers. Just in case!
@martinpannier thank you! you folks are awesome 💚. This is already implemented and going out in the next release. Gabe just found a bug related to the old way we used to escrow keys.
@PezHub thank you! I have a PR going with the fix https://github.com/fleetdm/fleet/pull/20935 I will ping you when it's merged.
@PezHub PR merged, moving this back to awaiting QA
After the fix was applied I ran through the same scenarios above and confirmed my FV key successfully rotated and was escrowed in Fleet without a prompt asking for the user password. QA Approved!
@noahtalerman just had a customer question on this, but will this feature work retroactively for users that are already enrolled?
@Patagonia121 my understanding is yes.
@roperzh please correct me if I'm wrong.
Hey @zayhanlon, @Patagonia121, @pintomi1989 and @dherder heads up that this customer/prospect request was shipped in 4.55 🎉
No nagging prompts, Keys rotate with seamless grace, Fleet's cloud city safe.