10.8 Server with FileVault

unplugme71
Aug 11, 2013, 10:36 AM
I have a Mac Mini running 10.8.4 Server and I'm interested in turning FileVault on.

On a server without FileVault, I can restart the computer remotely and after the computer boots up, it goes to the login window. Meanwhile, the server OS is up and running and allows for services to be used. With FileVault, does the OS not boot up until you login? So how can one use the server with FileVault being headless? Or is it not possible to use FileVault on servers?



Weaselboy
Aug 11, 2013, 10:53 AM
I have not used FV with Server, but I do use FV on Mountain Lion client and when you boot and get the login screen you are actually at that point only running off a boot stub on the recovery partition and the entire OS partition is still locked. So I am going to say you can't do what you are asking with FV on.

alexrmc92
Aug 11, 2013, 08:11 PM
> I have not used FV with Server, but I do use FV on Mountain Lion client and when you boot and get the login screen you are actually at that point only running off a boot stub on the recovery partition and the entire OS partition is still locked. So I am going to say you can't do what you are asking with FV on.

Although I haven't tested this myself, I'm going to agree. From what I can tell, FV requires a password to finish the boot process, which won't work for a headless system unless you have an Xserve with LOM.

unplugme71
Aug 12, 2013, 06:35 PM
That's what I figured. I guess the assumption is the Mac Mini running a Server OS would be located in a physically secure location.

talmy
Aug 13, 2013, 11:32 AM
I solved this problem by having a system boot partition without FileVault and having a second partition that is encrypted. I don't keep anything sensitive on the unencrypted partition. I admit that I don't know how to move the databases for Contact and Calendar servers off of this partition, but I don't consider that data sensitive. I haven't tested to see if the encrypted drives are accessible before I log in since I always need to log in after power up to run services that aren't really services.
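A way to settle the open question in the post above (whether the separately encrypted volume is reachable before anyone logs in at the console) is to ask CoreStorage from an SSH session right after boot. The script below is an added example, not talmy's own setup; it assumes the encrypted data partition is a CoreStorage logical volume and that "diskutil cs list" prints one "Encryption Status:" line per logical volume family followed by an "LV Name:" line per logical volume, as it does on 10.8. The sample listing inside the script is constructed, with made-up UUIDs.

```shell
#!/bin/sh
# Added example: report which CoreStorage volumes are still locked, so that the
# "unencrypted boot partition + encrypted data partition" layout can be checked
# over SSH before any console login. Assumptions: the data partition is a
# CoreStorage logical volume, and 'diskutil cs list' uses the field names
# "Encryption Status:" and "LV Name:" as shown in the constructed sample below.

# Read 'diskutil cs list' text on stdin and print "<LV name><TAB><status>" per
# logical volume. "Locked" means the data is unreadable until a passphrase is
# supplied; "Unlocked" before login means the passphrase is being supplied from
# somewhere on the unencrypted boot volume, which defeats the point of the split.
cs_volume_states() {
    awk '
        /Encryption Status:/ { sub(/^.*Encryption Status:[ \t]*/, ""); status = $1 }
        /LV Name:/           { sub(/^.*LV Name:[ \t]*/, "");           print $0 "\t" status }
    '
}

# Same input; print only the names of volumes that are still locked.
locked_volumes() {
    cs_volume_states | awk -F '\t' '$2 == "Locked" { print $1 }'
}

# Constructed sample of 'diskutil cs list' output (not captured from a real
# machine): one encrypted volume already unlocked, one still locked.
SAMPLE='CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 11111111-1111-1111-1111-111111111111
|   =========================================================
|   Name:         Backups
|   Status:       Online
|   |
|   +-> Logical Volume Family 22222222-2222-2222-2222-222222222222
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume 33333333-3333-3333-3333-333333333333
|           ---------------------------------------------------
|           Disk:                  disk2
|           Status:                Online
|           LV Name:               Backups
|           Volume Name:           Backups
|
+-- Logical Volume Group 44444444-4444-4444-4444-444444444444
    =========================================================
    Name:         ServerData
    Status:       Online
    |
    +-> Logical Volume Family 55555555-5555-5555-5555-555555555555
        ----------------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        Passphrase Required:     Yes
        |
        +-> Logical Volume 66666666-6666-6666-6666-666666666666
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            LV Name:               ServerData
            Volume Name:           ServerData
'

# On the server itself, read the live listing; elsewhere, parse the sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | cs_volume_states
else
    printf '%s' "$SAMPLE" | cs_volume_states
fi
```

Run it over SSH straight after a reboot, before anyone touches the console: a "Locked" line for the data volume confirms that the split actually protects the data while the boot volume is up, and an "Unlocked" line tells you the passphrase is stored on the unencrypted side and needs to be found and removed.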

unplugme71
Aug 13, 2013, 06:23 PM
> I solved this problem by having a system boot partition without FileVault and having a second partition that is encrypted. I don't keep anything sensitive on the unencrypted partition. I admit that I don't know how to move the databases for Contact and Calendar servers off of this partition, but I don't consider that data sensitive. I haven't tested to see if the encrypted drives are accessible before I log in since I always need to log in after power up to run services that aren't really services.

I ended up just putting a firmware password on the Mac Mini server. The login passwords were strengthened some more. My external drive that connects to the Mini just hosts iTunes and iPhoto libraries, so there's nothing extremely important anyway.

I'm just trying to think of better ways to manage a home network with server. The one thing I like about PHD is the ability to sync my HomeDir with any of the Macs I log onto. However, since this data is not encrypted on the Mini server, I'm starting to wonder if the benefit outweighs the security risk.

ZMacintosh
Aug 14, 2013, 02:34 PM
It is not recommended to have FileVault turned on for your OS X server.
For any user who connects to the server, that data will be encrypted unless they're on FTP.

I'd highly recommend going through the server essentials guide and the 10.8 Server Admin page on Apple.com. good resources there to help secure your server.

mwhities
Aug 14, 2013, 03:00 PM
This site:

http://www.mountainlionserver.com/

Has helped me out a lot.

kirdes
Aug 23, 2013, 09:41 AM
> I have a Mac Mini running 10.8.4 Server and I'm interested in turning FileVault on.
>
> On a server without FileVault, I can restart the computer remotely and after the computer boots up, it goes to the login window. Meanwhile, the server OS is up and running and allows for services to be used. With FileVault, does the OS not boot up until you login? So how can one use the server with FileVault being headless? Or is it not possible to use FileVault on servers?

There's a special reboot command for this particular case, details here:

http://blog.macminicolo.net/post/32419058726/restart-a-remote-mac-that-is-running-filevault-2

talmy
Aug 23, 2013, 09:57 AM
> There's a special reboot command for this particular case, details here:
>
> http://blog.macminicolo.net/post/32419058726/restart-a-remote-mac-that-is-running-filevault-2

That will allow you to manually reboot, however if the system shuts down for any reason (such as a power failure) you are unable to start it without a keyboard attached.
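The command the macminicolo post refers to is "fdesetup authrestart", which stores the volume key in memory across one reboot so the disk unlocks without anyone typing a password at the pre-boot screen. The script below is an added example, not the blog's or either poster's; it assumes OS X 10.8.2 or later, where /usr/bin/fdesetup has the "status", "supportsauthrestart" and "authrestart" verbs, and that "fdesetup status" prints "FileVault is On." or "FileVault is Off." while "fdesetup supportsauthrestart" prints "true" or "false". It picks the reboot command from those two outputs and refuses to hand back a plain reboot that would strand the machine.

```shell
#!/bin/sh
# Added example: choose a reboot command for a FileVault-enabled headless
# server. Assumes fdesetup (OS X 10.8.2+) with the 'status',
# 'supportsauthrestart' and 'authrestart' verbs and the output strings noted
# in the comments below; the decision logic itself runs anywhere.

# choose_reboot STATUS_TEXT SUPPORTS_TEXT
#   STATUS_TEXT   : output of 'fdesetup status'            ("FileVault is On." / "FileVault is Off.")
#   SUPPORTS_TEXT : output of 'fdesetup supportsauthrestart' ("true" / "false")
# Prints the command to run and returns 0, or explains on stderr why a reboot
# would stop at the pre-boot login and returns non-zero.
choose_reboot() {
    st="$1"
    sup="$2"
    case "$st" in
        *"FileVault is Off"*)
            # Nothing is locked: a normal restart comes back to the login
            # window with services running.
            echo "shutdown -r now"
            return 0
            ;;
        *"FileVault is On"*)
            if [ "$sup" = "true" ]; then
                # Authenticated restart: the key survives this one reboot only.
                echo "fdesetup authrestart"
                return 0
            fi
            echo "FileVault is on but this Mac cannot do an authenticated restart;" \
                 "a reboot will wait at the pre-boot login until a password is typed." >&2
            return 1
            ;;
        *)
            echo "unrecognised fdesetup status: $st" >&2
            return 2
            ;;
    esac
}

# Live use on the server (run as root). Skipped where fdesetup does not exist.
if command -v fdesetup >/dev/null 2>&1; then
    status_text="$(fdesetup status)"
    supports_text="$(fdesetup supportsauthrestart 2>/dev/null || echo false)"
    if cmd="$(choose_reboot "$status_text" "$supports_text")"; then
        echo "Run as root: $cmd"
        echo "authrestart prompts for a FileVault-enabled user's password and covers"
        echo "this one restart only; a power loss still lands on the pre-boot screen."
    fi
fi
```

The last two lines of the live branch are the caveat talmy raises: an authenticated restart is a one-shot unlock, so "Restart after power failure" in Energy Saver does not help once the key in memory is gone, and the machine waits at the pre-boot login until someone with a keyboard arrives.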

unplugme71
Aug 26, 2013, 09:52 AM
> That will allow you to manually reboot, however if the system shuts down for any reason (such as a power failure) you are unable to start it without a keyboard attached.

Yup. Even if the 'Restart after power failure' option is enabled, you are still screwed. Luckily, with a Mac Mini server in a data center, you should have a better chance at winning the lottery than losing power. At least you'd hope so.

talmy
Aug 26, 2013, 12:00 PM
> Yup. Even if the 'Restart after power failure' option is enabled, you are still screwed. Luckily, with a Mac Mini server in a data center, you should have a better chance at winning the lottery than losing power. At least you'd hope so.

The only reason to use FileVault is physical security, an issue with a home server. However one would hope that the data center is secure, in which case FileVault is of marginal usefulness anyway. In any case the workaround of using a small, unencrypted boot partition and putting everything of importance on an encrypted partition works fine.

unplugme71
Aug 26, 2013, 10:11 PM
> The only reason to use FileVault is physical security, an issue with a home server. However one would hope that the data center is secure, in which case FileVault is of marginal usefulness anyway. In any case the workaround of using a small, unencrypted boot partition and putting everything of importance on an encrypted partition works fine.

Depends on what you find important. To me, Open Directory for example can be important and that would have to reside on the unencrypted boot partition.

Most likely, I will probably opt for a server rack and get one of those trays that supports four Mac Minis.

If someone wants to take my Mac Mini (or data), they'd have to go through quite a bit of physical security first. And to do all that just to know my identity, financial records, and large iPhoto/iTunes library is probably not worth the effort - not until I push over 7 figure net-worth.