10.8 Server with FileVault

Discussion in 'Mac OS X Server, Xserve, and Networking' started by unplugme71, Aug 11, 2013.

  1. macrumors 68020

    Joined:
    May 20, 2011
    Location:
    Earth
    #1
    I have a Mac Mini running 10.8.4 Server and I'm interested in turning FileVault on.

    On a server without FileVault, I can restart the computer remotely and after the computer boots up, it goes to the login window. Meanwhile, the server OS is up and running and allows for services to be used. With FileVault, does the OS not boot up until you log in? So how can one use the server with FileVault being headless? Or is it not possible to use FileVault on servers?
     
  2. macrumors P6

    Weaselboy

    Joined:
    Jan 23, 2005
    #2
    I have not used FV with Server, but I do use FV on Mountain Lion client and when you boot and get the login screen you are actually at that point only running off a boot stub on the recovery partition and the entire OS partition is still locked. So I am going to say you can't do what you are asking with FV on.
     
  3. macrumors regular

    Joined:
    Feb 7, 2013
    #3
    Although I haven't tested this myself, I'm going to agree. From what I can tell FV requires a password to finish the boot process, which won't work for a headless system unless you have an Xserve with LOM.
     
  4. thread starter macrumors 68020

    Joined:
    May 20, 2011
    Location:
    Earth
    #4
    That's what I figured. I guess the assumption is the Mac Mini running a Server OS would be located in a physically secure location.
     
  5. macrumors 601

    talmy

    Joined:
    Oct 26, 2009
    Location:
    Oregon
    #5
    I solved this problem by having a system boot partition without FileVault and having a second partition that is encrypted. I don't keep anything sensitive on the unencrypted partition. I admit that I don't know how to move the databases for Contact and Calendar servers off of this partition, but I don't consider that data sensitive. I haven't tested to see if the encrypted drives are accessible before I log in since I always need to log in after power up to run services that aren't really services.
     
  6. thread starter macrumors 68020

    Joined:
    May 20, 2011
    Location:
    Earth
    #6
    I ended up just putting a firmware password on the Mac Mini server. The login passwords were strengthened some more. My external drive that connects to the Mini just hosts iTunes and iPhoto libraries, so there's nothing extremely important anyway.

    I'm just trying to think of better ways to manage a home network with server. The one thing I like about PHD is the ability to sync my HomeDir with any of the Macs I log onto. However, since this data is not encrypted on the Mini server, I'm starting to wonder if the benefit outweighs the security risk.
     
  7. macrumors 6502a

    Joined:
    Nov 13, 2008
    #7
    It is not recommended to have FileVault turned on for your OS X server.
    Any user who connects to the server, that data will be encrypted unless they're on FTP.

    I'd highly recommend going through the server essentials guide and the 10.8 Server Admin page on Apple.com. Good resources there to help secure your server.
     
  8. macrumors 6502a

    Joined:
    Jul 13, 2011
    Location:
    Mississippi
    #8
  9. macrumors newbie

    Joined:
    Jul 3, 2011
    #9
    There's a special reboot command for this particular case, details here:

    http://blog.macminicolo.net/post/32419058726/restart-a-remote-mac-that-is-running-filevault-2
     
  10. macrumors 601

    talmy

    Joined:
    Oct 26, 2009
    Location:
    Oregon
    #10
  11. thread starter macrumors 68020

    Joined:
    May 20, 2011
    Location:
    Earth
    #11
    Yup. Even if the 'restart after power failure' option is enabled, you are still screwed. Luckily with a Mac Mini server in a data center, you should have a better chance at winning the lottery than losing power. At least you'd hope so.
     
  12. macrumors 601

    talmy

    Joined:
    Oct 26, 2009
    Location:
    Oregon
    #12
    The only reason to use FileVault is physical security, an issue with a home server. However, one would hope that the data center is secure, in which case FileVault is of marginal usefulness anyway. In any case, the workaround of using a small, unencrypted boot partition and putting everything of importance on an encrypted partition works fine.
     
  13. thread starter macrumors 68020

    Joined:
    May 20, 2011
    Location:
    Earth
    #13
    Depends on what you find important. To me, Open Directory for example can be important and that would have to reside on the unencrypted boot partition.

    Most likely, I will probably opt for a server rack and get one of those trays that supports 4 Mac Minis.

    If someone wants to take my Mac Mini (or data), they'd have to go through quite a bit of physical security first. And to do all that just to know my identity, financial records, and large iPhoto/iTunes library is probably not worth the effort - not until I push over 7-figure net worth.
     
