Encrypt using AD Credentials?

Discussion in 'Mac OS X Lion (10.7)' started by inflxx-support, Feb 7, 2012.

  1. inflxx-support macrumors newbie

    Oct 5, 2011
    I was wondering if this is possible. We would like to encrypt all of our MacBook Pros but want to encrypt using our AD credentials, not a local user account.

    Any help would be appreciated.

  2. haravikk macrumors 65816

    May 1, 2005
    If you encrypt your startup volume, then decryption occurs before the normal login screen, and requires a local account in order to get at the volume's encryption key. This could, however, be done by providing a single local account for the purposes of decryption only. Once decrypted, the user can log in normally.

    If you encrypt other disks, then when you log in you will receive a prompt asking for the password to these so that CoreStorage can unlock them. At this point the key (once entered) can be stored in a Keychain which, for the paranoid, can have its own password, auto-lock settings, etc. as desired.

    To encrypt drives other than your Time Machine disk, you have to use the Terminal via the diskutil command; the section you want is the coreStorage/cs commands, which allow you to convert a disk to CoreStorage (you may have to erase it in the process) and set any encryption key you like. I don't know if there are any good GUIs for it. Disk Utility is supposed to be able to do it for you, but I couldn't get it to work on some disks, and those that did work had to be erased (which the terminal command can sometimes avoid); it also has a buggy password field which makes it difficult to set a decently secure password such as a randomly generated one.

    Personally I'd recommend leaving the startup volume unencrypted and only keeping the OS on it, then creating a separate partition for encrypted data; this way you can just store its key in your keychain. An OS-only volume should be perfectly safe to leave unencrypted in terms of its data content, unless you're worried about someone accessing the machine to tamper with the OS, in which case encrypting it is probably a good idea, and can be done with a single local user account.
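The diskutil CoreStorage workflow described in the post above, as an added example that is not part of the thread or of Apple's own tooling. It locates a non-boot volume's Logical Volume UUID in `diskutil cs list` output and encrypts it with the real `-stdinpassphrase` option, so the passphrase is fed on standard input rather than placed in argv where `ps` would show it to every local user (the `-passphrase X` form has that problem). The `diskutil cs list` text embedded in the script is a constructed sample of the 10.7-era layout, not captured output, and the function names are my own; the script only runs diskutil when it is given a volume name on a machine that has the command.

```shell
#!/bin/sh
# Added example: encrypt a non-boot CoreStorage volume without exposing the
# passphrase on the command line. Not from the thread; helper names are mine.

# Constructed sample of `diskutil cs list` output (assumption about layout),
# used so the parser below can be exercised without a Mac.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 5E1B3C2A-0000-4000-8000-000000000001
    =========================================================
    Name:         Data
    Status:       Online
    |
    +-< Physical Volume 7F2A1D3B-0000-4000-8000-000000000002
    |   ----------------------------------------------------
    |   Disk:     disk1s3
    |
    +-> Logical Volume Family 9C4E2F1A-0000-4000-8000-000000000003
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         None
        |
        +-> Logical Volume A1B2C3D4-0000-4000-8000-000000000004
            ---------------------------------------------------
            Disk:                  disk2
            Status:                Online
            LV Name:               Data
            Volume Name:           Data
            Content Hint:          Apple_HFS'

# Read `diskutil cs list` text on stdin and print the UUID of the Logical
# Volume whose "LV Name" equals $1. Exit status 1 if there is no such volume.
# Group and Family lines also begin with "Logical Volume", so they are skipped.
cs_lv_uuid_for_name() {
    awk -v want="$1" '
        /Logical Volume [0-9A-F-]+$/ && !/Volume Group|Volume Family/ { uuid = $NF }
        /LV Name:/ {
            sub(/.*LV Name:/, "")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")
            if (uuid != "" && $0 == want) { print uuid; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Prompt for the passphrase on the terminal with echo off, so it lands in
# neither argv nor the shell history. Printed to stdout for piping to diskutil.
read_passphrase() {
    printf 'Passphrase for volume %s: ' "$1" >&2
    stty -echo
    read -r pass
    stty echo
    echo >&2
    printf '%s' "$pass"
}

# Encrypt the mounted volume named $1 (/Volumes/$1). If it is not yet a
# CoreStorage volume, convert it in place and encrypt during conversion;
# otherwise encrypt the existing Logical Volume. Both diskutil verbs take
# -stdinpassphrase, which reads the key from standard input.
encrypt_volume_by_name() {
    name=$1
    pass=$(read_passphrase "$name") || return 1
    if uuid=$(diskutil cs list | cs_lv_uuid_for_name "$name"); then
        printf '%s\n' "$pass" | diskutil cs encryptVolume "$uuid" -stdinpassphrase
    else
        printf '%s\n' "$pass" | diskutil cs convert "/Volumes/$name" -stdinpassphrase
    fi
}

# Only touch real disks when given a volume name on a machine that has diskutil.
if [ -n "${1:-}" ] && command -v diskutil >/dev/null 2>&1; then
    encrypt_volume_by_name "$1"
fi
```

On the Mac this is run as an admin user, e.g. `sudo sh cs_encrypt.sh Data`; once the volume is encrypted, the unlock prompt at the next login offers to remember the passphrase in the login keychain, which is the keychain storage the post refers to. In-place conversion assumes a journaled HFS+ volume on a GPT disk, the case in which diskutil does not need to erase it.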
  3. calderone macrumors 68040

    Aug 28, 2009
    Directory accounts are supported for decryption.
  4. haravikk macrumors 65816

    May 1, 2005
    Oh, hrm… I tried that but couldn't get it to work; I suppose I just assumed it needed a normal account. Never mind that part then.
