MacOS X and FileVault Recovery
When Apple’s FileVault home directory encryption is used in conjunction with Active Directory integration – or with any other sort of directory integration – some pretty nasty problems can result, if you’re not careful.
The basic problem is that FileVault derives its encryption keys from the user’s password, and it captures the password from the LoginWindow.
Upside: you can use FileVault regardless of the type of authentication your account uses, provided it’s password-based authentication.
Downside: if your password changes while your Mac isn’t looking, FileVault becomes desynchronized and your user can never log in again.
Apple doesn’t seem to acknowledge the possibility of this happening anywhere in their documentation; it’s clear to me that they haven’t even considered this use case! I suspect it’s because FileVault targets consumers, and directory integration targets businesses.
Happily, it turns out that there is a way to re-sync your FileVault password using some command line magic.
First, log into the system as someone who can sudo. Find the home directory of the locked-out user; it should contain a .sparseimage file which is an encrypted FileVault image.
Issue the following command:
sudo hdiutil chpass <encrypted_image_file> -newstdinpass
This will prompt you for a new password using the console, and then prompt you for the old password using a dialog box.
As the old password, use the old Active Directory password. As the new password, use the new Active Directory password.
Once the image’s password is changed, the user should be able to log in again.
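A small wrapper for the procedure above, added here as an example and not part of the original post: it locates the locked-out user's FileVault image and runs the hdiutil command exactly as given, refusing to act unless exactly one .sparseimage is present so the wrong image is never touched. It assumes the home directory is /Users/<user> unless a path is passed explicitly.

```shell
#!/bin/sh
# Re-sync a legacy FileVault (.sparseimage) home image after a directory
# password change. Added example, not from the original post; assumes the
# locked-out user's home is under /Users/<user> unless given explicitly.
set -eu

# Print the path of the single FileVault image inside a home directory.
# Fails (exit 1) when none or more than one is found.
find_fv_image() {
    home_dir=$1
    found=""
    count=0
    for img in "$home_dir"/*.sparseimage; do
        [ -e "$img" ] || continue      # glob matched nothing
        found=$img
        count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one .sparseimage in $home_dir, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Run the command from the post against the located image: hdiutil prompts
# for the new password on the console and for the old one in a dialog.
resync_fv_image() {
    user=$1
    home_dir=${2:-/Users/$user}
    img=$(find_fv_image "$home_dir") || return 1
    echo "Changing FileVault password for $user ($img)"
    sudo hdiutil chpass "$img" -newstdinpass
}

# Only act when invoked with a user name, so the functions can also be
# sourced without side effects.
if [ "$#" -gt 0 ]; then
    resync_fv_image "$@"
fi
```

Run it as `sh resync-filevault.sh <user> [home_dir]` from an account that can sudo, then enter the new and old Active Directory passwords when prompted.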
