Centrify DirectControl for Mac on OS X 10.7 and higher

Question:
On page 68 of the Centrify Admin Guide for Mac, one of the requirements for enabling FileVault via Centrify is that FileVault is not already enabled on the system:
FileVault 2 must not be enabled on the Mac OS X computer (through the Security & Privacy System Preference). If it is already configured, configuring FileVault 2 through Centrify User Suite will have no effect.
If FileVault is currently already enabled, then it needs to be completely disabled first before the institutional key can be used instead. This means that the disk needs to be decrypted first.
Can the keys be swapped over without having to fully decrypt and re-encrypt FileVault?

Answer:

Note:
- For systems on OS X 10.9 and higher, Apple introduced a new option into the FileVault command line to allow the institutional key to be installed without the need to decrypt the disk first. Please see the following KB for steps on how to do this:
- For OS X versions 10.8 and below, the information below still applies.
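As an added example (not code from the original KB article or from Centrify), the following POSIX shell pre-flight script encodes the two version paths in the note above: it reads `sw_vers -productVersion` and `fdesetup status`, then recommends one of three actions: enable FileVault through Centrify when it is still off, swap the recovery key in place with `fdesetup changerecovery -institutional -keychain` on 10.9 and higher, or decrypt first with `fdesetup disable` on 10.8 and below. The decision functions take their inputs as arguments so they can be exercised on any machine; the script name `fv_precheck.sh` and the assumption that the institutional key is installed as /Library/Keychains/FileVaultMaster.keychain are mine, not the page's.

```shell
#!/bin/sh
# fv_precheck.sh: decide how to bring an existing Mac under an institutional
# FileVault 2 recovery key. Added example, not Centrify's or Apple's own tooling.
# Assumptions: run as root on the Mac being checked, where `sw_vers` and
# `fdesetup` exist, and the institutional key has been installed as
# /Library/Keychains/FileVaultMaster.keychain before changerecovery is run.

# fv_state STATUS_TEXT -> prints "on", "off" or "unknown" from `fdesetup status` output.
fv_state() {
    case "$1" in
        *"FileVault is On"*)  printf 'on\n' ;;
        *"FileVault is Off"*) printf 'off\n' ;;
        *)                    printf 'unknown\n' ;;
    esac
}

# supports_changerecovery VERSION -> succeeds when the OS is 10.9 or newer.
# Major and minor are compared as integers so that 10.10 sorts after 10.9
# (a plain string comparison would get this wrong).
supports_changerecovery() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 9 ]; }
}

# plan VERSION FV_STATE -> prints one of:
#   enable          FileVault off: enable it through Centrify so the institutional key is used
#   changerecovery  FileVault on, 10.9+: swap in the institutional key without decrypting
#   decrypt         FileVault on, 10.8 or lower: disable (decrypt) first, then enable via Centrify
plan() {
    case "$2" in
        off) printf 'enable\n' ;;
        on)
            if supports_changerecovery "$1"; then
                printf 'changerecovery\n'
            else
                printf 'decrypt\n'
            fi ;;
        *)   printf 'unknown\n'; return 1 ;;
    esac
}

main() {
    ver=$(sw_vers -productVersion)
    state=$(fv_state "$(fdesetup status)")
    case "$(plan "$ver" "$state")" in
        enable)
            echo "FileVault is off on $ver: enable it through Centrify so the institutional key is used." ;;
        changerecovery)
            echo "FileVault is on and $ver supports an in-place recovery key change; run:"
            echo "  sudo fdesetup changerecovery -institutional -keychain"
            echo "  (prompts for a FileVault-enabled user; uses /Library/Keychains/FileVaultMaster.keychain)" ;;
        decrypt)
            echo "FileVault is on and $ver predates in-place key change; decrypt first:"
            echo "  sudo fdesetup disable   # wait until 'fdesetup status' reports Off, then enable via Centrify" ;;
        *)
            echo "Could not determine FileVault state; check 'fdesetup status' by hand." >&2
            return 1 ;;
    esac
}

# Only run the live check when executed as fv_precheck.sh, so the functions can be
# sourced and tested on machines that lack sw_vers/fdesetup.
if [ "${0##*/}" = "fv_precheck.sh" ]; then
    main
fi
```

The script deliberately prints the recommended `fdesetup` command instead of running it: the decrypt path can take hours on a large volume, and the in-place change needs a FileVault-enabled user's credentials, so an administrator should see the decision before committing to it.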
The reason FileVault needs to be completely disabled and re-enabled when switching keys is that the encryption process is directly tied to the key itself.
FileVault should not be thought of like a literal vault of data with a padlock (the encryption "key") on the door - this would imply that the padlock can simply be swapped for another one without touching the data itself.
Because Apple FileVault is a full-disk encryption solution, during the initial encryption process the key is "mixed in" with the data specifically to prevent it from being easily extracted, for maximum security.
This is why, if FileVault is already in use and a switch to a centrally managed environment is needed, the data must be fully decrypted and then re-encrypted with the new key.