MacOS PKI Integration with FileVault

Turn on FileVault.

1. Click Apple menu > System Preferences.
2. Click Security & Privacy.
3. Click the FileVault tab.
4. Click the lock to enable changes.
5. Enter your PIN and click Unlock.
6. Click Turn on FileVault.
7. Enter your credentials and click Unlock.
8. Choose whether to Create a Recovery Key or Setup the iCloud account.
   If a Recovery Key is created, save it in a safe place.

M1 Filevault Operation

With the smart card plugged in, starting the device will take you straight to the Login screen where you can enter your PIN to access the system. Unlocking the PC will be exactly the same.

Apple File System (APFS) FileVault encryption is not compatible with smart cards on Intel Macs. When turning on a system where FileVault was enabled, local users who were initialized with a secure token (unrelated to smart cards) will be prompted for their password to unlock the disk. By default, this password will also be used to open the session. Below are two ways to change this behavior.

Basic Setup

This method allows your environment to utilize a Local User password for FileVault while forcing the use of a smart card at login. This disallows the passthrough of the password from pre-boot authentication to login.

Defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

Advanced Setup

Alternatively, you can set up a local user account that does not have access to login at the Login Window. This will enforce that all users who attempt to log into the Mac be forced to use their Smart card for authentication at the Login Window. The FileVault enabled user will not have any capabilities outside of FileVault authentication screen.

1. Set up a local user account that is FileVault enabled
2. Use the following command to disallow that user from logging into the system, only to be used to unlock FileVault:

dscl . -append /Users/username AuthenticationAuthority “;DisabledUser;”

1. Use the following command to disallow any local admin account that has Smart card paired to be used to unlock FileVault:

fdesetup remove -user username

Smart Card-Only Authentication with Secure Shell Daemon (SSHD)

Users can use their smart card to authenticate over SSH to the local computer or to remote onto computers that are correctly configured. Follow these steps to configure SSHD on a computer so that it supports smart card authentication.

1. Use the following command to back up the sshd_config file:
   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup_`date “+%Y-%m-%d_%H:%M”`
2. In the sshd_configfile, change the following:
   • Change “#ChallengeResponseAuthentication yes” to “ChallengeResponseAuthentication no”.
   • Change “#PasswordAuthentication yes” to “PasswordAuthentication no”.
3. Add the following line:
   “PKCS11Provider=/usr/lib/sshkeychain.dylib.”
4. Restart SSHD:
   sudo launchctl stop com.openssh.sshd
   sudo launchctl start com.openssh.sshd
5. To allow a user to authenticate with their card to your system, export the public key from their smart card:
   ssh-keygen -D /usr/lib/ssh-keychain.dylib
6. Add the public key from the previous step to the ~/.ssh/authorized_keys file on your computer.
7. If the user wants to, they can also use the following command to add the private key to their ssh-agent:
   ssh-add -s /usr/lib/ssh-keychain.dylib