This repository has been archived by the owner on Sep 16, 2021. It is now read-only.

DeletingObsoleteRecoveryPassphrases

Maxim Ermilov edited this page Sep 7, 2017 · 3 revisions

The Cauliflower Vest team doesn’t feel there is a strong need to delete obsolete recovery passphrases for the following reasons:

  • The Cauliflower Vest client retrieves recovery passphrases by the Logical Volume UUID of the FileVault 2 encrypted volume, which is unique to each encryption instance. A single hard drive can therefore be encrypted multiple times, and Cauliflower Vest will not confuse the different recovery passphrases associated with one Mac or one physical disk.
  • If a FileVault 2 encrypted volume is reverted or re-imaged, its old recovery passphrase poses no security risk to that machine or to any other.
  • App Engine Datastore scales entity indexes seamlessly. There’s no need to worry about extra rows stored in the database.

Knowing that, if you would still prefer that your Cauliflower Vest server contain only the passphrases of active Macs, you can delete obsolete recovery passphrases manually. To do this:

  1. Click your Cauliflower Vest instance in the list of “My Applications” on the App Engine landing page.
  2. Click Datastore Viewer under the Data section of the menu on the left side of the page.
  3. Locate the fieldset labeled Query, and choose FileVaultVolume in the drop-down labeled By kind. Wait for the page to reload.
  4. Browse the list to find the Volume UUID of the obsolete passphrase you wish to delete, and tick the checkbox next to that entity.
  5. Click the Delete button at the bottom of the list.

Instead of browsing, you may prefer to run a GQL Query to locate a particular host. You can filter the FileVaultVolume entities by any of the metadata uploaded by the Cauliflower Vest client, including the Volume UUID, the hostname, the owner's username, the serial number of the Mac, the user who performed the escrow, and more. To do this, click Options in the Query fieldset, tick the By GQL checkbox, write your GQL Query and click the Run Query button.
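As an added example (not Cauliflower Vest's own code), the following builds the GQL query for one host and, over constructed FileVaultVolume-like records, works out which Volume UUIDs are candidates for deletion while always keeping the newest escrow per physical disk and any UUID known to be in use. The property names volume_uuid, hostname, serial, owner and created are assumptions made for the example, as is the rule that the newest escrow for a serial number is the volume currently in use.

```python
from datetime import datetime

# Constructed sample records shaped like FileVaultVolume entities.
# The property names are assumptions for this example, not the real schema.
SAMPLE_VOLUMES = [
    {"volume_uuid": "11111111-AAAA-4000-8000-000000000001", "hostname": "mac-alice",
     "serial": "C02SAMPLE01", "owner": "alice", "created": datetime(2016, 3, 1)},
    {"volume_uuid": "22222222-BBBB-4000-8000-000000000002", "hostname": "mac-alice",
     "serial": "C02SAMPLE01", "owner": "alice", "created": datetime(2017, 1, 15)},
    {"volume_uuid": "33333333-CCCC-4000-8000-000000000003", "hostname": "mac-bob",
     "serial": "C02SAMPLE02", "owner": "bob", "created": datetime(2016, 9, 9)},
]


def gql_for_host(hostname):
    """Build the GQL query to paste into the Datastore Viewer's By GQL box
    to list every escrowed volume for one Mac (single quotes are doubled
    so a hostname cannot break out of the string literal)."""
    return "SELECT * FROM FileVaultVolume WHERE hostname = '%s'" % hostname.replace("'", "''")


def obsolete_volume_uuids(volumes, active_uuids=frozenset()):
    """Return the sorted Volume UUIDs that are candidates for deletion.

    For each physical disk (serial number) the most recently created escrow
    is assumed to be the volume currently in use and is always kept, as is
    any UUID the caller already knows to be active (e.g. from inventory).
    """
    newest_per_serial = {}
    for vol in volumes:
        current = newest_per_serial.get(vol["serial"])
        if current is None or vol["created"] > current["created"]:
            newest_per_serial[vol["serial"]] = vol
    keep = {v["volume_uuid"] for v in newest_per_serial.values()} | set(active_uuids)
    return sorted(v["volume_uuid"] for v in volumes if v["volume_uuid"] not in keep)


if __name__ == "__main__":
    print(gql_for_host("mac-alice"))
    for uuid in obsolete_volume_uuids(SAMPLE_VOLUMES):
        print("candidate for deletion:", uuid)
```

Review each candidate UUID in the Datastore Viewer before ticking its checkbox; the function only narrows the list, it does not delete anything.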
