Public | Automated Build

Last pushed: a month ago
Short Description
The dev builds of crypt - do not use, use macadmins/crypt-server
Full Description


Crypt is a system for centrally storing FileVault 2 recovery keys. It is made up of a client app, and a Django web app for storing the keys.

This Docker image contains the fully configured Crypt Django web app. A default admin user has been preconfigured, use admin/password to login.
If you intend on using the server for anything semi-serious it is a good idea to change the password or add a new admin user and delete the default one.

Changes in this version

  • 10.7 is no longer supported.
  • Improved logging on errors.
  • Improved user feedback during long operations (such as enabling FileVault).


The client is written in Pyobjc, and makes use of the built in fdesetup on OS X 10.8 and higher. An example login hook is provided to see how this could be implemented in your organisation.


  • If escrow fails for some reason, the recovery key is stored on disk and a Launch Daemon will attempt to escrow the key periodically.
  • If the app cannot contact the server, it can optionally quit.
  • If FileVault is already enabled, the app will quit.

Installation instructions

It is recommended that you use Docker to run this, but if you wish to run directly on a host, installation instructions are over on the in the docs directory


  • SEND_EMAIL - Crypt Server can send email notifcations when secrets are requested and approved. Set SEND_EMAIL to True, and set HOST_NAME to your server's host and URL scheme (e.g. For configuring your email settings, see the Django documentation.

  • APPROVE_OWN - By default, users with approval permissons can approve their own key requests. By setting this to False in (or by using the DOCKER_CRYPT_APPROVE_OWN environment variable with Docker), users cannot approve their own requests.

  • ALL_APPROVE - By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in (or by using the DOCKER_CRYPT_ALL_APPROVE environment variable with Docker), all users are given this permission when they log in.

  • ROTATE_VIEWED_SECRETS - With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it when the secret has been viewed. Enable by setting this to True or by using DOCKER_CRYPT_ROTATE_VIEWED_SECRETS and setting to true.

New features in latest release

  • Records Bonjour Name of Macs submitting keys
  • Introduces the can_approve permission - users must have this permission to authorise key retrieval
  • Key retrievals are logged


  • Email user when their request is approved or denied
  • Move 7 day allowance into so it can be changed


Main Page:

User Computer Info:

Admin Computer Info:

User Key Request:

Manage Requests:

Approve Request:

Key Retrieval:

Docker Pull Command
Source Repository