You can use an institutional recovery key as a common way to unlock the encrypted drives of multiple devices within your organisation. This key needs to be generated before enabling FileVault.
- macOS 10.7 or higher
Steps to take
- Generate a FileVaultMaster keychain and certificate
- Deploy certificate to associated devices
- Use keychain to unlock an encrypted volume
Generate a FileVaultMaster keychain and certificate
When using FileVault 2 with an institutional recovery key, you will need to generate a (private) keychain file and (public) certificate file. This only needs to be done once, before deploying the certificate to multiple devices.
These files can be generated in two ways on a macOS device: by setting a master password or by using Terminal and Keychain Access.
Generate files by setting a master password
By setting a Master Password, a FileVaultMaster keychain and FileVaultMaster certificate will automatically be generated in the folder /Library/Keychains. You will need these files when deploying FileVault using an institutional key. Please note, that these files may already be present, for example when you already have a master password set on your device. In that case, please follow the steps as explained in the section ‘Generate files by using Terminal and Keychain Access’.
- Open Apple menu -> System Preferences, and click Users & Groups;
- Click on the padlock in the bottom left of the screen to unlock user settings and provide your password;
- Click on the service icon at the bottom of the user list, then select ‘Set Master Password’;
- Choose and verify a master password. Choose a password which you can remember, as you will need this password again when recovering data from an encrypted volume;
- In the folder /Library/Keychains/, two files will be generated: FileVaultMaster.keychain and FileVaultMaster.cer
The keychain file contains the generated public and private keys, and is protected by the master password that you just provided. You will need this file when recovering data from an encrypted volume. Make sure you store several copies of this keychain in secure locations, as without it, you will not be able to unlock the volume.
The certificate file contains only the public key, and will be deployed to the devices as institutional recovery key.
Generate files by using Terminal and Keychain Access
Create a FileVaultMaster keychain
- Open a Terminal window;
- Generate a new keychain, by running the command security create-filevaultmaster-keychain /[path]/FileVaultMaster.keychain
- When prompted, provide a password for the keychain. You will need this password later, when preparing the keychain for deployment or when using the keychain to unlock an encrypted volume;
- A new keychain is now created at the location you specified. When generating one using the master password, the FileVaultMaster keychain is usually stored in /Library/Keychains/. However, you will need root privileges for this and there may already be another FileVaultMaster keychain present;
- You will need your newly generated FileVaultMaster keychain when unlocking an encrypted volume. Please store several copies of this keychain in secure locations, to make sure you won’t lose it.
Prepare the keychain for distribution
The FileVaultMaster keychain contains a private and public key. This is a problem when the keychain file falls into wrong hands. Before you can deploy an institutional key, you’ll need to remove the private key from the keychain.
- Create another copy of the FileVaultMaster keychain. As you will remove the private key from this keychain, this copy can only be used for deployment;
- Open the Keychain Access application
- Import the FileVaultMaster keychain, by going to File -> Add Keychain… . Find your copy of the keychain and press the Add button;
- Select the FileVaultMaster keychain in the overview on the left-hand side of the application and unlock it with the padlock icon;
- If the keychain won’t unlock, try unlocking it using the Terminal, by running the command security unlock-keychain /[path]/FileVaultMaster.keychain . Enter the keychain’s password when prompted;
- In Keychain Access, double-click the FileVaultMaster keychain. You will see a certificate named FileVault Recovery Key;
- Expand this certificate and you’ll see that it contains a private key named ‘FileVault Master Password Key). Delete this private key;
- Select the FileVault Recovery Key certificate, now only containing the personal key, and go to File -> Export Items. Save the certificate as a .cer file.
Deploy certificate to associated devices
- In Jamf School, go to the profile in which you want to enable FileVault;
- In the Certificates tab, select your certificate and press ‘Upload new certificate’;
- In the FileVault tab, Enable FileVault and select either both the institutional and personal recovery key, or just the institutional recovery key as key type;
- In the Certificates dropdown menu, select your certificate. When the profile is saved, this certificate is sent to associated devices as institutional recovery key.
Use keychain to unlock an encrypted volume
- Put your original FileVaultMaster.keychain (the one with the private key in it) on an external drive or USB drive;
- Boot the device in recovery mode, by holding command-R when starting up;
- Plug in the drive with the FileVaultMaster keychain. In recovery mode, the drive should automatically mount, but you can also mount it using Disk Utility;
- Open a Terminal by going to Utilities -> Terminal;
- Unlock the keychain in the Terminal, by running the command
security unlock-keychain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain . When prompted, enter the password you used when creating the keychain;
- Find the Logical Volume UUID of the encrypted drive, by running the command diskutil corestorage list
- Unlock the volume with diskutil corestorage unlockVolume [UUID] -recoveryKeyChain /Volumes[nameofdrive]/[path]/FileVaultMaster.keychain
- The volume should unlock and mount, you can now retrieve the files. Decrypting the disk is also possible, by running diskutil corestorage revert [UUID] -recoveryKeychain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain