
Creating an Institutional Recovery Key

If you want to use an institutional recovery key on a Mac encrypted with FileVault 2, you need to create and configure a FileVaultMaster keychain. Apple has provided a way to create this keychain by using the security command's create-filevaultmaster-keychain function. To create a FileVaultMaster.keychain file, run the following command in the Terminal:

security create-filevaultmaster-keychain /path/to/FileVaultMaster.keychain

You'll be prompted for a password for the keychain; then the keychain will be created, containing both the private and public keys needed for recovering a FileVault 2–encrypted drive that uses this institutional recovery key (see Figure 13).

Figure 13 Using security create-filevaultmaster-keychain to create an institutional recovery key.

If you want to create the FileVaultMaster keychain in its proper place, run the security command with root privileges and use /Library/Keychains for the destination path (see Figure 14).

Figure 14 Running security create-filevaultmaster-keychain with root privileges to create an institutional recovery key in /Library/Keychains.

Once you've made your copies, make another copy and remove the private key from that copy of the keychain. Once the private key is removed, the FileVaultMaster.keychain file is ready to be used for encrypting Macs with FileVault 2, using the institutional recovery key.

The security man page doesn't appear to include information about the create-filevaultmaster-keychain function, but you can see what it does by running the security help command in the Terminal and checking the bottom of the list that appears (see Figure 15).

Figure 15 Using security help to display information about the security tool's create-filevaultmaster-keychain function.

The following steps modify the /Library/Keychains/FileVaultMaster.keychain so that it contains only the public key:

  1. Using the security command, create the FileVaultMaster.keychain file.
  2. Make several copies of the FileVaultMaster.keychain file that you just created, and store the copies separately in secure locations. A locked safe would be a good place, as would an encrypted disk image on an access-restricted file share.
  3. Unlock the newly created FileVaultMaster.keychain file by running the following command:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

    Enter the keychain's password when prompted, as shown in Figure 16:

    Figure 16 Using the security tool's unlock-keychain function to unlock the FileVaultMaster keychain for editing.

  4. If the command in step 3 succeeds, the Terminal simply returns to the prompt with no output. If the command fails, get another copy of the FileVaultMaster.keychain file from step 2 and try again.

  5. Once you've unlocked the FileVaultMaster.keychain file, open the Keychain Access application from /Applications/Utilities/ (see Figure 17).

    Figure 17 Looking at the Keychain Access application prior to adding FileVaultMaster.keychain.

  6. In Keychain Access, go to File > Add Keychain and add /Library/Keychains/FileVaultMaster.keychain (see Figure 18).

    Figure 18 Selecting the FileVaultMaster.keychain file in Keychain Access.

    Assuming that you previously unlocked the FileVaultMaster.keychain file by using the security command, it should show as unlocked in Keychain Access.

  7. Open the FileVaultMaster keychain and remove the private key. It should be called FileVault Master Password Key, and its kind should be listed as private key (see Figure 19).

    Figure 19 The FileVaultMaster keychain's private key in Keychain Access.

  8. Confirm the deletion (see Figure 20). Figure 21 shows the revised keychain, containing only the public key.

    Figure 20 Removing the private key from the FileVaultMaster keychain in Keychain Access.

    Figure 21 How the FileVaultMaster keychain should look with only the public key inside.

  9. Relock the FileVaultMaster keychain.
  10. Copy the modified FileVaultMaster.keychain file (now with only the public key inside) to the /Library/Keychains directory of the Macs you want to encrypt with FileVault 2. For ease of deployment, you can package the FileVaultMaster.keychain file into an installer package. That installer package can then be deployed ahead of encryption to multiple machines, using the system management tools in your environment.

    When deployed to /Library/Keychains on the Macs you want to encrypt with FileVault 2, the FileVaultMaster.keychain file should have the following ownership and permissions:

    Owner: root (read and write)

    Group: wheel (read only)

    Everyone else: read only

    Once the institutional recovery key is deployed to an unencrypted machine, enabling FileVault 2 via System Preferences should produce a message instead of displaying the personal recovery key (see Figure 22).

    Figure 22 Message indicating that a properly configured FileVaultMaster.keychain is being used as an institutional recovery key.

Once encryption begins, the following message should be displayed in the FileVault preference pane (see Figure 23):

A recovery key has been set by your company, school or institution

Figure 23 FileVault 2 encrypting the boot drive using an institutional recovery key.
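A deployment-side preflight for the steps above, written here as an added example (not code from the article or from Apple): it checks that the FileVaultMaster.keychain copied to a client Mac has the root/wheel ownership and read-only group and everyone permissions the steps call for, and that no private key record remains in the keychain. Parsing ls -ld for the mode, and the record class 0x00000010 (CSSM_DL_DB_RECORD_PRIVATE_KEY) as what security dump-keychain prints for private keys, are assumptions of this example.

```shell
#!/bin/sh
# Preflight for a FileVaultMaster.keychain copied to a client Mac. Added example,
# not from the article or Apple. Assumptions: expected owner root, group wheel,
# mode -rw-r--r-- (as the article states); `security dump-keychain` prints
# private-key records as "class: 0x00000010" (CSSM_DL_DB_RECORD_PRIVATE_KEY).

# Verify owner, group and mode by parsing `ls -ld`, which works with both the
# BSD ls of macOS and GNU ls. A trailing '@', '+' or '.' on the mode field
# (extended attributes, ACLs, SELinux label) is stripped before comparing.
check_keychain_perms() {
    f=$1; want_owner=${2:-root}; want_group=${3:-wheel}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")
    mode=${1%[@+.]}; owner=$3; group=$4
    rc=0
    [ "$mode" = "-rw-r--r--" ] || { echo "$f: mode $mode, want -rw-r--r--"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$f: group $group, want $want_group"; rc=1; }
    return $rc
}

# Count private-key records in `security dump-keychain` output read from stdin.
# A keychain ready for deployment must report 0: only the public key stays.
private_key_count() {
    grep -c '^class: 0x00000010' || true
}

# Run dump-keychain on the Mac and fail if any private key is still inside.
check_no_private_key() {
    n=$(security dump-keychain "$1" | private_key_count)
    [ "$n" -eq 0 ] || { echo "$1: $n private key record(s) still present"; return 1; }
}

preflight() {
    check_keychain_perms "$1" && check_no_private_key "$1"
}

# Usage on a Mac, with this file saved as (for example) preflight.sh:
#   FVM_PREFLIGHT=/Library/Keychains/FileVaultMaster.keychain sh preflight.sh
if [ -n "${FVM_PREFLIGHT:-}" ]; then
    preflight "$FVM_PREFLIGHT"
fi
```

Run it as root after the installer package has placed the keychain, before enabling FileVault 2 on the machine.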
