- Password Changes and FileVault 2
- The Guest User and FileVault 2
- Enabling Admin Users for FileVault 2 via System Preferences
- Creating an Institutional Recovery Key
- Erasing a FileVault 2?Encrypted Volume from the Command Line
- Setting a Text-Only Login Banner from the Command Line for the FileVault 2 Pre-Boot Login Screen
- Booting into Single-User Mode on a FileVault 2?Encrypted Mac
- Using Apple's Internet Recovery to Unlock or Decrypt a FileVault 2?Encrypted Boot Drive
- FileVault 2 and UUIDs
- Automating fdesetup authrestart in 10.9.x or Later
Creating an Institutional Recovery Key
If you want to use an institutional recovery key on a Mac encrypted with FileVault 2, you need to create and configure a FileVaultMaster keychain. Apple has provided a way to create this keychain by using the security command's create-filevaultmaster-keychain function. To create a FileVaultMaster.keychain file, run the following command in the Terminal:
security create-filevaultmaster-keychain /path/to/FileVaultMaster.keychain
You'll be prompted for a password for the keychain; then the keychain will be created, containing both the private and public keys needed for recovering a FileVault 2–encrypted drive that uses this institutional recovery key (see Figure 13).
Figure 13 Using security create-filevaultmaster-keychain to create an institutional recovery key.
If you want to create the FileVaultMaster keychain in its proper place, run the security command with root privileges and use /Library/Keychains for the destination path (see Figure 14).
Figure 14 Running security create-filevaultmaster-keychain with root privileges to create an institutional recovery key in /Library/Keychains.
Once you've made your copies, make another copy and remove the private key from that copy of the keychain. Once the private key is removed, the FileVaultMaster.keychain file is ready to be used for encrypting Macs with FileVault 2, using the institutional recovery key.
The security main page doesn't appear to include information about the create-filevaultmaster-keychain function, but you can see what it does by running the security help command in the Terminal and checking at the bottom of the list that appears (see Figure 15).
Figure 15 Using security help to display information about the security tool's create-filevaultmaster-keychain function.
The following steps modify the /Library/Keychains/FileVaultMaster.keychain so that it contains only the public key:
- Using the security command, create the FileVaultMaster.keychain file.
- Make several copies of the FileVaultMaster.keychain file that you just created, and store the copies separately in secure locations. A locked safe would be a good place, or in an encrypted disk image on an access-restricted file share.
Unlock the newly created FileVaultMaster.keychain file by running the following command:
security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
Enter the keychain's password when prompted, as shown in Figure 16:
Figure 16 Using the security tool's unlock-keychain function to unlock the FileVaultMaster keychain for editing.
If the command in step 3 succeeds, you'll get the next system prompt. If the command fails, get another copy of the FileVaultMaster.keychain file from step 2 and try again.
Once you've unlocked the FileVaultMaster.keychain file, open the Keychain Access application from /Applications/Utilities/ (see Figure 17).
Figure 17 Looking at the Keychain Access application prior to adding FileVaultMaster.keychain.
In Keychain Access, go to File > Add Keychain and add /Library/Keychains/FileVaultMaster.keychain (see Figure 18).
Figure 18 Selecting the FileVaultMaster.keychain file in Keychain Access.
Assuming that you previously unlocked the FileVaultMaster.keychain file by using the security command, it should show as unlocked in Keychain Access.
Open the FileVaultMaster keychain and remove the private key. It should be called FileVault Master Password Key, and its kind should be listed as private key (see Figure 19).
Figure 19 The FileVaultMaster keychain's private key in Keychain Access.
Figure 20 Removing the private key from the FileVaultMaster keychain in Keychain Access.
Figure 21 How the FileVaultMaster keychain should look with only the public key inside.
- Relock the FileVaultMaster keychain.
Copy the modified FileVaultMaster.keychain file (now with only the public key inside) to the /Library/Keychainsdirectory of the Macs you want to encrypt with FileVault 2. For ease of deployment, you can package the FileVaultMaster.keychain file into an installer package. That installer package can then be deployed ahead of encryption to multiple machines, using the system management tools in your environment.
When deployed to /Library/Keychains on the Macs you want to encrypt with FileVault 2, the FileVaultMaster.keychain file should have the following permissions set:
Permissions: read and write
Permissions: read only
Once the institutional recovery key is deployed to an unencrypted machine, enabling FileVault 2 via System Preferences should produce a message instead of displaying the personal recovery key (see Figure 22).
Figure 22 Message indicating that a properly configured FileVaultMaster.keychain is being used as an institutional recovery key.
Once encryption begins, the following message should be displayed in the FileVault preference pane (see Figure 23):
A recovery key has been set by your company, school or institution
Figure 23 FileVault 2 encrypting the boot drive using an institutional recovery key.