@monosodium,
Institutional recovery keys (IRKs) work a bit differently than personal recovery keys (PRKs). For information on how to use an institutional key to unlock or decrypt a FileVault 2-encrypted Mac, please see the post below:
https://derflounder.wordpress.com/2014/08/13/filevault-2-institutional-recovery-keys-creation-deployment-and-use/ (please see the "Using FileVaultMaster.keychain to recover your data" section.)
@rtrouton Thanks for that link! I knew that there were differences between the PRKs and IRKs but could not find a good resource on what those differences were. Apple's documentation does not really detail the differences between the two.
@rtrouton
I am familiar with the documentation you mentioned to @monosodium to read through when trying to unlock an encrypted disk using an institutional key. But I am getting stuck at the beginning.
Where I am stuck is this line:
security unlock-keychain /path/to/FileVaultMaster.keychain
What is the path to my keychain? The drive is not mounted, so you can't 'see' the OS X volume. The only /Library/Keychains folder is part of the Recovery partition and does not contain the .keychain file needed.
I am hoping I'm missing something really simple.
Cheers
Ashley
@pueo I am 99% sure that what he is referring to is this: when you generate a new master FileVault keychain, it has both the public and private keys inside it. You make a copy of the master FileVault keychain file and then remove the private key so only the public key is in there. This copy of the keychain without the private key inside it is what is actually uploaded to the JSS and used to encrypt the machine.
When he is referencing
security unlock-keychain /path/to/FileVaultMaster.keychain,
he actually means the original version of the FileVaultMaster.keychain with the public AND private key you originally generated, so wherever you have a copy of that, like a USB key.
In the rare instances where we have had to use our institutional key: we keep the complete key in only a few secure places. We copy it to a USB drive and then, while booted from the recovery partition, unlock the full keychain file that is on the USB/thumb drive and use it to unlock the drive.
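One way to script the procedure @chriscollins describes, as an added example that is not from this thread, Apple or Jamf. It assumes the complete keychain was copied to a USB volume that Recovery mounts under /Volumes, that the encrypted volume is CoreStorage, and that `security find-identity` and `diskutil cs unlockVolume ... -recoveryKeychain` behave as described in the comments (check them against the linked derflounder post before relying on them).

```shell
#!/bin/sh
# Added example: find the COMPLETE FileVaultMaster.keychain (public + private key)
# on removable media while booted to Recovery, confirm it is not the stripped
# public-only copy that gets uploaded to the JSS, then use it to unlock the disk.
# Assumptions: USB volume mounted under /Volumes; CoreStorage logical volume;
# the diskutil/security flags below are from Apple's tools, not from this thread.

# Search every mounted volume (one level down) for the keychain file.
# The search root is a parameter so the lookup can be exercised off a Mac.
find_master_keychain() {
    root="${1:-/Volumes}"
    match=$(find "$root" -mindepth 2 -maxdepth 2 -name FileVaultMaster.keychain 2>/dev/null | head -n 1)
    [ -n "$match" ] || { echo "no FileVaultMaster.keychain under $root" >&2; return 1; }
    printf '%s\n' "$match"
}

# A keychain that can decrypt must still hold the identity (certificate + private
# key). `security find-identity <keychain>` lists identities as "  1) <hash> ..."
# lines; the public-only copy yields no such line (assumed output format).
has_private_key() {
    security find-identity "$1" 2>/dev/null | grep -qE '^ +[0-9]+\) '
}

# Unlock the keychain (the command from the thread), then the CoreStorage
# logical volume whose UUID is shown by `diskutil cs list`.
unlock_with_irk() {
    kc="$1"; lv_uuid="$2"
    has_private_key "$kc" || { echo "$kc lacks the private key (public-only copy?)" >&2; return 1; }
    security unlock-keychain "$kc"                       # prompts for the keychain password
    diskutil cs unlockVolume "$lv_uuid" -recoveryKeychain "$kc"
}

# Runs only when given the logical volume UUID, e.g.:  sh unlock-irk.sh <LV-UUID>
if [ -n "${1:-}" ]; then
    kc=$(find_master_keychain /Volumes) || exit 1
    unlock_with_irk "$kc" "$1"
fi
```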
@chriscollins
Uh, that makes more sense now. I'll give it a try.
Thanks.
a.