FileVault 2 Institutional Recovery Key usage

Hey @bearzooka - Did you ever get this resolved? I'm running into the exact same issue.

Wow, great post. Thank you for writing out all of that.

i was able to unlock it but my drive is APFS not sure how to revert it

Dude, @bearzooka amazing instructions! Thanks to you I was successfully able to decrypt a drive that we lost the password to. Thanks so much for taking the time to write this out.

As an adendum to the previous process, it's important to mention that it works with HFS drives; however, for APFS it's necessary to go as follows:
(STEPS 1 - 7 are the same)
1. Download the Institutional Recovery Key from the FileVault 2 section of the Management tab of any machine’s inventory page. The key will be the same for all machines that were encrypted using the same JSS policy. The downloaded file will be called RecoveryKey.p12 and has a password that was set when the policy was created.
2. Open the Keychain Access application and then select File > New Keychain…
3. You will be asked for a name and a path for this element. It’s recommended to use a simple name and place it on the Desktop.
4. You will be asked to set a password for this Keychain. It’s recommended to use a simple password that you can share with the IT personnel that will be involved in decrypting the affected machine.
5. Drag the RecoveryKey.p12 file into the main pane of the Keychain Access application, making sure that the keychain that you just created is selected. As soon as you drop the file you will be prompted for the password that opens the p12 file.
6. Then, you will be asked for the password you set for the keychain (step 4) and afterwards, the items of the p12 file will be visible inside the keychain.
7. Move the keychain item you just created from the desktop into a USB drive that you will use to unlock the locked machine and after making sure it was copied, delete it and the p12 file from your hard drive in a secure way.
8. Inside the recovery mode open the Terminal from the Utilities menu and use the following command to obtain the UUID of the locked volume:

diskutil apfs list

9. This command will provide a list of all the logical volumes available. Locate the volume that is marked as locked, select and copy its identifier. In the case of the image, disk2s1
10.Insert the USB that contains the Recovery Keychain and locate the path of the USB inside the Volumes folder
11. Unlock the Recovery Keychain using the following command, with the appropriate path to your USB drive and keychain file

security unlock-keychain /Volumes/My USB/FileVaultRecovery.keychain

12. You will be asked for a password, this is the one you set while creating the recovery keychain on step 4.
13. With the Recovery Keychain unlocked, use the following command to unlock the drive, replacing the disk ID for your own (step 9) and the path to your keychain in the USB

diskutil apfs unlockVolume /dev/apfs_volume_id_here -recoverykeychain /path/to/YourKeychain.keychain

14. If the keychain was properly unlocked and the UUID matches a locked volume, you will see a progress bar and then a success message.
15. Once the volume is unlocked, it is already mounted inside /Volumes with its original label. You can now use the Terminal to navigate it and recover information, for example by copying to the mounted USB drive, using tools such as rsync or mounting a network drive and doing a remote copy.
16. At this point, it is possible to fully remove FileVault 2 and bring back the machine to its state before encryption. To do this, first unlock the volume (with the previous command) and then issue the following command, using the appropriate ID

diskutil apfs decryptVolume /dev/apfs_volume_id_here

17. You’ll see a success message and after a reboot you will be presented with the standard login screen

woohooo!!! this works!!!! Thank you!!!

Thank you for these excellent instructions, @bearzooka!

Though does anyone have any idea how to address step 8 of the APFS instructions if you can't get to Terminal in Recovery Mode? On a test laptop, no matter what I try when booting into recovery mode, it prompts for a user's password, and failing a password, it wants the individual recovery key. This limitation prevents access to Terminal from the Utilities. Is there something I am missing? Additionally, is this happening because I set both an individual key and an institutional key?

Need help with recovery... Anyone know hot to resolve this error?

ELUO88:~ eluo$ diskutil apfs unlockVolume disk4s1 -recoverykeychain ~/Desktop/FileVaultRecovery.keychain 
Unlocking the institutional recovery cryptographic user on APFS Volume disk4s1
Error unlocking APFS Volume: Couldn't rediscover disk after operation (-69822)

Above works fine with another institutional encrypted drive. One big difference is that this drive with the error is a 2 TB drive.

I got it to decrypt using a computer running macOS 10.14 (the same OS as the problem computer), connected via Thunderbolt cable in Target Disk mode.
The above error message came from a host computer running macOS 11.4.
:)

Yeah same issue, you can't access the terminal, it just says "This volume has no admin users to authenticate..."

When attempting to unlock via Target Disk Mode we get the following error, any ideas?