Adding user to FileVault using fdesetup and recovery key

jonathanwilson
New Contributor II

We have laptops that are encrypted with personal recovery keys that are escrowed in the JSS. I've had several users recently get locked out of their computer because their account somehow got dropped from being filevault-enabled. To re-enable them I'm running this on their machine:

sudo fdesetup add -usertoadd SAD_USER

After hitting enter, this is what happens in terminal:

Enter the user name:ADMIN_USER
Enter the password for user 'ADMIN_USER':
Enter the password for the added user 'SAD_USER':

If the ADMIN_USER is filevault-enabled, and I have SAD_USER's password, then it works. But I don't want to know SAD_USER's password. I want to use the personal recovery key, which I have. Pasting in the recovery key instead of the password results in an authentication error. In addition to making this work with the recovery key, I'd also like to be able to do it in one line, or somehow automate it. What am I missing here?

1 ACCEPTED SOLUTION

jssmith
New Contributor III

You can't add a user to Filevault without having their password. The recovery key can be used to unlock the disk and/or disable Filevault, but it's not tied to an individual user's credentials.


5 REPLIES

jonathanwilson
New Contributor II

Thanks @justin.smith! Now that I'm reading it, it seems obvious.

jim_pollard
New Contributor

The next step, if you need to require a password change, is:
sudo pwpolicy -a YOURADMINNAME -u ACCOUNT_NAME -setpolicy "newPasswordRequired=1"

isThisThing0n
Contributor

As others said you need the password. You can pass it in as a parameter.

The following will allow the fdesetup interactive prompt to 'self-populate':

# Requires the shell variables userName, adminName, adminPass and userPass to be
# set first, and must run as root (fdesetup add needs it). The passwords are
# visible to anyone who can read this script or its process environment.
expect -c "
spawn fdesetup add -usertoadd $userName
# The prompt wording differs between macOS versions ('Enter the user name:' vs
# 'Enter the primary user name:'), so match both with a regex.
expect -re {Enter the (primary )?user name:}
send \"$adminName\r\"
expect -re {Enter the password for (the )?user '$adminName':}
send \"$adminPass\r\"
expect \"Enter the password for the added user '$userName':\"
send \"$userPass\r\"
expect eof
"

jonny_s_17
New Contributor

I want to add a user, and I know his password. But instead of an existing user's password, I want to use the institutional recovery key.

This is an excerpt from the fdesetup man page:

add -usertoadd added_username ... | -inputplist [-verbose]
    Adds additional FileVault users. A FileVault user password or recovery key must be used to authenticate.

What is the command for that?
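One way to do what the man page excerpt above describes, as an added example that is not from anyone in this thread: the `-inputplist` form of `fdesetup add` takes an XML plist on standard input, and the top-level Password can be the recovery key (personal or institutional) while the account to add is listed under AdditionalUsers with its own password. The added user's password is still required, which is the point jssmith made; the recovery key only stands in for the authenticating admin's credential. The plist key names used here (Username, Password, AdditionalUsers) are from my reading of fdesetup(8) and should be checked against the man page on your macOS version; the function names, the environment variable names and the sample values are mine.

```bash
#!/bin/bash
# Added example (not from the thread): add a FileVault user non-interactively,
# authenticating with a recovery key instead of an admin's password.
# Assumption: per fdesetup(8), `fdesetup add -inputplist` reads an XML plist on
# stdin, the top-level Password may be a recovery key (Username left empty), and
# AdditionalUsers lists the accounts to enable with their own passwords. Verify
# the key layout against the man page on the target macOS version.
set -eu

# Escape the XML special characters so a password such as 'p&<w' does not
# break the plist or get silently mangled. Ampersand must be handled first.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the input plist.
# $1 = recovery key, $2 = user to add, $3 = that user's password.
build_add_plist() {
  local rk user pass
  rk=$(xml_escape "$1"); user=$(xml_escape "$2"); pass=$(xml_escape "$3")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string></string>
    <key>Password</key>
    <string>${rk}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${user}</string>
            <key>Password</key>
            <string>${pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Feed the plist to fdesetup over stdin so neither the recovery key nor the
# password shows up in `ps` output or shell history. Must run as root.
fdesetup_add_with_recovery_key() {
  build_add_plist "$1" "$2" "$3" | fdesetup add -inputplist
}

# Confirm the account is now enabled; `fdesetup list` prints "name,UUID" lines.
is_fv_enabled() {
  fdesetup list | cut -d, -f1 | grep -qx "$1"
}

# Usage (as root on the affected Mac, e.g. from a Jamf policy), with the three
# values supplied through the environment rather than hardcoded:
#   RECOVERY_KEY='XXXX-XXXX-XXXX-XXXX-XXXX-XXXX' SAD_USER=sad_user SAD_PASS='...' ./fv_add.sh
if [ "${RECOVERY_KEY:-}" ] && [ "${SAD_USER:-}" ] && [ "${SAD_PASS:-}" ]; then
  fdesetup_add_with_recovery_key "$RECOVERY_KEY" "$SAD_USER" "$SAD_PASS"
  is_fv_enabled "$SAD_USER" && echo "$SAD_USER is now FileVault-enabled"
fi
```

If you drive this from the JSS, note that the escrowed personal recovery key is rotated on some macOS versions after it is used to unlock the disk, so re-check the escrowed key afterwards; and the plist contains two secrets, which is why it is piped rather than written to a file.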