Solved

Adding user to FileVault using fdesetup and recovery key



We have laptops that are encrypted with personal recovery keys that are escrowed in the JSS. I've had several users recently get locked out of their computer because their account somehow got dropped from being FileVault-enabled. To re-enable them I'm running this on their machine:

sudo fdesetup add -usertoadd SAD_USER

After hitting enter, this is what happens in terminal:

Enter the user name:ADMIN_USER
Enter the password for user 'ADMIN_USER':
Enter the password for the added user 'SAD_USER':

If the ADMIN_USER is FileVault-enabled, and I have SAD_USER's password, then it works. But I don't want to know SAD_USER's password. I want to use the personal recovery key, which I have. Pasting in the recovery key instead of the password results in an authentication error. In addition to making this work with the recovery key, I'd also like to be able to do it in one line, or somehow automate it. What am I missing here?

Best answer by jssmith (January 3, 2018)

You can't add a user to FileVault without having their password. The recovery key can be used to unlock the disk and/or disable FileVault, but it's not tied to an individual user's credentials.

5 replies


  • Author
  • New Contributor
  • 7 replies
  • January 4, 2018

Thanks @justin.smith! Now that I'm reading it, it seems obvious.


  • New Contributor
  • 2 replies
  • January 11, 2019

The next step, if you need to require a password change, is:

sudo pwpolicy -a YOURADMINNAME -u ACCOUNT_NAME -setpolicy "newPasswordRequired=1"


  • New Contributor
  • 67 replies
  • January 11, 2019

As others said, you need the password. You can pass it in as a parameter.

The following will allow the fdesetup interactive prompt to 'self-populate':

# Export the four values first; expect reads them from its environment,
# so the passwords never appear in the process arguments (visible via ps).
export userName adminName adminPass userPass
expect <<'EOF'
spawn fdesetup add -usertoadd $env(userName)
# The prompt wording differs between macOS versions ("user name" / "primary user name"),
# so match it with a glob. Each answer must be terminated with a carriage return.
expect "Enter the *user name:"
send "$env(adminName)\r"
expect "Enter the password for *:"
send "$env(adminPass)\r"
expect "Enter the password for the added user *:"
send "$env(userPass)\r"
expect eof
EOF
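The same non-interactive add, as an added example that is not part of any reply in this thread: instead of driving the interactive prompts with expect, it feeds fdesetup its -inputplist form (the option quoted from the man page later in this thread) on stdin, so neither password is visible in process arguments or shell history. It assumes the plist keys Username, Password and AdditionalUsers as documented in fdesetup(8); the function names (xml_escape, build_plist, read_secret, fv_add_user) are this example's own, and it still needs the added user's password, as the accepted answer states. It only does anything on macOS with an already FileVault-enabled admin account.

```shell
#!/bin/sh
# Added example, not from the thread: non-interactive `fdesetup add -inputplist`.
# Assumed (from fdesetup(8)): top-level Username/Password authenticate as a
# FileVault-enabled admin; AdditionalUsers lists the accounts to enable, each
# with its own Username/Password. All function names here are this example's own.

# Escape a value for an XML <string> element so a password containing
# & < > " ' can neither break the plist nor inject extra keys into it.
xml_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&apos;/g"
}

# build_plist ADMIN_USER ADMIN_PASS USER_TO_ADD USER_PASS
# Prints the input plist that fdesetup reads from stdin.
build_plist() {
    admin_user=$(xml_escape "$1")
    admin_pass=$(xml_escape "$2")
    add_user=$(xml_escape "$3")
    add_pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>${admin_user}</string>
    <key>Password</key>
    <string>${admin_pass}</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>${add_user}</string>
            <key>Password</key>
            <string>${add_pass}</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Prompt for a secret on the terminal without echoing it (POSIX sh has no `read -s`).
read_secret() {
    printf '%s' "$1" >&2
    stty -echo
    read -r secret
    stty echo
    printf '\n' >&2
    printf '%s' "$secret"
}

# fv_add_user ADMIN_USER USER_TO_ADD
# Pipes the plist to fdesetup, then confirms the account is listed as FileVault-enabled
# (`fdesetup list` prints one "username,UUID" line per enabled user).
fv_add_user() {
    admin_user=$1
    add_user=$2
    admin_pass=$(read_secret "Password for FileVault-enabled admin '${admin_user}': ")
    add_pass=$(read_secret "Password for user to add '${add_user}': ")
    build_plist "$admin_user" "$admin_pass" "$add_user" "$add_pass" \
        | sudo fdesetup add -inputplist || return 1
    sudo fdesetup list | cut -d, -f1 | grep -qxF "$add_user" \
        && echo "${add_user} is now FileVault-enabled"
}
```

Usage on the affected Mac: source the file and run `fv_add_user ADMIN_USER SAD_USER`; both passwords are read from the terminal. The xml_escape step is the part people skip and regret: a password such as `p<&>w` would otherwise produce a malformed plist and an unhelpful authentication error from fdesetup.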

  • New Contributor
  • 1 reply
  • April 17, 2019

I want to add a user and I know his password. But instead of an existing user, I want to use the institutional recovery key.

This is a cutout of the "fdesetup" man page:

add -usertoadd added_username ... | -inputplist [-verbose]
Adds additional FileVault users. A FileVault user password or recovery key must be used to authenticate.

What is the command for that?



