Encryption Recovery Keys Missing - Casper 9.2 Update

spotter
New Contributor III

After updating our current JSS from 8.71 to 9.2 I have noticed the following:
** Individual Recovery Key Validation: Unknown
** Institutional Recovery Key: Not Present

Before the upgrade these fields populated correctly.

Has anyone else experienced this?
Any clue on how to make these keys be available again?

Thanks in advance....

9 REPLIES

mm2270
Legendary Contributor III

Ouch! Are you seeing this on any and all Macs that should have FV2 Recovery Keys? Or just on certain ones?

If it's happening on a lot of them, I'd get on a call with JAMF ASAP about it.

As for getting them back, if they are simply not getting correctly represented in the db due to a permissions issue or something like that, and JAMF can help you, you may be OK. If they are in fact gone, I'm sorry to say it, but your only recourse may be to decrypt and re-encrypt those Macs to recapture a new key. The Recovery Key isn't stored anywhere on the system to grab it again, due to security reasons. It gets picked up in an xml file generated by the Casper Suite disk encryption process, but once it's sucked up into the db, the xml file is deleted.

spotter
New Contributor III

I was hoping the response wouldn't be that (let me find a window to jump out of)... and yes I'm seeing it on all devices....

mm2270
Legendary Contributor III

Don't jump out of any windows just yet. :)

First, get a case open with your JAMF account manager right away if you haven't done so already.
Second, you do have a good backup of your previous 8.71 database, right? Right?
I'm going to assume yes and if so, JAMF may be able to work with you to re-do the upgrade and get the keys in. It's possible the table where the keys were stored simply didn't make it over correctly in the upgrade.

Lastly, did you happen to use both an Individual and Institutional Recovery key setup? If so, if it turns out you really do need to redo the encryption process, you at least have an additional method for emergency decryption if needed. It's more work with the Institutional key, but it's something. If you only have Individual keys set up, well, then just hope that no-one forgets their password.

The important thing is, don't try to solve this on your own. Get with your TAM as soon as possible.

bethk
Community Manager

The FileVault Recovery Keys have been moved in version 9. They are now stored in the Management section of the computer inventory, within the FileVault 2 tab.

Please contact your Account Manager if they do not display there.

donmontalvo
Esteemed Contributor II

Did you drop the jamfsoftware database before upgrading? ;)

IOW, backup, drop database, upgrade, import database.

--
https://donmontalvo.com

scafide
Community Manager

Potter,

If you're a full admin in your JSS, let's click on System Settings>>Accounts and Groups>>Click On Your Account>>Edit>>Privileges and grant yourself full privileges. Let's then log out and back into the JSS.

Thanks!

Mike

spotter
New Contributor III

@mm2270 - Thanks for the advice

Don't jump out of any windows just yet. :)

I rebuilt my test JSS from one of the several "backups" before the upgrade. Ran through the upgrade process and my keys are there... I should be able to move the upgraded database over to my production JSS, right?

mm2270
Legendary Contributor III

@Potter I don't feel comfortable answering that question for you, since I don't know anything about your environment, server setup and OS, etc. Too many variables to account for and things that could go wrong. I'd advise you to get with JAMF support if you need the assistance. That's part of what your account manager is there for, especially since your first upgrade attempt didn't really go according to plan.

Hope that helps.

tkimpton
Valued Contributor II

Thankfully I'm using Sophos SafeGuard ;) (smiling to the cheeky bugger that mocked me)