fdesetup, plists, and generating FV2 keychains

nkalister
Valued Contributor

Already asked Rich T about this on twitter, but I thought I'd post here as well . . .
I'm working on enabling filevault using the fdesetup command and a plist with a certificate embedded to create an institutional recovery key.
Normally when using an institutional recovery key, you start by creating a keychain in keychain access. During that process, you set the password on the FV2 master keychain, which then is supplied at the command line when the recovery key is used to decrypt the disk.
When using a plist with fdesetup, fdesetup creates the keychain from the embedded certificate in the plist. Since I didn't create the keychain, I don't know what password to use to unlock it. Anyone know what password is assigned to the FV2 master keychain when it's created by fdesetup?

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

That password is randomly-generated when the keychain is created and it is not stored anywhere. That said, it doesn't matter that you don't have the password. The only thing in the FileVaultMaster.keychain file which is generated by fdesetup is the public key and the only thing this particular keychain will be used for is to encrypt a Mac with FileVault 2.

If you need to do recovery, you will need another keychain that has both the private and public keys inside. If you don't already have a keychain like that, you'll need to create one and then add both keys to it. In either scenario, you won't be using the FileVaultMaster.keychain file which is stored in the encrypted Mac's /Library/Keychains directory to do the unlocking or decryption.
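To make the plist side of this concrete, here is an added example (not from the thread or from Apple's tooling) that builds the `-inputplist` payload the question describes, embedding only the DER certificate, which is why the keychain fdesetup generates from it carries nothing but the public key. It assumes the key names documented in fdesetup(8) (`Username`, `Password`, `Certificate`, `AdditionalUsers`); the sample certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import plistlib
import re

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def certificate_to_der(cert: bytes) -> bytes:
    """Return raw DER bytes for the Certificate <data> element.

    fdesetup wants the DER-encoded X.509 certificate; a PEM file must be
    base64-decoded first, otherwise the plist would carry a double-encoded
    blob that fdesetup cannot load."""
    m = _PEM_RE.search(cert)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if cert[:1] != b"\x30":  # every DER X.509 certificate starts with a SEQUENCE tag
        raise ValueError("input is neither a PEM nor a DER certificate")
    return cert


def build_fdesetup_plist(username, password, cert, additional_users=()):
    """Build the XML plist that is piped into `fdesetup enable -inputplist`.

    Only the certificate (public key) is embedded; the private key never
    leaves the recovery keychain kept off the client machine."""
    payload = {
        "Username": username,
        "Password": password,
        "Certificate": certificate_to_der(cert),  # plistlib writes bytes as <data>
    }
    if additional_users:
        payload["AdditionalUsers"] = [
            {"Username": u, "Password": p} for u, p in additional_users
        ]
    return plistlib.dumps(payload)


def load_payload(plist_bytes: bytes) -> dict:
    """Parse a generated plist back into a dict (Certificate comes back as bytes)."""
    return plistlib.loads(plist_bytes)


# Constructed stand-in for a DER certificate: a minimal SEQUENCE, not a real cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(build_fdesetup_plist("fvadmin", "example-password", SAMPLE_PEM).decode())
```

Because the payload carries an account password, feed it to `sudo fdesetup enable -inputplist` over stdin or from a root-only temporary file that is deleted afterwards rather than leaving it on disk.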

nkalister
Valued Contributor

ah, ok, that makes sense. thanks rich!