Filevault 2 Institutional Recovery Key not working

monosodium
Contributor

Hello all,

I feel like I am just missing something here, but I am testing out the option to deploy filevault to our employees at my University. I want to make sure we have a clear method for data recovery should the user forget their password and/or our management account is not filevault-enabled.

I set up a policy to enable Filevault, made an institutional key and uploaded it to Casper. Everything seems to work fine with that and I can see that Filevault is enabled on my test machine and Casper sees it as well. However, I cannot for the life of me get the recovery key to actually work. I have tried typing in the key exactly into the password field and into the "unlock" option in disk utility (on recovery partition) to no avail. I have also tried all variants of this I can think of (although all documentation says it needs to match exactly).

Any ideas why this recovery key appears to do nothing as far as recovery is concerned?

Thanks!

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

@monosodium,

Institutional recovery keys (IRKs) work a bit differently than Personal recovery keys (PRKs). For information on how to use an institutional key to unlock or decrypt a FileVault 2-encrypted Mac, please see the post below:

https://derflounder.wordpress.com/2014/08/13/filevault-2-institutional-recovery-keys-creation-deploy... (please see the Using FileVaultMaster.keychain to recover your data section.)

6 REPLIES

monosodium
Contributor

@rtrouton Thanks for that link! I knew that there were differences between the PRKs and IRKs but could not find a good resource on what those differences were. Apple's documentation does not really detail the differences between the two.

pueo
Contributor II

@rtrouton

I am familiar with the documentation you mentioned to @monosodium to read through when trying to unlock an encrypted disk using an institutional key. But I am getting stuck at the beginning.
Where I am stuck is this line:

security unlock-keychain /path/to/FileVaultMaster.keychain

What is the path to my keychain? The drive is not mounted so you can 'see' the OS X volume. The only /Library/Keychains folder is part of the Recovery partition and does not contain the .keychain file needed.

I am hoping I'm missing something really simple.

Cheers
Ashley

chriscollins
Valued Contributor

@pueo I am 99% sure that what he is referring to is when you generate a new master FileVault keychain, it has both the public and private keys inside it. You make a copy of the master FileVault keychain file and then remove the private key so only the public key is in there. This copy of the keychain without the private key inside it is what is actually uploaded to the JSS and used to encrypt the machine.

When he is referencing

security unlock-keychain /path/to/FileVaultMaster.keychain,

he actually means the original version of the FileVaultMaster.keychain with the public AND private key you originally generated, so wherever you would have a copy of that, like a USB key.

In the rare instances we have had to use our institutional key, we have the complete key only in a few secure places, we then copy it to a USB drive and then while booted from the recovery partition, unlock the full keychain file that is on the USB/thumb drive and then use it to unlock the drive.
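The recovery procedure chriscollins describes, as an added example script (not from the thread, rtrouton's post or Jamf): it unlocks the full FileVaultMaster.keychain on a USB drive, checks that the private key is really in it, and unlocks every locked CoreStorage logical volume found by `diskutil cs list`. The USB path, the constructed `diskutil cs list` sample and the "0 valid identities" wording of `security find-identity -v` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: recover a CoreStorage FileVault 2
# volume from the Recovery partition using the FULL FileVaultMaster.keychain
# (public + private key) copied to a USB drive. Assumed path:
# /Volumes/USB/FileVaultMaster.keychain. APFS volumes use
# `diskutil apfs unlockVolume <device> -recoveryKeychain <path>` instead.

# Print UUIDs of Logical Volumes whose Status is Locked, parsed from
# `diskutil cs list` output on stdin (Group/Family headers are skipped).
locked_lv_uuids() {
    awk '/Logical Volume [0-9A-Fa-f-]+ *$/ { uuid = $NF; next }
         /^[ |]*Status:/ { if (uuid != "" && $NF == "Locked") print uuid; uuid = "" }'
}

# Return 0 if $1 has the shape of a CoreStorage LV UUID.
valid_lv_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# The JSS copy of the keychain holds only the public key and cannot unlock
# anything. `security find-identity -v` lists cert+private-key pairs only,
# so "0 valid identities" (assumed wording) means the private key is absent.
keychain_has_private_key() {
    ! security find-identity -v "$1" 2>/dev/null | grep -q '0 valid identities'
}

# Unlock the keychain (prompts for the password set when the IRK was made),
# verify the private key is present, then unlock each locked LV with it.
irk_recover() {
    kc=$1
    [ -f "$kc" ] || { echo "keychain not found: $kc" >&2; return 1; }
    security unlock-keychain "$kc" || return 1
    keychain_has_private_key "$kc" ||
        { echo "$kc holds no private key; use the original master keychain" >&2; return 1; }
    diskutil cs list | locked_lv_uuids | while read -r lv; do
        valid_lv_uuid "$lv" || continue
        diskutil cs unlockVolume "$lv" -recoveryKeychain "$kc"
    done
}

# Constructed, trimmed sample of `diskutil cs list` output for exercising the parser.
SAMPLE_CS_LIST=$(cat <<'EOF'
+-- Logical Volume Group 0F1E2D3C-0000-4000-8000-000000000001
    Status:       Online
    +-> Logical Volume Family 0F1E2D3C-0000-4000-8000-000000000002
        Encryption Status:       Locked
        +-> Logical Volume 0F1E2D3C-0000-4000-8000-000000000003
            Status:                Locked
EOF
)

# Usage in the Recovery Terminal: sh irk_recover.sh /Volumes/USB/FileVaultMaster.keychain
if [ $# -eq 1 ]; then irk_recover "$1"; fi
```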

pueo
Contributor II

@chriscollins

Uh, makes more sense now. I'll give it a try.

Thanks.
a.

pueo
Contributor II

Moved to new discussion.