FileVault 2 Institutional Recovery Key usage

bearzooka
Contributor

Hey, guys!

I am testing our company's FileVault 2 workflow and I haven't been able to use the Institutional Recovery Key, simulating the scenario in which we don't have access to the enabled user's password nor his/her personal recovery key.

We have an encryption configuration with both recovery keys. To test it out, I downloaded from the JSS a RecoveryKey.p12 file and put it into a USB drive. Then, booted the "affected" machine into recovery mode, obtained the logical volume's UUID and then ran the following:

diskutil cs unlockVolume UUID-OFTHE-VOLUME -recoveryKeychain /Volumes/USBDrive/RecoveryKey.p12

And the response I get is:

Error: -69749: Unable to unlock the Core Storage volume

It's worth mentioning that this is a Sierra machine, so the drive is HFS.

Is this procedure correct or am I missing something?

Thanks for your support!


12 REPLIES

kwvarga
New Contributor

Hey @bearzooka - Did you ever get this resolved? I'm running into the exact same issue.

bearzooka
Contributor

Well, @kwvarga, the process is more convoluted than what I thought:
1. Download the Institutional Recovery Key from the FileVault 2 section of the Management tab of any machine’s inventory page. The key will be the same for all machines that were encrypted using the same JSS policy. The downloaded file will be called RecoveryKey.p12 and has a password that was set when the policy was created.
2. Open the Keychain Access application and then select File > New Keychain…
3. You will be asked for a name and a path for this element. It’s recommended to use a simple name and place it on the Desktop.
4. You will be asked to set a password for this Keychain. It’s recommended to use a simple password that you can share with the IT personnel that will be involved in decrypting the affected machine.
5. Drag the RecoveryKey.p12 file into the main pane of the Keychain Access application, making sure that the keychain that you just created is selected. As soon as you drop the file you will be prompted for the password that opens the p12 file.
6. Then, you will be asked for the password you set for the keychain (step 4) and afterwards, the items of the p12 file will be visible inside the keychain.
7. Move the keychain item you just created from the desktop into a USB drive that you will use to unlock the locked machine and after making sure it was copied, delete it and the p12 file from your hard drive in a secure way.
8. Boot the affected machine into recovery mode and issue the EFI password if necessary.
9. Inside the recovery mode open the Terminal from the Utilities menu and use the following command to obtain the UUID of the locked volume:

diskutil corestorage list

10. This command will provide a list of all the logical volumes available. Locate the volume that is locked, select and copy its UUID (the long string next to Logical Volume).
11. Insert the USB that contains the Recovery Keychain and locate the path of the USB inside the Volumes folder
12. Unlock the Recovery Keychain using the following command, but using the appropriate path to your USB drive and keychain file

security unlock-keychain "/Volumes/My USB/FileVaultRecovery.keychain"

13. You will be asked for a password, this is the one you set while creating the recovery keychain on step 4.
14. With the Recovery Keychain unlocked, use the following command to unlock the drive, replacing the disk UUID for your own (step 9) and the path to your keychain.

diskutil corestorage unlockVolume UUID_HERE -recoveryKeychain "/Volumes/My USB/FileVaultRecovery.keychain"

15. If the keychain was properly unlocked and the UUID matches a locked volume, you will see a progress bar and then a success message.
16. Once the volume is unlocked, it is also mounted inside /Volumes with its original label. You can now use the Terminal to navigate it and recover information, for example by copying to the mounted USB drive, using tools such as rsync or mounting a network drive and doing a remote copy.
17. At this point, it is possible to remove FileVault 2 encryption altogether and bring back the machine to its state before encryption. To do this, first unlock the volume (with the previous command) and then issue the following command, using the appropriate UUID and keychain path:

diskutil corestorage revert UUID_here -recoveryKeychain "/Volumes/My USB/FileVaultRecovery.keychain"

18. You’ll see a success message and after a reboot you will be presented with the standard login screen.

I hope this was clear enough. It took me a couple of attempts to do the whole thing right, but once you get the hang of it, it's easy to repeat.

jclements
New Contributor III

Wow, great post. Thank you for writing out all of that.

anthonytji
New Contributor III

i was able to unlock it but my drive is APFS not sure how to revert it

McGinn
Contributor

Dude, @bearzooka amazing instructions! Thanks to you I was successfully able to decrypt a drive that we lost the password to. Thanks so much for taking the time to write this out.

bearzooka
Contributor

As an addendum to the previous process, it's important to mention that it works with HFS drives; however, for APFS it's necessary to go as follows:
(STEPS 1 - 7 are the same)
1. Download the Institutional Recovery Key from the FileVault 2 section of the Management tab of any machine’s inventory page. The key will be the same for all machines that were encrypted using the same JSS policy. The downloaded file will be called RecoveryKey.p12 and has a password that was set when the policy was created.
2. Open the Keychain Access application and then select File > New Keychain…
3. You will be asked for a name and a path for this element. It’s recommended to use a simple name and place it on the Desktop.
4. You will be asked to set a password for this Keychain. It’s recommended to use a simple password that you can share with the IT personnel that will be involved in decrypting the affected machine.
5. Drag the RecoveryKey.p12 file into the main pane of the Keychain Access application, making sure that the keychain that you just created is selected. As soon as you drop the file you will be prompted for the password that opens the p12 file.
6. Then, you will be asked for the password you set for the keychain (step 4) and afterwards, the items of the p12 file will be visible inside the keychain.
7. Move the keychain item you just created from the desktop into a USB drive that you will use to unlock the locked machine and after making sure it was copied, delete it and the p12 file from your hard drive in a secure way.
8. Inside the recovery mode open the Terminal from the Utilities menu and use the following command to obtain the UUID of the locked volume:

diskutil apfs list

9. This command will provide a list of all the logical volumes available. Locate the volume that is marked as locked, select and copy its identifier. In the case of the image, disk2s1.
10. Insert the USB that contains the Recovery Keychain and locate the path of the USB inside the Volumes folder
11. Unlock the Recovery Keychain using the following command, with the appropriate path to your USB drive and keychain file

security unlock-keychain "/Volumes/My USB/FileVaultRecovery.keychain"

12. You will be asked for a password, this is the one you set while creating the recovery keychain on step 4.
13. With the Recovery Keychain unlocked, use the following command to unlock the drive, replacing the disk ID for your own (step 9) and the path to your keychain in the USB

diskutil apfs unlockVolume /dev/apfs_volume_id_here -recoverykeychain /path/to/YourKeychain.keychain

14. If the keychain was properly unlocked and the UUID matches a locked volume, you will see a progress bar and then a success message.
15. Once the volume is unlocked, it is already mounted inside /Volumes with its original label. You can now use the Terminal to navigate it and recover information, for example by copying to the mounted USB drive, using tools such as rsync or mounting a network drive and doing a remote copy.
16. At this point, it is possible to fully remove FileVault 2 and bring back the machine to its state before encryption. To do this, first unlock the volume (with the previous command) and then issue the following command, using the appropriate ID

diskutil apfs decryptVolume /dev/apfs_volume_id_here

17. You’ll see a success message and after a reboot you will be presented with the standard login screen.
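As an added example (not code from bearzooka's posts or from Jamf), the following POSIX shell script ties the CoreStorage procedure earlier in the thread and this APFS one together: it reads `diskutil corestorage list` or `diskutil apfs list` output and picks out the identifier of every locked volume (the Logical Volume UUID for CoreStorage, the device such as disk2s1 for APFS), unlocks the recovery keychain, and issues the matching unlockVolume command with the keychain path passed as a single argument. The two diskutil listings embedded in it are constructed samples written for this example, and the function names, the `DRY_RUN` variable and all UUIDs and device names are this example's own assumptions, not values from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread: find the locked FileVault volume in
# diskutil output and run the unlock sequence from the two procedures above.
# Both diskutil listings below are CONSTRUCTED by hand for this example; the
# UUIDs and device names in them are placeholders, not values from a real Mac.

SAMPLE_APFS_LIST='APFS Container (1 found)
|
+-- Container disk1 11111111-2222-3333-4444-555555555555
    ====================================================
    APFS Container Reference:     disk1
    |
    +-> Volume disk1s1 AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s2 FFFFFFFF-0000-1111-2222-333333333333
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s2 (Preboot)
        Name:                      Preboot (Case-insensitive)
        Mount Point:               Not Mounted
        FileVault:                 No'

SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-1111-2222-3333-444444444444
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 55555555-6666-7777-8888-999999999999
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        |
        +-> Logical Volume 12345678-90AB-CDEF-1234-567890ABCDEF
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            LV Name:               Macintosh HD
            Content Hint:          Apple_HFS'

# Read diskutil apfs/corestorage list output on stdin and print one identifier
# per LOCKED volume: the device (disk1s1) for APFS, the Logical Volume UUID for
# CoreStorage. Unlocked and non-encrypted volumes produce no output.
locked_volumes() {
  awk '
    # APFS: remember the device of the current volume, emit it if it is locked.
    /APFS Volume Disk \(Role\):/ {
      if (match($0, /disk[0-9]+s[0-9]+/)) vol = substr($0, RSTART, RLENGTH)
    }
    /FileVault:/ && /Yes \(Locked\)/ { if (vol != "") { print vol; vol = "" } }
    # CoreStorage: only "+-> Logical Volume <UUID>" lines, not the Family line.
    /[+]-> Logical Volume [0-9A-Fa-f-]+[ \t]*$/ { lv = $NF }
    # The LV "Status:" line; the Family "Encryption Status:" line does not match.
    /^[ \t|]*Status:[ \t]+Locked/ { if (lv != "") { print lv; lv = "" } }
  '
}

# Echo instead of executing when DRY_RUN=1, so the sequence can be checked on
# a machine without diskutil (for example when testing this script on Linux).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Unlock the recovery keychain, then the volume, choosing the diskutil
# subcommand from the identifier shape. The keychain path is passed as ONE
# argument, so a path with a space such as "/Volumes/My USB/..." stays intact.
unlock_volume() {
  id=$1
  keychain=$2
  run security unlock-keychain "$keychain"
  case $id in
    disk*) run diskutil apfs unlockVolume "$id" -recoverykeychain "$keychain" ;;
    *)     run diskutil corestorage unlockVolume "$id" -recoveryKeychain "$keychain" ;;
  esac
}

# Stand-alone use in the Recovery Terminal:
#   sh unlock.sh "/Volumes/My USB/FileVaultRecovery.keychain"
if [ $# -eq 1 ] && command -v diskutil >/dev/null 2>&1; then
  for id in $(diskutil apfs list 2>/dev/null | locked_volumes) \
            $(diskutil corestorage list 2>/dev/null | locked_volumes); do
    unlock_volume "$id" "$1"
  done
fi
```

The point the quoting makes is the one most likely to bite when typing the thread's commands by hand: an unquoted `/Volumes/My USB/FileVaultRecovery.keychain` is split by the shell into two arguments and `security` / `diskutil` never see the real path. The script stops at unlocking; the `revert` / `decryptVolume` step from the posts is left as a manual command, since it changes the disk permanently.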

evaldes
New Contributor III

woohooo!!! this works!!!! Thank you!!!

PeterPrevailion
New Contributor

Thank you for these excellent instructions, @bearzooka!

Though does anyone have any idea how to address step 8 of the APFS instructions if you can't get to Terminal in Recovery Mode? On a test laptop, no matter what I try when booting into recovery mode, it prompts for a user's password, and failing a password, it wants the individual recovery key. This limitation prevents access to Terminal from the Utilities. Is there something I am missing? Additionally, is this happening because I set both an individual key and an institutional key?

Yeah same issue, you can't access the terminal, it just says "This volume has no admin users to authenticate..."

EdLuo
Contributor II

Need help with recovery... Anyone know how to resolve this error?

ELUO88:~ eluo$ diskutil apfs unlockVolume disk4s1 -recoverykeychain ~/Desktop/FileVaultRecovery.keychain 
Unlocking the institutional recovery cryptographic user on APFS Volume disk4s1
Error unlocking APFS Volume: Couldn't rediscover disk after operation (-69822)

Above works fine with another institutional encrypted drive. One big difference is that this drive with the error is a 2 TB drive.

EdLuo
Contributor II

I got it to decrypt using a computer running macOS 10.14 (the same OS as the problem computer), connected via Thunderbolt cable in Target Disk mode.
The above error message came from a host computer running macOS 11.4.
:)

djrory
Contributor

When attempting to unlock via Target Disk Mode we get the following error, any ideas?

Error unlocking APFS Volume: The external-to-APFS security system's credential certificate was not found (-69535)