FileVault 2 Key Escrow + Long String

zinkotheclown
Contributor II

I've been using homebysix's reissue_filevault_recovery_key.sh script in a policy to recover lost FV2 recovery keys, but lately the keys that are recovered are these crazy long strings:

58c21658eec145f38b7e5bacef409c0a

Has anyone seen anything like this? What could be causing this?

5 REPLIES

bryan_hengels
New Contributor II

Which version of Jamf Pro are you running? There was an issue fixed in 10.10.0 (PI-006374 http://docs.jamf.com/10.10.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html) that could lead to the recovery key being stored in that form if a certificate on the server reached its expiration date. If that's the issue you are running into then upgrading to 10.10.0 or higher should fix the keys that were stored like that on the upgrade so that they're again presented in a form that is usable for you.

zinkotheclown
Contributor II

I am running 10.9.0 so that would make sense. Thanks for that info!

steve_summers
Contributor III

So, this EXACT issue happened to me last month. After I stopped hyperventilating I worked with the folks at Jamf (who were great) and it was due to the FV cert expiring inside my Jamf Pro server. Basically, to fix it, I had to do the following:
- Assess the situation by creating a smart group, looking for people whose keys were "Invalid"
- Create a new configuration profile for FV Key Redirection
- Create a policy for those folks with the invalid keys which reissues a new key
- Validate the key issue is fixed after they run the policy

Shout out to Benjamin Julian on Jamf Support who talked me off the ledge on this one. Hope that helps.

cainehorr
Contributor III

@steve.summers - We've encountered perfectly formatted FV keys being declared as "Invalid" - not certain that's a bulletproof methodology. But I suppose it's better than nothing.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!
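A shape check that could supplement the "assess" step discussed above, given that an "Invalid" flag alone may not be reliable. This is an added example, not code from the thread or from Jamf; the `computer,key` CSV layout, the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify escrowed FileVault recovery-key strings by shape.
# Assumption: input is a "computer,key" CSV you exported yourself; the column
# layout and all sample rows below are constructed, not Jamf Pro output.

# Print the shape of one key string: prk | hex32 | empty | other
classify_key() {
  local key
  # Strip whitespace and carriage returns that CSV exports often carry.
  key=$(printf '%s' "$1" | tr -d '[:space:]')
  if [ -z "$key" ]; then
    echo empty
  elif printf '%s' "$key" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'; then
    echo prk        # six groups of four, as macOS displays a personal recovery key
  elif printf '%s' "$key" | grep -Eiq '^[0-9a-f]{32}$'; then
    echo hex32      # the long-string form reported in this thread
  else
    echo other
  fi
}

# Read "computer,key" rows on stdin; report every row that is not PRK-shaped.
# Only the computer name and the shape are printed, never the key itself.
audit_escrow() {
  local computer key shape
  while IFS=, read -r computer key || [ -n "$computer" ]; do
    [ "$computer" = "computer" ] && continue   # skip header row
    shape=$(classify_key "$key")
    [ "$shape" = "prk" ] || printf '%s\t%s\n' "$computer" "$shape"
  done
}

# Constructed sample rows (no real keys).
sample_rows() {
  cat <<'EOF'
computer,key
mac-001,ABCD-EF12-3456-GHIJ-KL78-MN90
mac-002,0123456789abcdef0123456789abcdef
mac-003,
mac-004,abcd-ef12-3456
EOF
}

sample_rows | audit_escrow
```

A key that passes the shape check is only well-formed; confirming that it actually unlocks the volume still has to happen on the Mac itself.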

Hugonaut
Valued Contributor II

I had this same problem - found out it was due to certificate expiration - created a new institutional key as per Apple - https://support.apple.com/en-us/HT202385

Added it to Jamf - distributed it with Jamf & voilà - problem solved. Not on Jamf 10.10 either. Hope this helps.
