FileVault 2 Recovery Key Rotation

mapurcel
Contributor III

In our environment, when a user calls the Help Desk for a recovery key, it is given over the phone. We've used another FV2 product (Symantec Endpoint Encryption) and prior to that PGP. With both products, when a Help Desk analyst retrieves the recovery key, it is automatically rotated, so the user can only use it one time and doesn't put it on a Post-it note on their desk.

With JAMF FV2 management, this does not happen automatically, although there is a policy to 'manually' rotate the recovery key. Does anyone else see automatic key rotation as a need or do you use a different workflow?


Chris
Valued Contributor

KSchroeder
Contributor

Just read that one myself last night, after it was linked from @rtrouton's blog. Good stuff!

Now I just have to figure out why ~20% of my machines show that they don't have a FV redirection policy applied, even though it is in our main security Profile...

mike_paul
Contributor III

A couple of things on that workflow. A LaunchAgent isn't going to work; it will have to be a LaunchDaemon to have permission to run those commands in the script, and this doesn't account for no internet while logged in with that key. So you could add logic that, if no internet is found, writes out to a dummy file that you have an extension attribute looking for, which could trigger the same policy, so at least it's caught on the next inventory update.
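As an added example (not code from this thread or from Jamf), the following shell script sketches the fallback described above: run from a LaunchDaemon as root, it triggers the Jamf rotation policy when the JSS is reachable and otherwise leaves a marker file that an extension attribute reports, so the rotation policy can be scoped to a smart group on that EA and fire at the next inventory update. The custom trigger name `rotateFV2RecoveryKey`, the marker path, and the existence of a Jamf policy that actually performs the rotation are assumptions; the reachability probe uses `jamf checkJSSConnection`.

```shell
#!/bin/bash
# Added example, not from the thread. Marker-file fallback for triggering a
# FileVault 2 recovery key rotation policy after the Help Desk reads the key.
#
# Assumptions (not from the thread):
#   - A Jamf policy exists that rotates the key and is enabled for the
#     custom trigger "rotateFV2RecoveryKey" (hypothetical trigger name).
#   - The marker path below is free for our use (constructed path).
#   - This script is installed and run by a LaunchDaemon (root), not a
#     LaunchAgent, so the jamf binary has the permissions it needs.

MARKER="${FV2_ROTATE_MARKER:-/private/var/db/.fv2_key_rotation_pending}"
TRIGGER="rotateFV2RecoveryKey"

# Returns 0 when the jamf binary can reach the JSS, 1 otherwise.
jss_reachable() {
    command -v jamf >/dev/null 2>&1 || return 1
    jamf checkJSSConnection >/dev/null 2>&1
}

# Leave a marker for the extension attribute. The file holds the UTC time
# the rotation was requested so the EA (and an admin) can see how stale it is.
write_marker() {
    local marker="${1:-$MARKER}"
    mkdir -p "$(dirname "$marker")"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$marker"
    chmod 600 "$marker"
}

# Remove the marker once the rotation policy has run.
clear_marker() {
    rm -f "${1:-$MARKER}"
}

# Decide between rotating now and deferring to the next inventory update.
#   $1: optional "online"/"offline" override (used for offline testing);
#       when empty, the JSS is probed.
#   $2: optional marker path (defaults to $MARKER).
# Prints "pending" when the rotation was deferred.
request_rotation() {
    local state="${1:-}"
    local marker="${2:-$MARKER}"
    if [ -z "$state" ]; then
        if jss_reachable; then state=online; else state=offline; fi
    fi
    if [ "$state" = online ]; then
        # Online: fire the custom trigger so the rotation policy runs now,
        # and drop any stale marker so the EA stops reporting "Pending".
        jamf policy -event "$TRIGGER" && clear_marker "$marker"
    else
        # Offline (e.g. the key was just used at a login with no network):
        # record the request; the EA below surfaces it at the next recon.
        write_marker "$marker"
        echo "pending"
    fi
}

# Extension attribute body. Paste into a Jamf EA script and scope the
# rotation policy to a smart group where this EA starts with "Pending".
ea_result() {
    local marker="${1:-$MARKER}"
    if [ -s "$marker" ]; then
        echo "<result>Pending since $(cat "$marker")</result>"
    else
        echo "<result>None</result>"
    fi
}

# When launched by the LaunchDaemon, probe the JSS and act; when sourced
# (e.g. by a test), only define the functions above.
if [ "${1:-}" = "--run" ]; then
    request_rotation
fi
```

The rotation policy itself should clear the marker as its last step (or call `clear_marker`) so the smart group empties after a successful rotation; otherwise the EA keeps reporting the machine as pending and the policy would re-run on every check-in.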