Posted on 02-23-2017 10:43 AM
In our environment, when a user calls the Help Desk for a recovery key, it is given over the phone. We've used another FV2 product (Symantec Endpoint Encryption) and prior to that PGP. With both products, when a Help Desk analyst retrieves the recovery key, it is automatically rotated, so the user can only use it one time and doesn't put it on a post-it note on their desk.
With JAMF FV2 management, this does not happen automatically, although there is a policy to 'manually' rotate the recovery key. Does anyone else see automatic key rotation as a need or do you use a different workflow?
Posted on 02-24-2017 12:32 AM
Is that what you're looking for?
Posted on 02-24-2017 07:51 AM
Just read that one myself last night, after it was linked from @rtrouton's blog. Good stuff!
Now I just have to figure out why ~20% of my machines show that they don't have a FV redirection policy applied, even though it is in our main security Profile...
Posted on 02-24-2017 09:15 AM
Couple of things on that workflow. A LaunchAgent isn't going to work; it will have to be a LaunchDaemon to have permission to run those commands in the script, and this doesn't account for no internet while logged in with that key. So you could add logic that, if no internet is found, writes out to a dummy file that you have an extension attribute looking for, which could trigger the same policy, so at least it's caught on the next inventory update.
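An added sketch of the LaunchDaemon plus fallback-marker flow described in the reply above (example code, not from this thread or from Jamf): it assumes the jamf binary at /usr/local/bin/jamf and a rotation policy with a custom trigger named rotate-fv2-key, while the marker path, daemon label and script path are hypothetical placeholders. How the daemon detects that a recovery key was used is left to the linked write-up; this only shows the rotate-or-defer logic and the extension attribute that catches the deferred case.

```shell
#!/bin/bash
# Added example, not code from the thread: LaunchDaemon-driven rotation flow.
# If the Jamf server is reachable, fire the rotation policy; otherwise leave a
# marker that an extension attribute reports, so the policy runs at the next
# inventory. Assumes /usr/local/bin/jamf and a custom trigger "rotate-fv2-key";
# the marker path and daemon label are hypothetical placeholders.
set -u

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
ROTATE_TRIGGER="${ROTATE_TRIGGER:-rotate-fv2-key}"
MARKER="${MARKER:-/Library/Application Support/JAMF/.fv2_rotation_pending}"

# Connectivity check: succeeds only if the enrolled Jamf server answers.
jss_reachable() {
  "$JAMF_BIN" checkJSSConnection -retry 0 >/dev/null 2>&1
}

# Run the rotation policy now, or record that it is still pending.
# Prints "rotated" or "deferred" so a caller can see which path ran.
rotate_or_defer() {
  if jss_reachable; then
    "$JAMF_BIN" policy -event "$ROTATE_TRIGGER" >/dev/null 2>&1 || return 1
    rm -f "$MARKER"
    echo "rotated"
  else
    date -u +%Y-%m-%dT%H:%M:%SZ > "$MARKER"   # when the attempt was deferred
    echo "deferred"
  fi
}

# Extension attribute body: a smart group on "Pending" scopes a policy that
# runs the same trigger on the next check-in, so a deferred rotation is caught.
ea_rotation_pending() {
  if [ -f "$MARKER" ]; then echo "<result>Pending</result>"; else echo "<result>None</result>"; fi
}

# LaunchDaemon plist: daemons run as root, which the jamf calls above need;
# a LaunchAgent runs as the logged-in user. $1 = plist path, $2 = script path.
write_launchdaemon() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.fv2rotate</string>
  <key>ProgramArguments</key><array><string>/bin/bash</string><string>$2</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}
```

Load the plist with `launchctl load /Library/LaunchDaemons/com.example.fv2rotate.plist` (root) and attach `ea_rotation_pending` as the extension attribute script; the marker is cleared the first time the rotation trigger actually runs.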