FileVault Recovery Key Redirection

chad_fox
Contributor II

Is anyone using the "specified URL" option for Recovery Keys? If so, what method are you using?

We are trying to determine the best way to store keys outside of the JSS. We don't want all of the HelpDesk techs to be able to download a .txt file with the Recovery Key included.



mm2270
Legendary Contributor III

I think most people use that to redirect the Recovery key to their JSS. That's what we use it for. One purpose of the key redirection functionality is to ensure that if a user manually enables FileVault 2 on their Mac by going into System Preferences > Security & Privacy > FileVault, Casper will still get the Recovery key escrowed to it. There's no more sinking feeling than finding out that someone who forgot their FV2 login password doesn't have a Recovery key escrowed for their Mac. If that account is the only one that can unlock the Mac at boot time, all data is lost on the device since there's literally no other way in (well, assuming you don't have an Institutional Master recovery keychain).

EDIT: I do realize that you specifically are looking to redirect to some external URL. I'm just not sure what would be best in this case. I assume the keys are not in any encrypted format, which, as you mentioned, seems like a security concern. I wonder if anyone is using some kind of database to redirect them to that has granular field permissions options.

merps
Contributor III

We're not using it, but I've seen a project using Google App Engine (I think) called Cauliflower Vest.

Cauliflower Vest

chad_fox
Contributor II

I could have sworn the last time I went to view a recovery key it downloaded a text file with the key included. Right now when I went to check I noticed this:

Looks like we'll keep the JSS option for storage and keep things easy.

Thanks for the responses.
