FileVault recovery keys: Difference between invalid and unknown

stevenjklein
Contributor II

I've seen three different values for the FileVault recovery key:

  • valid
  • unknown
  • invalid

Valid and unknown are obvious, but how does a key become invalid?

jtrant
Contributor III

Invalid means validation of the key failed. I have a policy scoped to a smart group containing invalid recovery keys, which rotates it and triggers another validation attempt.

GoranPOne10
New Contributor II

Is it possible to resolve the invalid recovery keys without user intervention?
Would you like to share your workflow?

stevenjklein
Contributor II

Thanks, @jtrant.

@GoranPOne10, any workflow that changes the personal recovery key almost certainly requires a local admin account with the secure token attribute.

Or is there a way around that?

donmontalvo
Esteemed Contributor II

We see Unknown if a computer is encrypted, but Jamf Pro doesn't have a FileVault 2 key at all.

--
https://donmontalvo.com

swhps
Contributor III

I tried making a policy with Disk Encryption set to Issue new Recovery key and scoping to machines with "unknown" keys and that did not seem to escrow the key. Any other tricks to try that don't involve the end user doing something?

snowfox
Contributor II

@stevenjklein Invalid Recovery Key Validation means the PRK on the Mac doesn't match the PRK stored on Jamf Pro.

How to Issue a new PRK to computers using a policy

BRoper
New Contributor III

@swhps Hi, did you ever find out a good way to get around this? Not sure what macOS you were trying this on, but I'm managing a small fleet of all M1 MacBook Pros running the latest version of Big Sur. There was a recent transition from Jamf Connect to Jamf Pro (before I onboarded my position) and half of the Macs had FileVault 2 already enabled while enrolled in Jamf Connect and the RKs are showing 'unknown' in Jamf Pro Inventory. Thankfully the other half of the Macs never had FileVault 2 enabled yet and those I was able to deploy the configuration and escrow the Personal/Individual RKs successfully. I did the same thing you did with a policy to issue a new RK that did not bring me luck. I'd love to not get the end users involved if possible.
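Putting the replies above together (jtrant's rotation policy, stevenjklein's point about needing a SecureToken admin, and the unknown/invalid definitions from donmontalvo and snowfox), here is an added example script, written for this page and not posted by anyone in the thread, that a Jamf policy could run to report which state a Mac is in and whether a rotation can happen without the end user. It assumes the escrowed key arrives as the first argument (e.g. a Jamf script parameter such as $4) and relies on macOS's fdesetup, dscl and sysadminctl.

```shell
#!/bin/sh
# Added example: classify a Mac's FileVault PRK the way Jamf Pro inventory does
# and check whether a SecureToken admin exists for a key-rotation policy.
# Assumption: the escrowed PRK is passed as $1 (Jamf would supply it via $4).

# Map the escrowed key (possibly empty) to the states seen in inventory:
#   unknown  - Jamf Pro holds no key for this Mac
#   valid    - fdesetup confirms the key matches the boot volume
#   invalid  - the PRK on the Mac no longer matches the escrowed one
prk_state() {
    key="$1"
    [ -n "$key" ] || { echo unknown; return 0; }
    # fdesetup validaterecovery reads the key from stdin and prints true/false
    answer=$(printf '%s\n' "$key" | fdesetup validaterecovery 2>/dev/null || true)
    case "$answer" in
        true)  echo valid ;;
        false) echo invalid ;;
        *)     echo unknown ;;   # FileVault off or fdesetup error
    esac
}

# Return 0 if at least one local admin (other than root) holds a SecureToken.
securetoken_admin_present() {
    admins=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null \
             | sed 's/^GroupMembership: //')
    for u in $admins; do
        [ "$u" = root ] && continue
        if sysadminctl -secureTokenStatus "$u" 2>&1 | grep -q 'is ENABLED'; then
            return 0
        fi
    done
    return 1
}

# Decide what a rotation policy scoped to invalid/unknown keys can do here.
rotation_plan() {
    state=$(prk_state "$1")
    if [ "$state" = valid ]; then
        echo "valid: nothing to do"
    elif securetoken_admin_present; then
        echo "$state: rotate with SecureToken admin"
    else
        echo "$state: user intervention required"
    fi
}

# Run only when a key argument was supplied (keeps the functions sourceable).
if [ $# -gt 0 ]; then
    rotation_plan "$1"
fi
```

Scope the policy to the smart group of invalid or unknown keys and log the output; a Mac reporting "user intervention required" has no SecureToken admin, which matches the situation described in the thread.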