FileVault recovery keys: Difference between invalid and unknown

stevenjklein
Contributor II

I've seen three different values for FileVault recovery key:

  • valid
  • unknown
  • invalid

Valid and unknown are obvious, but how does a key become invalid?

969c5726bdc9408983d604ec3a87c0fd

10 REPLIES 10

jtrant
Valued Contributor

Invalid means validation of the key failed. I have a policy scoped to a smart group containing invalid recovery keys, which rotates it and triggers another validation attempt.

NGuedes
New Contributor III

Hi,

How do you validate the key again?
Could you please help?

Best regards!

GoranPOne10
New Contributor II

Is it possible to resolve the invalid recovery keys without user intervention?
Would you like to share your workflow?

stevenjklein
Contributor II

Thanks, @jtrant.

@GoranPOne10, any workflow that changes the personal recovery key almost certainly requires a local admin account with the secure token attribute.

Or is there a way around that?

donmontalvo
Esteemed Contributor III

We see Unknown if a computer is encrypted, but Jamf Pro doesn't have a FileVault 2 key at all.

--
https://donmontalvo.com

swapple
Contributor III

I tried making a policy with Disk Encryption set to Issue new Recovery key and scoping to machines with "unknown" keys and that did not seem to escrow the key. Any other tricks to try that don't involve the end user doing something?

Well, a year late, but yes. You need a configuration profile with the right certificate and settings. 

snowfox
Contributor III

@stevenjklein Invalid Recovery Key Validation means the PRK on the Mac doesn't match the PRK stored on Jamf Pro.

How to Issue a new PRK to computers using a policy

Bia
New Contributor III

@swhps Hi, did you ever find out a good way to get around this? Not sure what macOS you were trying this on, but I'm managing a small fleet of all M1 MacBook Pros running the latest version of Big Sur. There was a recent transition from Jamf Connect to Jamf Pro (before I onboarded my position) and half of the Macs had FileVault 2 already enabled while enrolled in Jamf Connect and the RKs are showing 'unknown' in Jamf Pro Inventory. Thankfully the other half of the Macs never had FileVault 2 enabled yet and those I was able to deploy the configuration and escrow the Personal/Individual RKs successfully. I did the same thing you did with a policy to issue a new RK that did not bring me luck. I'd love to not get the end users involved if possible.

mariac
New Contributor

Check out Travelling Tech Guy's blog on this: Escrowing and re-issuing FileVault Personal Recovery Keys - Travelling Tech Guy I found this most useful.