Posted on 02-20-2014 10:06 AM
JAMFnation 4ever!
JSS 9.23. All users running 10.8.5.
Testing some scenarios out before implementing FileVault 2 on users' machines, I've noticed deleting an encrypted machine's record in the JSS and re-Reconing doesn't fill in the Recovery Key in the JSS. It recognizes the drive as encrypted in the Inventory tab, but lists Not Configured in the Management tab. Is there any way to repopulate that in this scenario short of decrypting and re-enabling encryption via the JSS?
Thanks for any and all help!
Michael
Posted on 02-20-2014 10:26 AM
I have not been able to find any way of doing this other than a decrypt/re-encrypt. Apple seems to only let you get the key at that time. This has been a pain as we have to really be sure now when deleting a Mac. That recovery key is gone.
Posted on 02-20-2014 10:32 AM
On 10.8.5, once the key's been removed from the JSS, you'll need to unencrypt / re-encrypt using a policy in order to re-upload that key.
10.9.x offers more options in this regard, as a changerecoverykey function is now included with fdesetup.
Posted on 02-20-2014 11:08 AM
Thanks to you both.
@rtroutron, are you the greatest resource on FileVault in the world?
Posted on 02-20-2014 11:17 AM
No, the people who wear that crown all work for Apple. I probably have the most documentation available to the public though.
Posted on 02-20-2014 11:22 AM
So, it sounds like it would be a good idea to create a smart group for all systems where Casper is not able to validate the individual recovery key, then have a policy run the "fdesetup changerecovery -personal" command to generate a new key?
It sounds like this would resolve the issue for 10.9.x systems (with deleted or lost system records), assuming Casper is able to pick up that new key automatically. I'll have to test this out.
Edit: Not sure this will work since you need to enter a password or current recovery key for the volume. Also, Casper doesn't pick up the new key. Bummer.
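The rotation step discussed in this post, written out as an added example (not code from the thread or from JAMF): it wraps `fdesetup changerecovery -personal -inputplist` on 10.9+, feeds the existing FileVault user's credentials over stdin as a plist rather than on the command line, and hands the new key back to the caller for manual escrow, since, as noted above, Casper does not pick the rotated key up by itself. The helper names, the root-only requirement and the assumption that the new key appears on stdout in the usual six-group form are mine; the sample fdesetup output is constructed.

```python
"""Rotate a FileVault 2 personal recovery key with fdesetup (OS X 10.9+).

Added example, not from the thread: wraps `fdesetup changerecovery -personal
-inputplist`, which needs an existing FileVault user's password (or the current
recovery key) on stdin, and returns the new key so it can be escrowed by hand.
Assumes the key is printed to stdout in the usual XXXX-XXXX-... form.
"""
import plistlib
import re
import subprocess

FDESETUP = "/usr/bin/fdesetup"
# Personal recovery keys are six groups of four characters, e.g. ABCD-1234-....
KEY_RE = re.compile(r"\b([A-Z0-9]{4}(?:-[A-Z0-9]{4}){5})\b")

# Constructed sample of what fdesetup prints on success (assumed format).
SAMPLE_OUTPUT = "New personal recovery key = ABCD-EFGH-JKLM-NPQR-STUV-WXYZ\n"


def build_input_plist(username: str, password: str) -> bytes:
    """Build the XML plist that fdesetup reads from stdin with -inputplist.

    Passing credentials this way keeps the password out of `ps` output and
    shell history; fdesetup also accepts a RecoveryKey entry instead of
    Username/Password if the current key is known.
    """
    return plistlib.dumps({"Username": username, "Password": password})


def parse_recovery_key(output: str):
    """Return the first recovery key found in fdesetup's stdout, or None."""
    match = KEY_RE.search(output)
    return match.group(1) if match else None


def rotate_personal_key(username: str, password: str, fdesetup: str = FDESETUP) -> str:
    """Run `fdesetup changerecovery -personal` and return the new key.

    Must run as root. The caller is responsible for escrowing the returned
    key somewhere durable: the JSS will not learn about it on its own.
    """
    proc = subprocess.run(
        [fdesetup, "changerecovery", "-personal", "-inputplist"],
        input=build_input_plist(username, password),
        capture_output=True,
        check=False,
    )
    if proc.returncode != 0:
        err = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError("fdesetup failed (rc=%d): %s" % (proc.returncode, err))
    key = parse_recovery_key(proc.stdout.decode(errors="replace"))
    if key is None:
        raise RuntimeError("no recovery key found in fdesetup output")
    return key


if __name__ == "__main__":
    # Offline demonstration of the parsing step on the constructed sample.
    print(parse_recovery_key(SAMPLE_OUTPUT))
```

Run it as root on the Mac whose key was lost, then record the returned key by hand (or feed it to whatever escrow you trust); until the JSS can ingest a rotated key, that manual step is what stands between you and the nuke-and-pave scenario mm2270 describes below.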
Posted on 02-20-2014 12:08 PM
If any of you feel that being able to export Recovery Keys out of Casper in a secure way to another format for safe keeping would be a good idea, please vote up my Feature Request here:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=1861
Been trying to get more focus on this, because for us, it's a problem that the JSS is the ONLY place those keys exist and we are not able to access or read the keys in any other way than via the web app GUI. I'd even settle for just a secure method of using the API to extract the keys so they can be pushed to another system. As it stands, if you delete the Mac record and something happens where you need the key to get into the Mac, if you didn't already have it set up to use an Institutional Recovery key as well, you will have no way to get back into the Mac other than a nuke and pave, losing all data. For us, we have it set to use Institutional + Individual, but we would still like a way to report on the keys or securely port them to another system.
Posted on 02-24-2014 05:57 PM
Thanks for the confirmation, all.
@mm2270: Upvoted.
Posted on 02-25-2014 01:11 PM
In Casper 8.x you can recover the key from your backups, and re-enter manually, once the computer is re-enrolled. I wrote about this briefly last year. Haven't tried with Casper 9, hoping the same approach would work if you got stuck.