FileVault2 individual recovery key - self service

vbippus
New Contributor

Hi all,

We are just starting the deployment of Casper Suite. A great feature is FileVault configuration deployment, but I would like to create a self-service portal so that users could get their individual recovery key in case of need.

In Casper Suite 9, individual recovery keys are now encrypted in the DB. So is there some way to get the individual recovery key using the API or something else (decrypt the key contained in the DB)?

Thanks a lot for any ideas!

Cheers,

Vincent


mm2270
Legendary Contributor III

I need to start off my response with a question, which is: since Self Service can only be used if the Mac is booted and unlocked past the FV2 screen, if the user needed their key AT the FV2 login screen to get into the Mac, how would such a policy actually help them? Or were you thinking of doing this from another Mac (i.e., the user logs into Self Service on a loaner enrolled Mac and runs a policy to get the key for their Mac after answering some questions)?

If you were thinking something along the lines of the latter, I can tell you this is impossible. Full stop. The keys can ONLY be accessed via the JSS web UI. We've posed a similar question to JAMF and have been told plainly that they have no plans (right now) to expose the Individual Recovery Key via the API or any other supported (but secure) method. There is no other way other than through the JSS interface, and frankly, it's a pain.
If you agree, please up vote my Feature Request here: https://jamfnation.jamfsoftware.com/featureRequest.html?id=1861

If on the other hand, you envisioned some way for the client to do this FROM their Mac after being unlocked and logged in, the only way I can think of to do what you're looking for is, first off, a little insecure, and second, would need to be set up and tested in advance of issuing any encryption on your Macs.

Since the recovery key gets stored in an XML file right after encryption starts and is picked up by an inventory collection, you could deploy a script that runs at startup along with your encryption policy that would capture the key from the XML file and store it away securely in a password-protected DMG or zip file, etc., that you know of and control. Later, in your Self Service policy, you could create a script that would locate the password-protected DMG/zip and decrypt it using a password sent to the script from a Casper Suite parameter, then present the key to the user in some kind of dialog, and lastly close the protected file up so it can't be re-accessed.
Generally speaking, since the Mac would be under an FDE state, leaving the key inside another encrypted location on disk that you control should be OK, since that data can only be accessed when the Mac is unlocked anyway. Since you're talking about Self Service for this, the Mac would need to be booted and unlocked for the user to run the SS policy anyway.
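As an added example that is not part of the original post or of Jamf's own tooling, the script below implements the Self Service half of the flow described above: it assumes the startup script already saved the fdesetup-style plist as key.plist inside an encrypted DMG at an assumed path, and that the policy passes the DMG password as script parameter $4.

```shell
#!/bin/bash
# Added example, not from the original thread. Assumptions: the startup script
# stored the "fdesetup enable -outputplist" output as key.plist inside an
# encrypted DMG at VAULT_DMG (assumed path), and the Jamf policy hands the DMG
# password to this script as parameter $4 ($1-$3 are reserved by Jamf).
VAULT_DMG="/Library/Application Support/JAMF/Vault/fv2key.dmg"   # assumed path
MOUNT_POINT="/private/tmp/fv2key.$$"

# Print the <string> that follows <key>RecoveryKey</key> in the plist;
# prints nothing if the key is absent.
extract_recovery_key() {
  awk '
    found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    /<key>RecoveryKey<\/key>/ { found = 1 }
  ' "$1"
}

# A personal recovery key is six dash-separated groups of four uppercase
# alphanumerics; validating it also makes the value safe to splice into AppleScript.
is_valid_recovery_key() {
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

show_key_and_lock_up() {
  local dmg_password="$1" key
  mkdir -p "$MOUNT_POINT"
  # Password goes over stdin, never on the command line where `ps` could see it.
  printf '%s' "$dmg_password" | hdiutil attach "$VAULT_DMG" -stdinpass \
      -mountpoint "$MOUNT_POINT" -nobrowse -readonly -quiet || return 1
  key="$(extract_recovery_key "$MOUNT_POINT/key.plist")"
  # Detach before showing anything so the vault is closed even if the dialog fails.
  hdiutil detach "$MOUNT_POINT" -quiet
  if ! is_valid_recovery_key "$key"; then
    # Never echo the key itself: Jamf records script stdout in the policy log.
    echo "No valid recovery key found in vault" >&2
    return 1
  fi
  osascript -e "display dialog \"Your FileVault recovery key is:\" & return & \"$key\" \
      with title \"FileVault Recovery Key\" buttons {\"OK\"} default button 1" >/dev/null
}

# Run only when Jamf supplied the password parameter.
if [ -n "${4:-}" ]; then
  show_key_and_lock_up "$4"
fi
```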

vbippus
New Contributor

Thanks for your reply.
I voted for your feature request.

Users can access the intranet using another computer or their smartphone.
Because of your reply, I will just adapt my existing script, which stores keys in a secured DB.

I just thought there was some way out of the box as it was possible to get the recovery key in the DB on Casper 8!

Once again, thank you!