How to disable FileVault with recovery key only?

hansjoerg_watzl
Contributor II

Hi
I have the following situation:
- Mojave 10.14.1 with FileVault2 enabled
- One mobile/AD account, which is FileVault2 user (is also admin)
- Valid recovery key is stored on our JAMF Pro server

The FV password for this user is broken/forgotten and the user can only unlock with the recovery key. Even if a password change is requested, the new password is not saved, as on the next restart only the recovery key works.

I tried to disable FV2 with the terminal command: fdesetup disable
But even if the disk is already unlocked (with the recovery key), this command prompts for the FV username and password. And as the password is unknown/corrupt, it cannot be disabled.

As this is the only FV-enabled user, I can't disable FV with another user.

So, how can I disable FV with a recovery key only?


dpratl
Contributor II

Hi @hansjoerg.watzl,

We have a similar configuration (mobile /AD account).
If a user forgets his password for FileVault (which is the same as the login password of the account), we change the password in AD and tell him to:
- Connect his MacBook to the company network
- Boot up with the recovery key
- Skip the window where macOS asks him to change the password
- Use his username and the new password we reset for him in the login mask that follows

Now he is able to login.

We have an "AD Password Changed" tool in Self Service which clears all passwords for the AD account in the keychain (Outlook, Skype, ...) and does a reboot.
After that reboot he can already use the new password to unlock his hard drive. So there is no need to disable FV.

BR
Daniel

hansjoerg_watzl
Contributor II

Hi @dpratl Thanks for your reply.
We already tried this and the domain password is now correctly changed and can be used to LOGIN, but not to UNLOCK the disk. Unlocking is still only possible with recovery key.
So it seems the FV password is still corrupt/unknown and can't be synced with the login password. And every fdesetup command for disabling or deleting FV requires entering the FV password, which we don't know anymore.

I just want to clean/remove the FV configuration so we can start from scratch again (but of course without reinstalling the whole macOS).
We have a valid recovery key and the user is an admin... but neither helps in this case. :-(

andrew_nicholas
Valued Contributor

@hansjoerg.watzl

You can use the script below to decrypt an APFS drive with just the recovery key:

#!/bin/sh

# UUID of the APFS volume to decrypt (taken from the "Volume disk1s1 <UUID>" line)
driveUUID=$(diskutil apfs list | grep "Volume disk1s1" | awk '{print $4}')
pru="EBC6C064-0000-11AA-AA11-00306543ECAC" #personal recovery user - same on all machines
rk="YOUR-KEY-GOES-HERE"

# The key must be expanded as "$rk"; passing the literal word rk sends the
# wrong passphrase to diskutil.
diskutil apfs decryptVolume "$driveUUID" -user "$pru" -passPhrase "$rk"

I must say though that I have had zero success with being able to encrypt the machine again afterwards, despite having a secure token/elevated rights etc., so I have had to just rebuild the machine each time this has happened. Localized accounts merged with AD via Enterprise Connect/NoMAD have been fine if an issue like this occurs.
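A more defensive version of the same approach, added here as an example and not part of andrew_nicholas's post or of any Apple or Jamf tooling: it finds the volume UUID by matching the device name (so it does not depend on a fixed column position in `diskutil apfs list`), does a coarse format check on the recovery key, reads the key from the terminal instead of storing it in the script, and quotes the key on the `diskutil` command line. The `diskutil apfs list` text embedded in the block is a constructed sample so the parser can be exercised off a Mac; the personal recovery user UUID is the one quoted in the thread; the key-format regex assumes the usual six groups of four characters.

```sh
#!/bin/sh
# Added example (not from the thread): look up an APFS volume UUID by device
# name and run diskutil apfs decryptVolume with the personal recovery user,
# without hard-coding the recovery key in the script file.

# Apple's fixed "personal recovery user" UUID, as quoted in the thread.
PRU="EBC6C064-0000-11AA-AA11-00306543ECAC"

# Constructed sample of `diskutil apfs list` output (UUIDs are made up).
# Real output carries the same "+-> Volume diskNsM <UUID>" lines.
SAMPLE_APFS_LIST='APFS Container (1 found)
|
+-- Container disk1 9E2F1A2C-7D1B-4F3B-9C52-0E1DEADBEEF0
    |
    +-> Volume disk1s1 3B2A9D44-1C0F-4E7A-8D2B-5A6C7D8E9F01
    |   Name:                      Macintosh HD - Data (Case-insensitive)
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s5 7F1E2D3C-4B5A-4978-A1B2-C3D4E5F60718
        Name:                      Macintosh HD (Case-insensitive)
        FileVault:                 No'

# volume_uuid <device> <apfs-list-text>
# Prints the UUID of the volume whose device name matches exactly; returns 1
# if no such volume line exists. Matching on the "Volume <dev>" pair instead
# of a fixed column keeps it correct whatever prefix precedes the line.
volume_uuid() {
    dev="$1"; text="$2"
    printf '%s\n' "$text" | awk -v dev="$dev" '
        /Volume / {
            for (i = 1; i < NF; i++)
                if ($i == "Volume" && $(i+1) == dev) { print $(i+2); found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# valid_recovery_key <key>
# Coarse check: six groups of four characters (A-Z, 0-9) joined by hyphens.
# Catches paste errors before anything is sent to diskutil.
valid_recovery_key() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# decrypt_command <volume-uuid> <key>
# Prints the diskutil invocation that would be run, with the key quoted.
decrypt_command() {
    printf 'diskutil apfs decryptVolume %s -user "%s" -passphrase "%s"\n' "$1" "$PRU" "$2"
}

# Stand-alone use on a Mac:  sh decrypt-with-prk.sh --run disk1s1
# The key is read with echo off so it lands neither in the script nor in
# shell history. Nothing runs unless --run is given.
if [ "${1:-}" = "--run" ]; then
    dev="${2:-disk1s1}"
    uuid=$(volume_uuid "$dev" "$(diskutil apfs list)") || { echo "no APFS volume named $dev" >&2; exit 1; }
    printf 'Personal recovery key: '
    stty -echo; read -r rk; stty echo; echo
    valid_recovery_key "$rk" || { echo "key does not look like a FileVault recovery key" >&2; exit 1; }
    echo "Running: $(decrypt_command "$uuid" "XXXX-XXXX-XXXX-XXXX-XXXX-XXXX")"
    diskutil apfs decryptVolume "$uuid" -user "$PRU" -passphrase "$rk"
fi
```

The parser and the format check run anywhere; the `--run` branch only makes sense on the affected Mac, where `diskutil apfs list` supplies the real volume table. Decryption is started in the background by diskutil, so check `diskutil apfs list` (the FileVault line of the volume) until it reports the volume as no longer encrypted before trying to re-enable FileVault.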

hansjoerg_watzl
Contributor II

Thanks for this script. I will try this on a test device next week and then try to re-encrypt again, so I know whether this works in general. (Whether it works on this specific user's machine, we will see...)

mssaffan
New Contributor II

Hello,

Sorry to open such an old thread. However, the script isn't working for me. It is saying:
Starting background decryption of disk1s1 using crypto user EBC6C064-0000-11AA-AA11-00306543ECAC as authorization
Error starting background decryption of APFS Volume: Passphrase incorrect (-69550)

The recovery key does work on boot though.

Any ideas?

Thanks,

Michael