Institutional Only Filevault Keys

arlogilbert
New Contributor II

Currently we use the dual institutional + individual combination, but since all users are local users, the issue persists that sometimes changing the password does not change their filevault password.

We are trying to figure out if using an institutional only key would potentially solve this, but our understanding of the filevault password store is not great.

Maybe this is a dumb question, but If we shifted to an institutional only key, does this eliminate the need for the individual user to unlock FileVault with their password? I guess what I'm asking is whether the individual key causes the password requirement for filevault.

2 REPLIES 2

rtrouton
Release Candidate Programs Tester

No, it does not eliminate the need for the individual user to unlock FileVault with their password. Both the individual and institutional recovery keys are, from FileVault's perspective, additional user accounts who are authorized to unlock the encryption. That's why, if you run diskutil apfs listCryptoUsers /, you'll see output like this:

diskutil apfs listCryptoUsers /
Cryptographic users for disk1s5s1 (3 found)
|
+-- 6B6A09BE-66C9-4DF5-B3B9-9A02F2DE731F
|   Type: Local Open Directory User
|
+-- FE33C615-B291-4DC5-9AFE-D54C16C46B9F
    Type: Personal Recovery User

The ones marked as Local Open Directory User are local or mobile accounts on the Mac, while Personal Recovery User is the "user" associated with the individual recovery key.

mm2270
Legendary Contributor III
If we shifted to an institutional only key, does this eliminate the need for the individual user to unlock FileVault with their password?

No, it does not. The recovery keys are simply a way to decrypt the encrypted at rest hard drive container that holds the OS and user data in it. In fact, the recovery keys, whether talking about the Individual one or Institutional one, aren't really related to the accounts on the Macs themselves, other than the fact that the accounts need to be included in the FV2 allowed users list. After entering the Individual recovery key at the loginwindow, the Mac will prompt the user to enter their account password, or you can enter a different username and password combo on the machine to continue logging in. All the Mac knows is that the FV encrypted volume was unlocked and the Mac was allowed to boot, but it has no idea about the user credentials to get into any accounts. It only passes through the user credentials to get straight into that account when a correct username/password combo is entered at the preboot FileVault login screen.

And as an aside, using the Institutional Recovery key to unlock a FileVaulted Mac is not nearly as easy to do than when using the Individual Recovery Key. As mentioned, the individual key can be used right at the login window, by entering it on the recovery key unlock screen. The Institutional Recovery key is more of a universal key that has to be used in Recovery mode to unlock and mount the HD volume or just start a decryption process for example. It won't really help a user who forgot their password or has an out of sync password get back into their machine very easily.
Hope that helps explain things a little better.

Lastly, whenever in doubt about anything FileVault 2 related, I refer to the guru Rich Trouton's blog on it - https://derflounder.wordpress.com/. Just search for "FileVault" there to bring up all his articles on all things FileVault related.

Edit: See what I mean? 😁