I've successfully enabled FileVault 2 using an institutional recovery key, but before deploying the policy and config profile for all the computers (none of them already have FileVault enabled) I would like to test the recovery method and ensure that it is working fine in case of need.
Any way to test the recovery method using the institutional recovery key? Thanks
Hi @Espaay,
thanks for your reply.
In Jamf Pro, going to computer inventory > Disk Encryption, under "Institutional Recovery Key Status" it says "Present". I don't see any field where I can get that value.
Furthermore, can you please better explain the step between "turn on" and "select recovery key"?
Thanks a lot
Decryption using an institutional recovery key is not a trivial process. You can download the institutional recovery key from the computer inventory record in Jamf - Disk Encryption > Institutional Recovery Key.
Using individual recovery keys is a much more valid and common approach and you should look into having that enabled and working before worrying about Institutional Recovery Keys.
Hi @oliverr, why do you think I should proceed with individual instead of institutional?
I mean, is there any specific reason I am missing?
I'm still testing FileVault, so before deploying the configurations I wanna be sure that the solution is safe and easy to manage both for us as technicians and end-users.
You can escrow individual recovery keys directly to your Jamf Server - you can then view the key in the web interface and if required supply that to your end users. This is far easier than having to work with an institutional key each time you need to decrypt a machine or resolve a password issue.
Institutional keys are also inherently less secure, as if the key is ever compromised, you have to create a new one.
You can also combo individual and institutional keys in a single disk encryption configuration if required.
Each has their place - but individual keys are more secure and easier to manage.