Test Institutional Recovery Key with FileVault 2

alessio_tedesco
New Contributor III

dear all,
I've successfully enabled FileVault 2 using institutional recovery key but before deploying the policy and config profile for all the computer (none of them already have filevault enabled) I would like to test the recovery method and ensure that it is working fine in case of need.
Any way to test the recovery method using the institutional recovery key? thanks

6 REPLIES 6

Espaay
New Contributor III

Go you your computer inventory and look for a device you might have, write down the institutional recovery key. Go to the device physically and turn on, select recovery key, enter it and that is the test I have used. It has always worked for me. I hope this helps.

alessio_tedesco
New Contributor III

Hi @Espaay ,
thanks for your reply.
In Jamf Pro, going to computer inventory > Disk Encryption under "Institutional Recovery Key Status" it says "Present", I don't see any field where I can get that value.
Furthermore, can you please better explain the step between "turn on" and "select recovery key"?

Thanks a lot

isThisThing0n
Contributor

Decryption using an institutional recovery key is not a trivial process. You can download the institutional recovery key from the computer inventory record in Jamf - Disk Encryption > Institutional Recovery Key.

https://derflounder.wordpress.com/2014/08/13/filevault-2-institutional-recovery-keys-creation-deployment-and-use/

Using individual recovery keys is a much more valid and common approach and you should look into having that enabled and working before worrying about Institutional Recovery Keys.

https://www.jamf.com/resources/technical-papers/administering-filevault-on-macos-10-14-or-later-with-jamf-pro/

alessio_tedesco
New Contributor III

Hi @oliverr , why do you think I should proceed with individual instead of institutional?
I mean, is there any specific reason I am missing?

I'm still testing FileVault so before deploying the configurations I wanna be sure that the solution is safe and easy to manage both for us as technicians and end-users

isThisThing0n
Contributor

You can escrow individual recovery keys directly to your Jamf Server - you can then view the key in the web interface and if required supply that to your end users. This is far easier than having to work with an institutional key each time you need to decrypt a machine or resolve a password issue.

Institutional keys are also inherently less secure as if the key is ever compromised you have to create a new one.

You can also combo individual and institutional keys in a single disk encryption configuration if required.

Each has their place - but individual keys are more secure and easier to manage.

alessio_tedesco
New Contributor III

Thank you - I will definetely move to individual key if so.