Unable to unlock FileVault with fdesetup

sam_hummerstone
New Contributor II

Hi all,

I discovered today that a few users have got an 'invalid' recovery key with jamf. After logging in via ssh I cannot seem to make any changes using fdesetup with users that are FileVault enabled on the system.
I am constantly getting the following error:

host-117-253-27-217:~ tcc$ sudo fdesetup changerecovery -personal
Enter a password for '/', or the recovery key:
Error: Unable to unlock FileVault.

Using fdesetup list I can confirm that all user accounts are enabled to unlock filevault. Anyone got any ideas how this can be fixed? thanks

2 REPLIES 2

roiegat
Contributor II

I use diskutil to unlock file vault.

I use "diskutil cs list" to get the logical drive and then "diskutil cs decryptLV ${lvUUID} -passphrase $password" where lvUUID is the UUID of the logic drive.

Berrier
Contributor

@sam.hummerstone, I ran into this problem a lot back with Mavericks. Typically, but not always, a simple reboot of the client machine was all it took to get things back up an running. When you are prompted for the password or recovery key, are you entering a known FV2 password, or are you trying to use the recovery key? Make sure you are using a password instead of a questionable key.

Also, as you may or may not know, if you don't have a config profile to redirect the recovery key, issuing a fdesetup changerecovery will not update the key in the JSS. @roiegat's suggestion will do a full decrypt, so you'd have to re-encrypt when it finishes. When I had machines doing this I usually wound up doing the following:

  1. Reboot client computer
  2. Use a known FV2 password to add the JSS management account to FV2, if it's not already there
  3. Use a JSS policy to re-issue the individual key
  4. Verify new key is accurate: sudo fdesetup validaterecovery
  5. Remove the management account from FV2

If all that failed, I was forced to decrypt the volume using an institutional key and then re-encrypt.