I discovered today that a few users have got an 'invalid' recovery key with jamf. After logging in via ssh I cannot seem to make any changes using fdesetup with users that are FileVault enabled on the system.
I am constantly getting the following error:
host-117-253-27-217:~ tcc$ sudo fdesetup changerecovery -personal
Enter a password for '/', or the recovery key:
Error: Unable to unlock FileVault.
Using fdesetup list I can confirm that all user accounts are enabled to unlock FileVault. Anyone got any ideas how this can be fixed? Thanks.
@sam.hummerstone, I ran into this problem a lot back with Mavericks. Typically, but not always, a simple reboot of the client machine was all it took to get things back up and running. When you are prompted for the password or recovery key, are you entering a known FV2 password, or are you trying to use the recovery key? Make sure you are using a password instead of a questionable key.
Also, as you may or may not know, if you don't have a config profile to redirect the recovery key, issuing a fdesetup changerecovery will not update the key in the JSS. @roiegat's suggestion will do a full decrypt, so you'd have to re-encrypt when it finishes. When I had machines doing this I usually wound up doing the following:
sudo fdesetup validaterecovery
If all that failed, I was forced to decrypt the volume using an institutional key and then re-encrypt.
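An added example, not a script from the thread or from Jamf: a small triage helper that checks whether the personal recovery key an MDM has escrowed still unlocks the Mac, so a stale key is caught before a user needs it. It assumes macOS fdesetup run as root, and that `fdesetup validaterecovery -inputplist` accepts a plist containing a `RecoveryKey` string (confirm against `man fdesetup` on your OS release); the key shape check (six hyphen-separated groups of four upper-case letters or digits) matches the format Apple issues.

```shell
#!/bin/sh
# Added example (not code from the thread). Triage a Mac whose escrowed
# personal recovery key (PRK) is reported as invalid. Assumes: root on
# macOS, and that validaterecovery -inputplist reads a RecoveryKey plist.

# Sanity-check the escrowed key's shape before touching fdesetup:
# six groups of four upper-case letters/digits, hyphen separated.
prk_looks_valid() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Map fdesetup's true/false reply to an exit status callers can branch on.
prk_result_to_status() {
    case "$1" in
        true)  return 0 ;;   # key still unlocks the volume
        false) return 1 ;;   # key is stale: rotate it with changerecovery
        *)     return 2 ;;   # fdesetup refused, e.g. "Unable to unlock FileVault"
    esac
}

# Feed the key on stdin as a plist (assumed RecoveryKey key name) so it
# never appears on a command line that `ps` could read.
validate_prk() {
    printf '<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>RecoveryKey</key><string>%s</string></dict></plist>
' "$1" | fdesetup validaterecovery -inputplist 2>/dev/null
}

triage() {
    key="$1"
    fdesetup status || return 2                       # FileVault must be On
    prk_looks_valid "$key" || { echo "escrowed key is malformed"; return 2; }
    echo "users able to unlock FileVault:"; fdesetup list
    if ! fdesetup haspersonalrecoverykey | grep -q true; then
        echo "no personal recovery key set; changerecovery -personal needed"
        return 1
    fi
    out=$(validate_prk "$key")
    rc=0; prk_result_to_status "$out" || rc=$?
    case $rc in
        0) echo "escrowed PRK is valid" ;;
        1) echo "escrowed PRK is stale; rotate with changerecovery -personal" ;;
        *) echo "fdesetup could not validate (reboot, use a user password, retry)" ;;
    esac
    return $rc
}

# Only act when a key is supplied and fdesetup exists (i.e. on a Mac).
if [ -n "${PRK:-}" ] && command -v fdesetup >/dev/null 2>&1; then
    triage "$PRK"
fi
```

Run as `sudo PRK='XXXX-XXXX-XXXX-XXXX-XXXX-XXXX' sh prk-triage.sh` with the key from the JSS record; exit status 1 means rotate, 2 means fdesetup itself could not unlock the volume.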