Posted on 09-07-2016 01:41 PM
Good afternoon all. I deployed encryption to a test environment by creating a policy and adding computers manually to the scope, after setting up the FileVault configuration using "Current or Next User" and "Institutional" key. I had been given a key created on a Mac laptop and exported to me that served as an institutional recovery key.
So, to test the thing I went ahead and conveniently "forgot" my password on my encrypted MacBook Air and attempted to get in. This MacBook Air is running 10.11.6 and I don't login with AD credentials.
I went into OS X Recovery and ran the terminal commands and found out that the exported file wasn't right? It was a .pem file and it wanted a .keychain file? So, I then created a keychain in keychain access and put the recovery key in it. That did not work either. I got an error that indicated: "Unable to unlock the core storage volume".
So after speaking with JAMF support I tried to get the private key to the keychain I'd previously been given. Well, the person that gave it to me doesn't seem to be able to pass the password challenge to export it. Thank goodness this is a test!
Does anyone have any advice on how to get into this Mac? I just want to know how.
By now it seems obvious to me that the way I deployed encryption can't be the simplest, best practice?
Can you all help me?
Thanks.
Brad Terhune
Posted on 09-07-2016 02:01 PM
I advise heading over to Rich Trouton's blog and doing a search on FileVault or FileVault 2 to bring up all his amazing FileVault articles.
https://derflounder.wordpress.com
One that should get pulled up will explain how to correctly create the Master FileVault keychain that can be used (in Recovery HD mode only) to unlock an encrypted drive.
Of course, for it to work, you first need to make sure you've set things up right and that the Institutional key was deployed to your systems along with the Disk Encryption process.
In general though, you should also be using the Individual Recovery key for this to unlock a drive. The Institutional key really should only be used as a break glass type emergency key when the other processes fail. Not that I'm discouraging you from using an Institutional key and testing the process out with it, since I think that's important. But, have you tried using the individual Recovery key at the login screen for that Mac as well as a test?
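The problem running through this thread is that a .pem exported from the disk encryption configuration holds the certificate (public) half of the institutional recovery key, while the Recovery HD unlock needs a keychain that contains the matching private key. The script below is an added example, not code from the thread, from Jamf or from Rich Trouton's blog: it classifies an exported key file by which halves it contains, and wraps the macOS `security` and `diskutil cs` commands used to build the keychain and unlock the volume. The sample PEM bodies are constructed placeholders, and every path and UUID is a placeholder you would replace with your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf/Rich Trouton.
# Checks which half of an institutional recovery key an exported file holds,
# then wraps the macOS commands used to build the keychain and to unlock the
# volume from Recovery HD. All paths and UUIDs are placeholders.

# pem_kind FILE
#   identity          - a private key block is present (what Recovery needs)
#   certificate-only  - only certificate blocks; the public half cannot unlock
#                       a volume on its own
#   pkcs12            - binary .p12/.pfx; holds the private key only if it was
#                       exported together with it
#   unknown           - none of the above
pem_kind() {
    case "$1" in
        *.p12|*.pfx) echo pkcs12; return 0 ;;
    esac
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo identity
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate-only
    else
        echo unknown
    fi
}

# Constructed sample files; the base64 bodies are placeholders, not real keys.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$dir/cert_only.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIE...placeholder...' '-----END RSA PRIVATE KEY-----' \
        > "$dir/identity.pem"
    echo "$dir"
}

# Run on any Mac (not in Recovery): put the identity, a .p12 exported WITH its
# private key, into a keychain. security prompts for the keychain password and
# for the .p12 password.
build_recovery_keychain() {  # build_recovery_keychain IDENTITY.p12 OUT.keychain
    security create-keychain "$2"
    security import "$1" -k "$2"
}

# Run from the Terminal in Recovery HD: find the logical volume UUID with
# `diskutil cs list`, unlock the keychain, then unlock the volume.
unlock_in_recovery() {       # unlock_in_recovery LV_UUID /path/FileVaultMaster.keychain
    security unlock-keychain "$2"
    diskutil cs unlockVolume "$1" -recoveryKeychain "$2"
}

# Usage: inspection only; the macOS-only helpers are defined but not invoked.
d=$(write_samples)
echo "cert_only.pem: $(pem_kind "$d/cert_only.pem")"   # certificate-only
echo "identity.pem:  $(pem_kind "$d/identity.pem")"    # identity
rm -r "$d"
```

If `pem_kind` reports `certificate-only` for the file you were given, no keychain built from it will unlock the drive; the private key has to come from wherever the certificate was originally generated, which matches the situation described in the thread.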
Posted on 09-08-2016 09:58 AM
Going to the website to search now. I only created a policy for an institutional recovery key. When I download that from Casper it comes over as a .pem file. Not sure how to get an individual recovery key? If there even is one...sorry don't use FileVault much. Learning as I go.
Brad
Posted on 09-08-2016 10:07 AM
What I appear to be missing is the private key for the institutional recovery key. Without that it does not appear that I can export the institutional recovery key and use it to unlock the Mac in question. The website talks about adding or changing an institutional recovery key but makes the assumption the private key is present near as I can discern.
Brad