Unlocking a FileVault-Encrypted Volume with an Institutional Recovery Key

Unlocking a FileVault-encrypted volume with an institutional recovery key involves the following steps:

  • Prepare the FileVaultMaster keychain and your computer

  • Unlock the FileVaultMaster keychain

  • Use keychain to unlock the encrypted volume


  • macOS 10.9 or later

  • A FileVault 2-encrypted volume, set up to use an institutional recovery key

  • An external drive or USB drive

Preparing the Keychain and Computer

  1. Put your original FileVaultMaster.keychain (the one with the private key in it) on an external drive or USB drive.

  2. Boot the device in recovery mode by holding command-R when starting up.

Unlocking the Keychain

  1. Plug in the drive with the FileVaultMaster keychain. In recovery mode, the drive should automatically mount, but you can also mount it using Disk Utility.

  2. Open a Terminal by going to Utilities > Terminal.

  3. Unlock the keychain in the Terminal by running the following command:security unlock-keychain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain

  4. When prompted, enter the password you used when creating the keychain.

Unlocking the Encrypted Volume

  1. macOS devices running macOS High Sierra (10.13) may have been upgraded to APFS. If a device is using APFS, find the APFS disk role by using diskutil apfs list.

  2. Unlock the encrypted volume by using this command:
    diskutil apfs unlockVolume [APFS disk role] -recoverykeychain /Volumes/[nameofdrive]/FileVaultMaster.keychain

  3. You can now browse the directories of the unlocked drive, or you can decrypt the drive and turn off FileVault 2 using the following command:
    diskutil apfs decryptVolume /dev/[APFS disk role]

  4. You can check the progress by running diskutil apfs list again.

  5. If your device is using macOS Extended (HFS+), find the CoreStorage Volumes (UUID) by using the following command:
    diskutil cs list

  6. Find the Logical Volume UUID of the encrypted drive, by running the command diskutil corestorage list.

  7. Unlock the volume with this command:
    diskutil corestorage unlockVolume [UUID] -recoveryKeyChain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain

  8. The volume should unlock and mount. You can now retrieve the files. Decrypting the disk is also possible by running this command:
    diskutil corestorage revert [UUID] -recoveryKeychain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.