Using FileVault with a Personal Recovery Key

When using a personal recovery key with FileVault 2, the key is only displayed once to the user at the moment FileVault is enabled. Starting with macOS 10.13, you are able to put your key into escrow with Jamf School. When FileVault is enabled on a device, no institutional recovery key has been set up, and its device owner has lost both their account password and personal recovery key, the recovery key escrow can be used as a last resort to unlock the encrypted disk.

Important: Recovery key escrow should be used as a last resort. It is recommended that you always set an institutional recovery key together with enabling the personal recovery key option, to minimize the chance that all recovery keys are lost. In rare cases, it is possible Jamf School does not have an up-to-date personal recovery key in escrow. Jamf School does not accept liability for cases where the user cannot unlock their encrypted drive because the personal recovery in escrow turns out to be out-of-date.

Requirements

  • macOS 10.13 or higher

Enabling personal recovery key escrow in Jamf School Management System

images/docs.jamf.com/jamf-school/images/1_-_escrow_fields_in_profile_settings.png

When enabling FileVault in your macOS profile, select the ‘Enable Personal Recovery Key Escrow’ checkbox. In the textarea, you can enter a short description of the location where the recovery key will be kept. This text can be seen when viewing the details of the Configuration Profile, in Apple menu -> System Preferences -> Profiles. Recovery key escrow will be enabled after the profile is pushed to associated devices.

images/docs.jamf.com/jamf-school/images/2_-_escrow_payload_on_device.png

Notes

  • FileVault should be enabled at the same time or after enabling recovery key escrow. Otherwise, when a personal recovery key has already been generated on a device, enabling recovery key escrow will have no effect.

  • A device should only have one profile with recovery key escrow associated with it. Otherwise, the installation of the second profile will fail.

  • When the personal recovery key is changed on a device while the recovery key escrow profile isn’t associated with it, the key will not be returned back to us.

When recovery key escrow is on, Jamf School will generate a certificate with which the recovery key is encrypted. A unique certificate will be created for every associated device, so that the recovery key is sent back to us as securely as possible.

When FileVault is enabled on a device, it is possible to change the personal recovery key from the Terminal, using the command fdesetup changerecovery -personal . If escrow has been enabled on the device before changing the recovery key, the new key will be returned to Jamf School as well.

Retrieving the personal recovery key in Jamf School Management System

images/docs.jamf.com/jamf-school/images/3b_-_device_details_retrieved.png

The escrowed recovery key can be retrieved on the device details page. When Recovery Key Escrow is enabled, a button ‘Retrieve personal key’ appears under the heading ‘FileVault’. Pressing this will decrypt the personal recovery key and display it.

images/docs.jamf.com/jamf-school/images/3a_-_device_details_escrow_button.png
The recovery key is returned to Jamf School as part of the security information of a device. You may need to refresh device details before retrieving the personal recovery key. If you have not refreshed the security info before retrieving the personal key, it is possible that the retrieve button does not show up or that an old personal key is shown. Check the Activity Log to see if the device's security information is up to date (look for the action "Refresh security info").

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.