Using FileVault with an Institutional Recovery Key

You can use an institutional recovery key as a common way to unlock the encrypted drives of multiple devices within your organization. This key needs to be generated before enabling FileVault.


  • macOS 10.7 or later

Generate a FileVaultMaster keychain and certificate

When using FileVault 2 with an institutional recovery key, you will need to generate a private keychain file and public certificate file. This only needs to be done once, and needs to be done before deploying the certificate to multiple devices.

These files can be generated on a macOS device by setting a master password, or by using Terminal and Keychain Access.

Generate files by setting a master password

By setting a Master Password, a FileVaultMaster keychain and FileVaultMaster certificate will automatically be generated in the folder /Library/Keychains. You will need these files when deploying FileVault using an institutional key. These files may already be present. For example, if you already have a master password set on your device, see the Generate files by using Terminal and Keychain Access section on this page.

  1. Navigate to the Apple menu > System Preferences, and then click Users & Groups.

  2. Click on the padlock in the bottom-left corner of the screen and enter your password to unlock user settings.

  3. Click on the service icon at the bottom of the user list, and then select "Set Master Password" shown in the screenshot below.

  4. Choose and verify a master password. Choose a password which you can remember, as you will need this password again when recovering data from an encrypted volume;

  5. In the folder /Library/Keychains/, two files will be generated: FileVaultMaster.keychain and FileVaultMaster.cer

The keychain file contains the generated public and private keys, and is protected by the master password that you just provided. You will need this file when recovering data from an encrypted volume. Make sure you store several copies of this keychain in secure locations, as without it, you will not be able to unlock the volume.

The certificate file contains only the public key, and will be deployed to the devices as institutional recovery key.

Generate files by using Terminal and Keychain Access

Create a FileVaultMaster keychain

  1. Open a Terminal window.

  2. Generate a new keychain by running the command security create-filevaultmaster-keychain /[path]/FileVaultMaster.keychain.

  3. When prompted, provide a password for the keychain. You will need this password later, when preparing the keychain for deployment or when using the keychain to unlock an encrypted volume.

  4. A new keychain is now created at the location you specified. When generating one using the master password, the FileVaultMaster keychain is usually stored in /Library/Keychains/. However, you will need root privileges for this and there may already be another FileVaultMaster keychain present.

  5. You will need your newly generated FileVaultMaster keychain when unlocking an encrypted volume. Store several copies of this keychain in secure locations.

Prepare the keychain for distribution

The FileVaultMaster keychain contains a private and public key. This is a problem when the keychain file falls into wrong hands. Before you can deploy an institutional key, you will need to remove the private key from the keychain.

  1. Create another copy of the FileVaultMaster keychain. As you will remove the private key from this keychain, this copy can only be used for deployment.

  2. Open the Keychain Access application.

  3. Import the FileVaultMaster keychain by navigating to File > Add Keychain… . Find your copy of the keychain and click Add.

  4. Select the FileVaultMaster keychain in the overview on the left-hand side of the application and click the padlock icon to unlock the keychain.

  5. If the keychain will not unlock, try unlocking it using the Terminal by running the following command:
    security unlock-keychain /[path]/FileVaultMaster.keychain

  6. Enter the keychain’s password when prompted.

  7. In Keychain Access, double-click the FileVaultMaster keychain. You will see a certificate named FileVault Recovery Key.

  8. Expand this certificate and you’ll see that it contains a private key named "FileVault Master Password Key". Delete this private key.

  9. Select the FileVault Recovery Key certificate, now only containing the personal key, and go to File > Export Items. Save the certificate as a .cer file.

Deploying a Certificate to Associated Devices

  1. In Jamf School, go to the profile in which you want to enable FileVault.

  2. Navigate to the Certificates tab, and then select your certificate and click Upload certificate.

  3. In the FileVault tab, Enable FileVault and select either both the institutional and personal recovery key, or just the institutional recovery key as key type.

  4. In the Certificates pop-up menu, select your certificate. When the profile is saved, this certificate is sent to associated devices as institutional recovery key images/

Using Keychain to Unlock an Encrypted Volume

  1. Put your original FileVaultMaster.keychain (the one with the private key in it) on an external drive or USB drive.

  2. Boot the device in recovery mode by holding command-R when starting up.

  3. Plug in the drive with the FileVaultMaster keychain. In recovery mode, the drive should automatically mount, but you can also mount it using Disk Utility.

  4. Open a Terminal by going to Utilities > Terminal.

  5. Unlock the keychain in the Terminal by running the following command:
    security unlock-keychain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain

  6. When prompted, enter the password you used when creating the keychain.

  7. Find the Logical Volume UUID of the encrypted drive by running the following command:
    diskutil corestorage list

  8. Unlock the volume with diskutil corestorage unlockVolume [UUID] -recoveryKeyChain /Volumes[nameofdrive]/[path]/FileVaultMaster.keychain

  9. The volume should unlock and mount. You can now retrieve the files. Decrypting the disk is also possible by running diskutil corestorage revert [UUID] -recoveryKeychain /Volumes/[nameofdrive]/[path]/FileVaultMaster.keychain

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.