Security of FileVault 2 Recovery Keys

This article explains how Jamf Pro encrypts FileVault recovery keys stored in the Jamf Pro server.

For information on administering FileVault, see the Administering FileVault on macOS 10.14 or later with Jamf Pro technical paper.

Key Encryption

Two types of recovery keys are stored in the database: institutional keys (a .p12 file) and personal keys (a string). An institutional recovery key is uploaded as a password-protected .p12 (PKCS #12) file, so the private key it contains is already encrypted under that password; Jamf Pro encrypts the .p12 password before storing it. Personal recovery keys are stored as strings, and Jamf Pro encrypts those strings as well.

The password-based encryption scheme used in Jamf Pro 9.0 or later is SHA-256 with 256-bit AES: a key derived with SHA-256 from a passphrase and salt is used to encrypt the stored value with AES-256. The same scheme is used for institutional and personal recovery keys. The salt and passphrase for the encryption are generated within the web application and are not site-specific, so they do not differ from one Jamf Pro installation to another. The encryption therefore protects recovery keys against casual reading of database contents, but not against someone who holds a copy of the database and can reproduce the application's passphrase and salt; access to the database and its backups must be restricted as tightly as access to the keys themselves.
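To make the scheme concrete, the following added example (not Jamf Pro's code; Jamf publishes only the description above) shows what password-based encryption of the shape "SHA-256 with 256-bit AES" looks like, and why a passphrase and salt that are built into the application rather than generated per site matter. The key derivation function (PBKDF2-HMAC-SHA256, spelled out from RFC 8018 so only the Go standard library is needed), the iteration count, the AES mode (GCM), the hex storage encoding, the recovery key sample and the appPassphrase/appSalt constants are all assumptions of this example; the page does not state which KDF, mode or work factor Jamf Pro uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Iterations is the PBKDF2 work factor. 600,000 follows current OWASP guidance
// for PBKDF2-HMAC-SHA256; it is an assumption of this example, not a Jamf Pro value.
const Iterations = 600_000

// PBKDF2SHA256 derives keyLen bytes from passphrase and salt as specified in
// RFC 8018 section 5.2, with HMAC-SHA256 as the pseudorandom function.
func PBKDF2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(P, S || INT(i))
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncryptRecoveryKey derives a 256-bit AES key from the passphrase and salt and
// seals the recovery key with AES-256-GCM. The random nonce is prefixed to the
// ciphertext and the whole value is hex-encoded, as it might sit in a text column.
func EncryptRecoveryKey(passphrase, salt []byte, recoveryKey string) (string, error) {
	aesKey := PBKDF2SHA256(passphrase, salt, Iterations, 32) // 32 bytes = AES-256
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(recoveryKey), nil)
	return hex.EncodeToString(sealed), nil
}

// DecryptRecoveryKey reverses EncryptRecoveryKey. It fails if the passphrase or
// salt differ from those used to encrypt, or if the stored value was altered.
func DecryptRecoveryKey(passphrase, salt []byte, stored string) (string, error) {
	sealed, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	aesKey := PBKDF2SHA256(passphrase, salt, Iterations, 32)
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong passphrase/salt or tampered value): %w", err)
	}
	return string(plain), nil
}

// Hypothetical application-wide constants standing in for a passphrase and salt
// that are generated within the web application and are not site-specific:
// every copy of the application reproduces them.
var (
	appPassphrase = []byte("example-app-passphrase")
	appSalt       = []byte("example-app-salt")
)

func main() {
	// Constructed sample in the shape of a FileVault personal recovery key.
	personalKey := "ABCD-EFGH-IJKL-MNOP-QRST-UVWX"
	stored, err := EncryptRecoveryKey(appPassphrase, appSalt, personalKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)

	// The application's own constants recover the key; a site-specific secret does not.
	recovered, err := DecryptRecoveryKey(appPassphrase, appSalt, stored)
	fmt.Println("with app constants:", recovered, err)
	_, err = DecryptRecoveryKey([]byte("site-specific-secret"), appSalt, stored)
	fmt.Println("with other passphrase:", err)
}
```

The point of the final two calls is the practitioner's caveat: because the derivation inputs are shared by every installation, a database dump plus the application is enough to run DecryptRecoveryKey, so the ciphertext column is no substitute for controlling who can read the database and its backups.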

Privileges

The following privileges control whether a Jamf Pro user can create and edit disk encryption configurations and view or download recovery keys (Jamf Pro 9.2 or later). Disable them for any user who does not need those abilities:

Jamf Pro Server Objects
  • Disk Encryption Configurations: Allows the user to create, read, update, or delete a disk encryption configuration with a personal (a.k.a. individual) recovery key, an institutional recovery key, or both a personal and an institutional recovery key.
  • Disk Encryption Institutional Configurations: Allows the user to create, read, update, or delete a disk encryption configuration with an institutional recovery key, or with both personal and institutional recovery keys. With the "View Disk Encryption Recovery Key" privilege also granted, this privilege also allows the user to view and download an institutional recovery key.
Jamf Pro Server Actions
  • View Disk Encryption Recovery Key: Allows the user to view a personal recovery key. This privilege also allows the user to view and download an institutional recovery key.

jss_audit

The Jamf Pro server logs each interaction with a recovery key in the jss_audit table. The following information is logged about each interaction:
  • audit_who: The Jamf Pro user who interacted with the recovery key.
  • audit_when: The time of the interaction, as an epoch timestamp.
  • audit_what: An XML representation of the object that was accessed.
  • audit_where: Where in the Jamf Pro server it was accessed.