Security of FileVault 2 Recovery Keys
This article explains how Jamf Pro encrypts FileVault recovery keys stored in the Jamf Pro server.
For information on administering FileVault, see the Administering FileVault on macOS 10.14 or later with Jamf Pro technical paper.
Key Encryption
Two types of recovery keys are stored in the database: institutional (.p12) and personal (string). Institutional recovery keys are secure by nature since they are uploaded as .p12 files, and Jamf Pro encrypts the password for the .p12 file. Jamf Pro also encrypts personal recovery keys.
The password-based encryption scheme used in Jamf Pro 9.0 or later is SHA-256 with 256-bit AES. The same scheme is used for institutional and personal recovery keys. The salt and passphrase for the encryption are generated within the web application and are not site-specific.
Privileges
The following privileges can be disabled to prevent a Jamf Pro user from creating and editing disk encryption configurations, and viewing and downloading recovery keys in Jamf Pro 9.2 or later:
- Jamf Pro Server Objects
  - Disk Encryption Configurations—Allows users to create, read, update, or delete a disk encryption configuration with a personal (a.k.a. individual) recovery key, an institutional recovery key, or both a personal (a.k.a. individual) and institutional recovery key.
  - Disk Encryption Institutional Configurations—Allows the user to create, read, update, or delete a disk encryption configuration with an institutional recovery key, or with both personal and institutional recovery keys. With the "View Disk Encryption Recovery Key" privilege also granted, this privilege also allows the user to view and download an institutional recovery key.
- Jamf Pro Server Actions
  - View Disk Encryption Recovery Key—Allows the user to view a personal recovery key. This privilege also allows the user to view and download an institutional recovery key.
jss_audit
Interactions with recovery keys are recorded in the jss_audit database table, which has the following columns:
- audit_who—The Jamf Pro user who interacted with the recovery key.
- audit_when—The epoch of the interaction.
- audit_what—An XML representation of the object that was accessed.
- audit_where—Where it was accessed in the Jamf Pro server.
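As an added example (not Jamf's code), the following script triages rows in the shape of the four jss_audit columns above and reports recovery-key accesses by any user outside an approved set. The sample rows are constructed; it assumes audit_when is Unix epoch seconds, that audit_what is an XML fragment whose root element names the accessed object, and that audit_where contains the text "Recovery Key" for key views, none of which the article specifies.

```python
"""Triage of jss_audit rows for recovery-key access (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample rows with the four jss_audit columns the article lists.
# ASSUMPTIONS: audit_when is epoch seconds; audit_what is an XML fragment whose
# root element names the object; audit_where mentions "Recovery Key" for key views.
SAMPLE_ROWS = [
    {"audit_who": "fv-admin", "audit_when": 1700000000,
     "audit_what": "<computer><id>12</id></computer>",
     "audit_where": "Computer Record - FileVault 2 Recovery Key"},
    {"audit_who": "helpdesk1", "audit_when": 1700003600,
     "audit_what": "<computer><id>31</id></computer>",
     "audit_where": "Computer Record - FileVault 2 Recovery Key"},
    {"audit_who": "helpdesk1", "audit_when": 1700007200,
     "audit_what": "<computer><id>44</id></computer>",
     "audit_where": "Computer Record - FileVault 2 Recovery Key"},
    {"audit_who": "fv-admin", "audit_when": 1700010800,
     "audit_what": "<policy><id>7</id></policy>",
     "audit_where": "Policy"},
]

def is_recovery_key_access(row):
    # audit_what only describes the object, so the location column is used
    # to decide whether a recovery key was actually viewed.
    return "Recovery Key" in row["audit_where"]

def accessed_object(row):
    # Reduce the XML representation to "<type>:<id>" for reporting.
    root = ET.fromstring(row["audit_what"])
    return f"{root.tag}:{root.findtext('id')}"

def flag_recovery_key_access(rows, approved_users):
    """Return (user, UTC ISO time, object) for every recovery-key access by a
    user not in approved_users, oldest first."""
    findings = []
    for row in sorted(rows, key=lambda r: r["audit_when"]):
        if not is_recovery_key_access(row) or row["audit_who"] in approved_users:
            continue
        when = datetime.fromtimestamp(row["audit_when"], tz=timezone.utc)
        findings.append((row["audit_who"], when.isoformat(), accessed_object(row)))
    return findings

if __name__ == "__main__":
    for finding in flag_recovery_key_access(SAMPLE_ROWS, {"fv-admin"}):
        print(*finding)
```

Against a live server the same logic applies to a `SELECT audit_who, audit_when, audit_what, audit_where FROM jss_audit` export, with the approved set drawn from the users who hold the View Disk Encryption Recovery Key privilege.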