Creating and Exporting an Institutional Recovery Key

To use an institutional recovery key, you must first create and export a recovery key using Keychain Access.

You can export the recovery key with or without the private key. Exporting with the private key allows you to store it in the JSS. If you export without the private key, you must store it in a secure location so you can access it when needed.

Creating and Exporting an Institutional Recovery Key with the Private Key

  1. On an administrator computer, open Terminal and execute the following command:

    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. Enter a password for the new keychain when prompted.
    A keychain (FileVaultMaster.keychain) is created in the following location:
    /Library/Keychains/

  3. Unlock the keychain by opening Terminal and executing:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  4. Make a backup of the keychain and save it in a secure location.

  5. Open Keychain Access.

  6. From the menu bar, choose File > Add Keychain and add the FileVaultMaster.keychain file located in /Library/Keychains/.

  7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading.

  8. Verify that a private key is associated with the certificate.

    [Screenshot: Keychain Access showing the private key listed beneath the FileVault Recovery Key certificate]

  9. Select the certificate and the private key.

  10. From the menu bar, choose File > Export Items and save the items as a .p12 file.
    The .p12 file is a bundle that contains both the FileVault Recovery Key and the private key.

  11. Create and verify a password to secure the file, and then click OK.
    You will be prompted to enter this password when uploading the recovery key to the JSS.

    [Screenshot: Keychain Access password prompt for the exported .p12 file]

  12. Quit Keychain Access.

The FileVault Recovery Key and the private key are saved as a .p12 file in the location you specified.

Creating and Exporting an Institutional Recovery Key without the Private Key

  1. On an administrator computer, open Terminal and execute the following command:

    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. Enter a password for the new keychain when prompted.
    A keychain (FileVaultMaster.keychain) is created in the following location:
    /Library/Keychains/

  3. Unlock the keychain by opening Terminal and executing:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  4. Open Keychain Access.

  5. From the menu bar, choose File > Add Keychain and add the FileVaultMaster.keychain file located in /Library/Keychains/.

  6. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading.

  7. Select the certificate.
    Do not select the private key associated with the certificate.

    [Screenshot: Keychain Access with only the FileVault Recovery Key certificate selected, not the private key]

  8. From the menu bar, choose File > Export Items and save the recovery key as a .pem file or .cer file.
    You will need to upload this file to the JSS when creating the disk encryption configuration.

  9. Quit Keychain Access.

  10. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time.

The FileVault Recovery Key is saved as a .cer file or a .pem file in the location you specified.
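The following script is an added example, not JAMF's own tooling or part of this page, covering both procedures above from Terminal. The `security create-filevaultmaster-keychain` and `security unlock-keychain` commands are the ones the steps use; using `security export` as the command-line counterpart of the Keychain Access "Export Items" step, and the function and path names, are assumptions. The `irk_is_public_only` check is the part a practitioner wants before uploading anything to the JSS: it confirms a file meant to be the "without the private key" export contains only a certificate, and refuses PEM files carrying a PRIVATE KEY block or a .p12 bundle, which by construction includes the private key.

```shell
#!/bin/sh
# Institutional Recovery Key helpers (added example; names are assumptions).
# The keychain path matches the one used in the steps above.
IRK_KEYCHAIN=/Library/Keychains/FileVaultMaster.keychain

# Step 1: create the FileVault master keychain; prompts for a new keychain password.
irk_create_keychain() {
    sudo security create-filevaultmaster-keychain "$IRK_KEYCHAIN"
}

# Step 3: unlock the keychain so its items can be exported; prompts for the password.
irk_unlock_keychain() {
    security unlock-keychain "$IRK_KEYCHAIN"
}

# "Without the private key" export: certificate only, PEM encoded.
# (Assumed CLI equivalent of File > Export Items with only the certificate selected.)
irk_export_public_pem() {
    security export -k "$IRK_KEYCHAIN" -t certs -f pemseq -o "$1"
}

# "With the private key" export: identity (cert + private key) as a password-protected .p12.
# $1 = output path, $2 = passphrase you will be asked for when uploading to the JSS.
irk_export_p12() {
    security export -k "$IRK_KEYCHAIN" -t identities -f pkcs12 -P "$2" -o "$1"
}

# Pre-upload check: returns 0 only if the file looks like a public-only export.
# PEM: must contain a CERTIFICATE block and no PRIVATE KEY block.
# Binary: a DER certificate starts with 0x30 (SEQUENCE); so does a PKCS#12 bundle,
# so .p12/.pfx names are refused outright because they always carry the private key.
irk_is_public_only() {
    f="$1"
    [ -r "$f" ] || return 1
    case "$f" in
        *.p12|*.pfx) return 1 ;;
    esac
    if grep -q -- '-----BEGIN' "$f"; then
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            return 1
        fi
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            return 0
        fi
        return 1
    fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Run the public-only procedure end to end when invoked as: sh irk.sh run <out.pem>
if [ "${1:-}" = "run" ]; then
    out="${2:-$HOME/FileVaultMaster.pem}"
    irk_create_keychain
    irk_unlock_keychain
    irk_export_public_pem "$out"
    if irk_is_public_only "$out"; then
        echo "OK: $out contains the recovery key certificate only; keep $IRK_KEYCHAIN offline."
    else
        echo "REFUSED: $out appears to include private key material; do not upload it." >&2
        exit 1
    fi
fi
```

The check is deliberately conservative: a bare DER file is accepted only by its leading byte and extension, so keep the "without the private key" export in .pem form where possible and let the PEM header test do the work. The FileVaultMaster.keychain file itself always holds the private key, which is why the steps above have you back it up and store it securely rather than upload it.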

Copyright JAMF Software, LLC 2016