Managing FileVault in macOS

Using Secure Token

Apple File System (APFS) in macOS 10.13 or later changes how FileVault encryption keys are generated. In previous versions of macOS on CoreStorage volumes, the keys used in the FileVault encryption process were created when a user or organisation turned on FileVault on a Mac. In macOS on APFS volumes, the keys are generated either during user creation, setting the first user’s password, or during the first login by a user of the Mac. This implementation of the encryption keys, when they’re generated and how they’re stored are all part of a feature known as Secure Token. Specifically, a secure token is a wrapped version of a key-encryption key (KEK) protected by a userʼs password.

When deploying FileVault on APFS, the user can continue to:

• Use existing tools and processes, such as a personal recovery key (PRK) that can be stored with a mobile device management (MDM) solution for escrow

• Defer enablement of FileVault until a user logs in to or out of the Mac

• Create and use an institutional recovery key (IRK)

In macOS 11, setting the initial password for the very first user on the Mac results in that user being granted a secure token. In some workflows, that may not be the desired behaviour as previously, granting the first secure token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute prior to setting the user’s password, as shown below:

Using Bootstrap Token

macOS 10.15 introduced a new feature — Bootstrap Token — to help with granting a secure token to both mobile accounts and the optional device enrolment–created administrator account (“managed administrator”). In macOS 11, a bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts. Using the Bootstrap Token feature of macOS 10.15 or later requires:

• Mac enrolment in MDM using Apple School Manager or Apple Business Manager, which makes the Mac supervised

• MDM vendor support

In macOS 10.15.4 or later, a bootstrap token is generated and escrowed to MDM on the first login by any user who is Secure Token–enabled if the MDM solution supports the feature. A bootstrap token can also be generated and escrowed to MDM using the profiles command-line tool, if needed.

In macOS 11, a bootstrap token may also be used for more than just granting secure token to user accounts. On a Mac with Apple silicon, a bootstrap token, if available, can be used to authorise the installation of both kernel extensions and software updates when managed using MDM.

Institutional versus personal recovery keys

FileVault on both CoreStorage and APFS volumes supports using an institutional recovery key (IRK, previously known as a FileVault Master identity) to unlock the volume. Though an IRK is useful for command-line operations to unlock a volume or turn off FileVault altogether, its utility for organisations is limited, especially in recent versions of macOS. And on a Mac with Apple silicon, IRKs provide no functional value for two primary reasons: First, IRKs can’t be used to access recoveryOS, and second, because target disk mode is no longer supported, the volume can’t be unlocked by connecting it to another Mac. For those reasons and more, the use of an IRK is no longer recommended for institutional management of FileVault on Mac computers. Instead, a personal recovery key (PRK) should be used.