Set a FileVault recovery key for Mac computers in your institution

Learn how to make sure that users can recover FileVault-encrypted data if they can’t log in to their Mac.

These steps require FileVault 2 in OS X Lion or later.

Create a master password and private recovery key

First, create a master password and private recovery key on one of your Mac computers:

  1. Choose the Apple menu > System Preferences, then click Users & Groups.
  2. Click the Lock button, then enter a user name and password.
  3. From the Action menu, choose Set Master Password.
  4. Enter and verify your master password, then click OK.
  5. Move the file at /Library/Keychains/FileVaultMaster.cer to the Trash.
  6. Copy the file at /Library/Keychains/FileVaultMaster.keychain to a secure location, like an external drive or an encrypted disk image on another physical disk. This FileVault master keychain contains the private FileVault recovery key. You can use this private key to unlock the startup disk of any Mac computer that uses your deployed FileVault master keychain. 

Update and deploy the FileVault master keychain*

  1. Drag the file at /Library/Keychains/FileVaultMaster.keychain to the Desktop to copy it onto the Desktop.
  2. On the Desktop, double-click the copied version of FileVaultMaster.keychain.
  3. Keychain Access opens, and two keychains named “FileVaultMaster.keychain” are listed on the left.
  4. Select the file at /Users/username/Desktop/FileVaultMaster.keychain.
  5. Click the lock in the upper-left corner to unlock the FileVaultMaster keychain.
  6. Select the private key.
  7. Press the Delete key on the keyboard. Click Delete in the dialog.
  8. Quit Keychain Access.
  9. Copy the updated file at ~/Desktop/FileVaultMaster.keychain back to /Library/Keychains.
  10. Type an administrator name and password in the dialog.
  11. Click the Replace button in the dialog.

Then deploy the updated FileVault master keychain to each client Mac:

  1. Make a copy of the file at /Library/Keychains/FileVaultMaster.keychain, but don't replace the identically named private recovery key that you copied earlier. That private key isn't for distribution.
  2. Put the updated FileVaultMaster.keychain file in the /Library/Keychains/ folder of each Mac. The file's ownership and permissions should be -rw-r--r--, which you can set with these Terminal commands:
    sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain
    sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain

*If you're using OS X El Capitan or later, you can update the original FileVault master keychain to prepare it for deployment.
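As an added example (not from the Apple article), the following POSIX sh helper copies the stripped FileVaultMaster.keychain into /Library/Keychains on a client Mac, applies the ownership and mode above, and verifies the result so a deployment script can fail loudly on a client where the file is missing, writable by non-root users, or owned by the wrong account. The function names and the source path passed to install_keychain are assumptions; the ownership and mode values are the ones the article specifies.

```shell
#!/bin/sh
# Hypothetical deployment helper (not Apple's code): install the keychain that
# has had its private key removed and verify ownership root:wheel, mode 644.

KEYCHAIN_DIR=/Library/Keychains
KEYCHAIN_NAME=FileVaultMaster.keychain

# Print the 10-character mode string from ls -ld (e.g. -rw-r--r--). Truncating
# to 10 characters drops any ACL/extended-attribute suffix such as "+" or "@".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Print the owner of a file (third field of ls -ld).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Return 0 only if the keychain exists, is owned by root, and is mode 644.
# Each failure is reported on stderr so an MDM or fleet script can log it.
verify_keychain() {
    kc=$1
    [ -f "$kc" ] || { echo "missing: $kc" >&2; return 1; }
    [ "$(file_mode "$kc")" = "-rw-r--r--" ] \
        || { echo "bad mode on $kc: $(file_mode "$kc")" >&2; return 1; }
    [ "$(file_owner "$kc")" = "root" ] \
        || { echo "bad owner on $kc: $(file_owner "$kc")" >&2; return 1; }
    return 0
}

# Copy the stripped keychain into place and set ownership and mode as the
# article requires, then verify. Run with sudo (or as root) on the client.
install_keychain() {
    src=$1
    dst=$KEYCHAIN_DIR/$KEYCHAIN_NAME
    [ -f "$src" ] || { echo "source keychain not found: $src" >&2; return 1; }
    cp "$src" "$dst" || return 1
    chown root:wheel "$dst" || return 1
    chmod 644 "$dst" || return 1
    verify_keychain "$dst"
}
```

Typical use is `sudo sh -c '. ./deploy.sh; install_keychain /path/to/stripped/FileVaultMaster.keychain'` (hypothetical file names), and `verify_keychain /Library/Keychains/FileVaultMaster.keychain` alone as a periodic compliance check.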

Turn on FileVault on each Mac

After you deploy the FileVault master keychain, turn on FileVault on each client Mac. You should see the message “A recovery key has been set by your company, school, or institution.” Click Continue.


If a user can't log in to their Mac

If a user forgot their account password and can't log in, use these steps to unlock their startup disk and access its FileVault-encrypted data.

  1. On the client Mac, start up from macOS Recovery by holding Command-R during startup.
  2. Connect the external drive that contains the private recovery key.
  3. From the menu bar, choose Utilities > Terminal.
  4. If you stored the private recovery key in an encrypted disk image, use the following command in Terminal to mount that image. Replace /path with the path to the disk image:

    hdiutil attach /path

  5. Use the following command to unlock the FileVault master keychain. Replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:

    security unlock-keychain /path

    Example for a volume named ThumbDrive:
    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  6. Enter the master password to unlock the startup disk. If the password is accepted, the command prompt returns.
  7. Use the following command to get a list of the drives and CoreStorage volumes:
    diskutil cs list
  8. Select the UUID that appears after “Logical Volume,” then copy it for use in the next step.

     +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B

  9. Use the following command to unlock the encrypted startup disk. Replace UUID with the UUID you copied in the previous step, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:

    diskutil cs unlockVolume UUID -recoveryKeychain /path

    Example for UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:
    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  10. Enter the master password to unlock the keychain and mount the startup disk.
  11. Use command-line tools such as ditto to back up the data on the disk, or quit Terminal and use Disk Utility.
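As an added example (not from the Apple article), the following POSIX sh helper scripts steps 5 through 10 above: it unlocks the master keychain with `security unlock-keychain`, parses `diskutil cs list` output to find the logical volumes whose Status is Locked, validates each UUID, and runs `diskutil cs unlockVolume ... -recoveryKeychain` for each. The function names are assumptions, and the embedded `diskutil cs list` text is a constructed sample that only reuses the UUID shown in the article; the parsing functions use plain sh and awk so they can be exercised on any system, while `recover_locked_volumes` is meant for Terminal in macOS Recovery.

```shell
#!/bin/sh
# Hypothetical recovery helper (not Apple's code) for the steps in the article.

# Print one line per CoreStorage logical volume: UUID<tab>Status<tab>LV Name.
# Reads `diskutil cs list` text on stdin. Only "Logical Volume <hex>-" lines
# match, so the "Logical Volume Group" and "Logical Volume Family" headers in
# the same output are skipped.
list_logical_volumes() {
    awk '
        function flush() {
            if (uuid != "") printf "%s\t%s\t%s\n", uuid, status, name
            uuid = status = name = ""
        }
        /Logical Volume [0-9A-Fa-f]+-/ {
            flush()
            for (i = 1; i <= NF; i++) if ($i == "Volume") { uuid = $(i + 1); break }
        }
        uuid != "" && /Status:/  { status = $NF }
        uuid != "" && /LV Name:/ { sub(/.*LV Name: */, ""); name = $0 }
        END { flush() }
    '
}

# Print only the UUIDs of volumes whose Status is Locked.
locked_volume_uuids() {
    list_logical_volumes | awk -F "$(printf '\t')" '$2 == "Locked" { print $1 }'
}

# Return 0 if the argument has the 8-4-4-4-12 hex shape of a CoreStorage UUID.
is_uuid() {
    [ ${#1} -eq 36 ] || return 1
    case "$1" in
        *[!0-9A-Fa-f-]*) return 1 ;;
        ????????-????-????-????-????????????) return 0 ;;
        *) return 1 ;;
    esac
}

# Unlock one volume with the recovery keychain (diskutil prompts for the
# master password). Inputs are validated so a typo never reaches diskutil.
unlock_volume() {
    uuid=$1; keychain=$2
    is_uuid "$uuid" || { echo "not a UUID: $uuid" >&2; return 1; }
    [ -f "$keychain" ] || { echo "keychain not found: $keychain" >&2; return 1; }
    diskutil cs unlockVolume "$uuid" -recoveryKeychain "$keychain"
}

# Steps 5 to 10 end to end: unlock the master keychain, then every locked
# logical volume. UUIDs are collected first so diskutil keeps a normal stdin.
recover_locked_volumes() {
    keychain=$1
    [ -f "$keychain" ] || { echo "keychain not found: $keychain" >&2; return 1; }
    security unlock-keychain "$keychain" || return 1
    uuids=$(diskutil cs list | locked_volume_uuids)
    [ -n "$uuids" ] || { echo "no locked CoreStorage volumes found" >&2; return 1; }
    for uuid in $uuids; do
        unlock_volume "$uuid" "$keychain" || echo "failed to unlock $uuid" >&2
    done
}

# Constructed sample of `diskutil cs list` output (shape only). The first UUID
# is the one from the article; the second volume and all other UUIDs are made up.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0
    =========================================================
    Name:         Macintosh HD
    +-> Logical Volume Family 6C1D0BAE-2F3E-4D5C-9B8A-7F6E5D4C3B2A
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD
            Volume Name:           Not applicable (not mounted)
        |
        +-> Logical Volume 9B8A7F6E-5D4C-3B2A-1908-F7E6D5C4B3A2
            ---------------------------------------------------
            Disk:                  disk2
            Status:                Online
            LV Name:               Data
            Volume Name:           Data
'

# Demonstration on the constructed sample: prints the one locked UUID.
printf '%s' "$SAMPLE_CS_LIST" | locked_volume_uuids
```

In Recovery, after mounting the external drive or disk image, `recover_locked_volumes /Volumes/ThumbDrive/FileVaultMaster.keychain` replaces the manual copy-and-paste of the UUID; you are still prompted for the master password once for the keychain and once per volume, as in the manual steps.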
Published Date: Wed May 24 15:13:16 GMT 2017