Set a FileVault recovery key for Mac computers in your institution

Mac administrators can ensure that their users' FileVault-encrypted data can be recovered when the user can't log in to their Mac.

These steps require FileVault 2 in OS X Lion or later.

Create a master password and private recovery key

Start by creating a master password and private recovery key on one of your Mac computers:

  1. Choose Apple  menu > System Preferences, then click Users & Groups.
  2. Click the Lock   button, then enter an admin name and password.
  3. From the Action  pop-up menu, choose Set Master Password.
  4. Enter and verify your master password, then click OK.
  5. Move the file at /Library/Keychains/FileVaultMaster.cer to the Trash.
  6. Copy the file at /Library/Keychains/FileVaultMaster.keychain to a safe location, such as an external drive or encrypted disk image on another physical disk. This FileVault master keychain contains the private FileVault recovery key. You can use this private key to unlock the startup disk of any Mac computer that uses your deployed FileVault master keychain. 

Update and deploy the FileVault master keychain

Update the original FileVault master keychain to prepare it for deployment:

  1. Double-click the file at /Library/Keychains/FileVaultMaster.keychain. Keychain Access opens.
  2. In Keychain Access, select FileVaultMaster from the Keychains section of the sidebar.
  3. Select FileVault Master Password Key from the list of keys. Press Delete, then click the Delete button to confirm.
  4. Quit Keychain Access.

Then deploy the updated FileVault master keychain to each client Mac:

  1. Make a copy of the file at /Library/Keychains/FileVaultMaster.keychain, but don't replace the identically named private recovery key that you copied earlier. That private key is not for distribution.
  2. Put the updated FileVaultMaster.keychain file in the /Library/Keychains/ folder of each Mac. The file's ownership and permissions should be -rw-r--r--, which you can set with these Terminal commands:
sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain
sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain

Turn on FileVault on each Mac

After deploying the FileVault master keychain, turn on FileVault on each client Mac. You should see the message “A recovery key has been set by your company, school, or institution.” Click Continue.

Recovery Key sheet

If a user can't log in to their Mac

If a user forgot their account password and can't log in with their account or another admin account, you can use these steps to unlock their startup disk and access its FileVault-encrypted data.

  1. On the client Mac, start up from OS X Recovery by holding Command-R during startup.
  2. Connect the external drive that contains the private recovery key.
  3. Choose Utilities > Terminal from the menu bar.
  4. If you stored the private recovery key in an encrypted disk image, use the following command in Terminal to mount that image. Replace /path with the path to the disk image:

    hdiutil attach /path

  5. Use the following command to unlock the FileVault master keychain. Replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:

    security unlock-keychain /path

    Example for a volume named ThumbDrive:
    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  6. Enter the master password to unlock the startup disk. If the password is accepted, the command prompt returns.
  7. Use the following command to get a list of the drives and corestorage volumes:

    diskutil cs list

  8. Select the UUID that appears after “Logical Volume,” then copy it for use in the next step.

     +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B

  9. Use the following command to unlock the encrypted startup disk. Replace UUID with the UUID you copied in the previous step, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:

    diskutil cs unlockVolume UUID -recoveryKeychain /path

    Example for UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:
    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  10. Enter the master password to unlock the keychain and mount the startup disk.
  11. You can now use command-line tools such as ditto to back up the data on the disk, or quit Terminal and use Disk Utility.
Published Date: