OS X: How to create and deploy a recovery key for FileVault 2

Learn how to create and deploy a recovery key for use with FileVault 2 in order to recover encrypted data after a lost user password, in this advanced article.

Use the steps below to create a master password, delete the private key, distribute the updated FileVaultMaster.keychain to clients and then recover encrypted data after a lost user password. 

Create a master password

  1. Open System Preferences and select the Users & Groups preference pane.
  2. If locked, click the lock icon to authenticate.
  3. Click the Services button and then select "Set Master Password…" from the pop-up menu.
  4. Create a master password using the sheet that appears. You can use the Password Assistant to help you create a strong password. Once set, the following files are created:
    • /Library/Keychains/FileVaultMaster.cer
    • /Library/Keychains/FileVaultMaster.keychain
  5. Copy the /Library/Keychains/FileVaultMaster.keychain file to a safe location for storage, such as an external drive or an encrypted disk image on another physical disk. This file contains the private key required to unlock the encrypted disc. You can safely delete the /Library/Keychains/FileVaultMaster.cer file.

Delete the private key

  1. Double-click /Library/Keychains/FileVaultMaster.keychain in the Finder to open the keychain with Keychain Access.
  2. In Keychain Access, select FileVaultMaster from the list of keychains on the left.
  3. Delete the "FileVault Master Password Key" by highlighting it and then pressing the Delete key on your keyboard. Click Delete in the resulting dialog.
  4. Quit Keychain Access.
  5. Copy the updated /Library/Keychains/FileVaultMaster.keychain file to another location. This file can be distributed to clients to be used by FileVault.

Distribute FileVaultMaster.keychain

Using your preferred method of distribution, copy and install the FileVaultMaster.keychain file into /Library/Keychains/ on client computers. Make sure the ownership and permissions are correct, for example:

-rw-r--r-- 1 root wheel 23540 Dec 7 13:55 /Library/Keychains/FileVaultMaster.keychain

If necessary, the following commands will configure the correct ownership and permissions, respectively:

sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain

sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain

Enabling FileVault 2

When turning on FileVault 2 in System Preferences, an alert appears informing the user that a recovery key has been set by their company, school, or institution.


If a user forgets their password, and a recovery key was installed before FileVault 2 was turned on, you can use the following steps to unlock an encrypted disk. Note: This procedure only works when the computer is started from OS X Recovery.

  1. Restart the client while holding the Command and R keys.
  2. Connect an external drive containing the FileVaultMaster.keychain file with the private key.
  3. From the Utilities menu, select Terminal.
  4. If the keychain containing the private key is stored in an encrypted disk image, use the following command to mount it:

    hdiutil attach /path/to/diskImage

  5. Use the following command to unlock the FileVaultMaster.keychain file; be sure to insert the correct path to your keychain file:

    security unlock-keychain <path to Keychain File>

    For example, on a volume named ThumbDrive:

    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  6. Enter the master password to unlock the keychain. If the password is accepted the command prompt will return.
  7. Use the following command to list the drives and corestorage volumes:

    diskutil cs list

  8. Look for the UUID of Logical Volume, usually the last in the list. Select and copy the UUID for the next command step.
  9. Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the previous step, and the correct path to the keychain file:
    diskutil cs unlockVolume <UUID> -recoveryKeychain <path to Keychain File>
    For example, you'd use this command if there was a UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:
    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
  10. Enter the master password to unlock the keychain. The volume will be mounted. You can now back up data using Disk Utility, or by using command line tools such as ditto.

Learn more

See also OS X: About FileVault 2.

Last Modified: