Configure a FileVault setting in Apple Business Essentials
FileVault is a built-in encryption capability to secure all data at rest, and you can enforce the use of FileVault to secure information on a Mac.
FileVault encrypts the data on a Mac so that unauthorized users can’t access any information without a user’s password. If a user forgets their password or is unavailable and you must gain access to the Mac, you can use a special key, called a recovery key, in place of the user’s password. Before the FileVault setting can be applied to Mac computers, you must upload a certificate that is used to encrypt the recovery key escrowed for each Mac. The encrypted recovery keys are stored in Apple Business Essentials and can be downloaded by any user with the role of Administrator; decrypting them requires the private key that matches the uploaded certificate.
After FileVault is turned on for a Mac, a user’s credentials are required during the startup process. FileVault, together with the Mac’s hardware security, helps achieve four main goals:
Requires a user’s password for decryption
Protects the operating system from a brute-force attack directly against storage media removed from the Mac
Provides a swift and secure method for wiping content via deletion of necessary cryptographic material
Enables users to change their password (and in turn the cryptographic keys used to protect their files) without requiring re-encryption of the entire volume
Apple Business Essentials uses asymmetric encryption to help ensure the privacy of your FileVault recovery keys and encrypts each device’s recovery key using an encryption certificate you generate. After you generate the certificate you must upload it to Apple Business Essentials.
An encryption certificate and its private key are a matching pair. When a new encryption certificate is generated, only the private key generated with it will decrypt the recovery keys that certificate is used to encrypt. If other Administrators on your team need access to recovery keys stored in Apple Business Essentials, use a password manager or another secure secret store to hold and share the private key needed to decrypt them. If you generate a new pair and upload its encryption certificate, the previous certificate is no longer used to encrypt new recovery keys. However, the previous private key is still required to decrypt any recovery keys that were encrypted with its matching certificate, so keep it for as long as those devices exist.
Note: If you choose to create your own encryption certificate instead of using the task below to create one, the file must be a PEM-encoded certificate with an RSA public key of at least 2048 bits.
Create an encryption certificate
The commands below generate a random 8-character ID that appears in both file names; it helps you tell which private key matches which certificate, should you create more than one pair.
On the Mac, launch the Terminal app, paste in the text below, then press Return.
(ID=$(LC_ALL=C tr -dc A-Z0-9 </dev/urandom | head -c 8)
openssl req -newkey rsa:2048 -nodes \
-keyout ~/Documents/FileVaultKeyEncryptionPrivateKey_$ID.pem \
-x509 -days 36500 \
-subj "/CN=FileVault Key Encryption Cert ($ID)" \
-out ~/Documents/FileVaultKeyEncryptionCert_$ID.pem)
Those commands generate two files in your Documents folder. Open the folder and verify that it now contains:
An encryption certificate: in a file named FileVaultKeyEncryptionCert_[id].pem
An RSA private key: in a file named FileVaultKeyEncryptionPrivateKey_[id].pem
Important: Keep each RSA private key safe. If you lose a private key file, you won’t be able to decrypt the recovery keys encrypted by its certificate and therefore won’t be able to use those recovery keys to unlock their corresponding devices if a user loses their password.
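Before uploading a certificate (whether generated with the commands above or created by other means), it is worth confirming that the file meets the stated requirements and that the private key you intend to keep really is the one that matches it. The following shell function is an added example and not part of Apple’s documentation; the function names and the method of comparing the SHA-256 of the DER-encoded public key from each file are this example’s own. It checks that both files are PEM, that the certificate carries an RSA key of at least 2048 bits, that the certificate has not expired, and that the private key pairs with the certificate.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): sanity-check a FileVault
# key-encryption certificate and private key before uploading the certificate.
# Function names and the public-key fingerprint comparison are this example's own.

# SHA-256 of the DER-encoded public key embedded in a certificate.
cert_pubkey_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_sha256() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Verify a certificate/private-key pair. Prints a reason and returns 1 on the
# first failed check; returns 0 when the pair is usable for FileVault escrow.
check_filevault_cert_pair() {   # $1 = certificate PEM, $2 = private key PEM
  cert=$1; key=$2
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "not a PEM certificate: $cert"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
    || { echo "not a PEM private key: $key"; return 1; }
  # The modulus is printed as hex; a well-formed RSA modulus has its top bit
  # set, so 4 bits per hex digit gives the exact key size.
  modhex=$(openssl x509 -in "$cert" -noout -pubkey \
    | openssl rsa -pubin -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
  [ -n "$modhex" ] || { echo "certificate public key is not RSA: $cert"; return 1; }
  bits=$(( ${#modhex} * 4 ))
  [ "$bits" -ge 2048 ] || { echo "RSA key too small: $bits bits (need 2048)"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired: $cert"; return 1; }
  [ "$(cert_pubkey_sha256 "$cert")" = "$(key_pubkey_sha256 "$key")" ] \
    || { echo "private key does not match certificate"; return 1; }
  echo "OK: $cert matches $key ($bits-bit RSA)"
  return 0
}
```

Run it as `check_filevault_cert_pair ~/Documents/FileVaultKeyEncryptionCert_[id].pem ~/Documents/FileVaultKeyEncryptionPrivateKey_[id].pem`. Because the check compares the public key derived from the private key with the one in the certificate, it also catches the case where two pairs were generated and the files from different pairs were mixed up.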
Upload an encryption certificate
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select your name at the bottom of the sidebar, select Preferences, then select Apple Business Essentials under Your MDM Servers.
Select the FileVault tab, select Upload File and select the FileVaultKeyEncryptionCert_[id].pem file created above, then select Upload.
If a FileVault configuration was assigned to users or devices through a Collection before your first encryption certificate was uploaded, the configuration will now apply to all assigned users and devices.
Replace an encryption certificate
Important: A replacement certificate encrypts only recovery keys stored in Apple Business Essentials after it is uploaded. Previously escrowed recovery keys aren’t re-encrypted with the new certificate, so keep the private key of every certificate you have ever uploaded.
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select your name at the bottom of the sidebar, select Preferences, then select Apple Business Essentials under Your MDM Servers.
Select the FileVault tab, select Replace Certificate and select the new encryption certificate file you want to use, then select Upload.
Download a FileVault recovery key for a single device
To provide the most security, FileVault recovery keys are never displayed in plain text in Apple Business Essentials. To view a recovery key, you must first download the encrypted recovery key and then decrypt it with your private key.
To download the recovery key for a single device encrypted with FileVault through Apple Business Essentials:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select Devices in the sidebar, then search for a device in the search field. See How to search.
Select the device, scroll to the FileVault section, then select Download Key.
A .csv file named FileVaultRecoveryKeysEncrypted.csv is downloaded to your computer. It contains your encrypted key, along with the corresponding device and encryption certificate.
Note: If a device was already encrypted with FileVault before the FileVault setting was assigned in Apple Business Essentials, the recovery key won’t be visible on the device’s page until the recovery key is rotated.
Rotate a recovery key and make it visible
In Apple Business Essentials, sign in with a user that has the role of Administrator.
On the Mac, launch the Terminal app, then paste in the following:
sudo /usr/bin/fdesetup changerecovery -personal
When prompted, enter the password of the locally signed in administrator to run the command (the password won’t be visible).
When prompted again, enter the locally signed in administrator user name and password a second time.
When the process is complete, the Mac has a new recovery key available in Apple Business Essentials.
Download FileVault recovery keys for all devices
To download the recovery keys for all devices encrypted with FileVault through Apple Business Essentials:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select your name at the bottom of the sidebar, select Preferences, then select Apple Business Essentials under Your MDM Servers.
Select the FileVault tab, then select Download Recovery Keys.
A .csv file named FileVaultRecoveryKeysEncrypted.csv is downloaded to your computer. It contains all of your encrypted keys, along with the corresponding device and encryption certificate.
View a FileVault recovery key
You view a FileVault recovery key by decrypting it from the downloaded .csv file using the private key that matches the encryption certificate named in that row.
Open FileVaultRecoveryKeysEncrypted.csv.
Locate the row with the serial number of the device for which you want the recovery key. Copy the second cell of that row, which is in a column named “Encrypted Recovery Key.” The cell should contain contents that look like random text.
Open TextEdit and create a new plain text file.
You may need to press Shift-Command-T if TextEdit defaults to rich text. Paste the cell copied above and save the file in the folder that contains the private key that pairs with your encryption certificate. The file should contain only the base64 text from the cell.
On the Mac, launch the Terminal app, navigate to the folder containing the new text file and private key, and paste the commands below. Replace YourTextFile and YourPrivateKey with your respective file names, then press Return.
base64 --decode -i YourTextFile.txt |\
openssl smime -decrypt -inform der -inkey YourPrivateKey.pem \
-out FileVaultRecoveryKey.txt
Your decrypted recovery key is written to a file named FileVaultRecoveryKey.txt in the same folder as your private key.
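It is prudent to exercise this decrypt pipeline once, with a key you control, before you are in a situation where a user is locked out. The functions below are an added example and not part of Apple’s documentation. They assume what the documented command implies: that the cell holds a base64-encoded, DER-encoded CMS (S/MIME) enveloped message addressed to your encryption certificate. `escrow_encrypt` simulates that encryption locally so the round trip can be tested offline; `escrow_decrypt` is the documented command reading from stdin; `decrypt_from_csv` pulls one device’s cell out of the downloaded file, assuming the column layout Serial, Encrypted Recovery Key, Certificate (check the real header row before relying on that). The function names, the column layout and the serial number used in the usage note are this example’s own.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): exercise the documented
# FileVault recovery-key decrypt pipeline end to end. Assumes the escrowed
# cell is base64 of a DER-encoded CMS enveloped message, which is what
# "base64 --decode | openssl smime -decrypt -inform der" implies.
# Function names and the CSV column layout are this example's own.

# Simulate the escrow step: encrypt a recovery key to the certificate and emit
# one line of base64, as you would expect to find in the "Encrypted Recovery
# Key" cell. -binary keeps the content byte-for-byte.
escrow_encrypt() {   # $1 = certificate PEM, $2 = plaintext recovery key
  printf '%s' "$2" \
    | openssl smime -encrypt -binary -aes256 -outform der "$1" \
    | base64 | tr -d '\n'
}

# The documented decrypt command, reading the base64 text from stdin instead
# of from a file. Fails (non-zero exit) if the private key does not match the
# certificate the key was encrypted to.
escrow_decrypt() {   # $1 = private key PEM, $2 = base64 text from the cell
  printf '%s' "$2" \
    | base64 --decode \
    | openssl smime -decrypt -inform der -inkey "$1"
}

# Pull the "Encrypted Recovery Key" cell (column 2) for one serial number out
# of the downloaded CSV and decrypt it. Assumed header (verify against the
# real file): Serial,Encrypted Recovery Key,Certificate
decrypt_from_csv() {   # $1 = private key PEM, $2 = CSV path, $3 = serial
  cell=$(awk -F, -v s="$3" 'NR > 1 && $1 == s { print $2; exit }' "$2")
  [ -n "$cell" ] || { echo "no row for serial $3" >&2; return 1; }
  escrow_decrypt "$1" "$cell"
}
```

A useful drill is to generate a throwaway pair with the commands from the Create an encryption certificate task, run `escrow_encrypt` with it on a made-up key string, and confirm that `escrow_decrypt` returns the same string with the matching private key and fails with any other private key. That failure is exactly what you will see if a replacement certificate was uploaded and the old private key was not kept, which is why the earlier private keys must be retained.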