
Managing FileVault in macOS
On devices with macOS, organizations can manage FileVault using Secure Token or Bootstrap Token.
Using Secure Token
Apple File System (APFS) in macOS 10.13 or later changes how FileVault encryption keys are generated. In previous versions of macOS on CoreStorage volumes, the keys used in the FileVault encryption process were created when a user or organization turned on FileVault on a Mac. On devices with macOS on APFS volumes, the keys are generated either during user creation, setting the first user’s password, or during the first login by a user of the Mac. This implementation of the encryption keys, when they’re generated, and how they’re stored are all part of a feature known as Secure Token. Specifically, a Secure Token is a wrapped version of a key encryption key (KEK) protected by a user’s password.
When deploying FileVault on APFS, the user can continue to:
Use existing tools and processes, such as a personal recovery key (PRK) that can be stored with a device management service for escrow
Defer enablement of FileVault until a user logs into or out of the Mac
Create and use an institutional recovery key (IRK)
In macOS 11, setting the initial password for the very first user on the Mac results in that user being granted a Secure Token. In some workflows, that may not be the desired behavior, as previously, granting the first Secure Token would have required the user account to log in. To prevent this from happening, add ;DisabledTags;SecureToken to the programmatically created user’s AuthenticationAuthority attribute prior to setting the user’s password, as shown below:
sudo dscl . append /Users/<user name> AuthenticationAuthority ";DisabledTags;SecureToken"
Using Bootstrap Token
macOS 10.15 introduced the Bootstrap Token to help with granting a Secure Token to both mobile accounts and the optional device enrollment-created administrator account (“managed administrator”). Using the Bootstrap Token feature of macOS 10.15 or later requires:
Mac enrollment in a device management service using Apple School Manager or Apple Business Manager, which makes the Mac supervised
Device management service developer support
In macOS 10.15.4 or later, a Bootstrap Token is generated and escrowed to a device management service on the first login by any user who is Secure Token–enabled if the device management service supports the feature. A Bootstrap Token can also be generated and escrowed to a device management service using the profiles command-line tool, if needed.
In macOS 11 or later, a Bootstrap Token:
Can grant a Secure Token to any user logging in to a Mac computer, including local user accounts.
On a Mac with Apple silicon, a Bootstrap Token can be used to authorize the installation of both kernel extensions and software updates when managed using a device management service.
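As an added example that is not Apple's own tooling, the following POSIX shell script strings together the two procedures above: creating a local account on macOS 11 or later without granting it the first Secure Token (the dscl step from the Secure Token section) and generating and escrowing a Bootstrap Token with the profiles tool. The account name svc_deploy, its UniqueID and the password are constructed placeholders, and the "Secure token is ENABLED" wording matched from sysadminctl output is an assumption.

```shell
#!/bin/sh
# Added example, not Apple's code. "svc_deploy", UniqueID 5001 and the
# password are constructed placeholders. With DRY_RUN=1 every privileged
# command is printed instead of executed, so the sequence can be reviewed
# (and checked) on any host before it is run on a Mac.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create a local account on macOS 11 or later WITHOUT granting it the first
# Secure Token. The AuthenticationAuthority append must come before -passwd,
# because setting the first password is what mints the token.
create_user_without_token() {
    user="$1"; pass="$2"
    run sudo dscl . -create "/Users/$user"
    run sudo dscl . -create "/Users/$user" UserShell /bin/zsh
    run sudo dscl . -create "/Users/$user" UniqueID 5001
    run sudo dscl . -create "/Users/$user" PrimaryGroupID 20
    run sudo dscl . -create "/Users/$user" NFSHomeDirectory "/Users/$user"
    run sudo dscl . -append "/Users/$user" AuthenticationAuthority ";DisabledTags;SecureToken"
    run sudo dscl . -passwd "/Users/$user" "$pass"
}

# Generate a Bootstrap Token and escrow it to the device management service
# (macOS 10.15.4 or later, supervised Mac), then report its status.
escrow_bootstrap_token() {
    run sudo profiles install -type bootstraptoken
    run sudo profiles status -type bootstraptoken
}

# Self-check on the dry-run output: the DisabledTags append must be emitted
# on an earlier line than the password set. Returns 0 when the order is right.
steps_in_order() {
    out=$(DRY_RUN=1; create_user_without_token "$1" "$2")
    a=$(printf '%s\n' "$out" | grep -n 'DisabledTags;SecureToken' | cut -d: -f1)
    p=$(printf '%s\n' "$out" | grep -n ' -passwd ' | cut -d: -f1)
    [ -n "$a" ] && [ -n "$p" ] && [ "$a" -lt "$p" ]
}

# Interpret the text `sysadminctl -secureTokenStatus <user>` prints (it writes
# to stderr; the "Secure token is ENABLED/DISABLED" wording is assumed here).
secure_token_enabled() {
    case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

# Typical run after the dry-run review:
#   create_user_without_token svc_deploy 'Placeholder-Pass-1'
#   secure_token_enabled "$(sysadminctl -secureTokenStatus svc_deploy 2>&1)" && echo "token granted"
#   escrow_bootstrap_token
```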
Institutional versus personal recovery keys
FileVault on both CoreStorage and APFS volumes supports using an institutional recovery key (IRK, previously known as a FileVault Master identity) to unlock the volume. Though an IRK is useful for command-line operations to unlock a volume or turn off FileVault altogether, its utility for organizations is limited, especially in recent versions of macOS. And on a Mac with Apple silicon, IRKs provide no functional value for two primary reasons: IRKs can’t be used to access recoveryOS, and because target disk mode is no longer supported, the volume can’t be unlocked by connecting it to another Mac.
Important: For those reasons and more, the use of an IRK is no longer recommended for institutional management of FileVault on Mac computers. Instead, a personal recovery key (PRK) should be used.
Unlock FileVault using SSH
On a Mac with Apple silicon with macOS 26 or later, FileVault can be unlocked over SSH after a restart if Remote Login is turned on and a network connection is available.