Creating an Institutional FileVault Recovery Key on Mac OS X
At some point as an administrator you'll be faced with a scenario where you need institutional access to a FileVault-encrypted Mac. To be ready for that, you need to create what's known as an Institutional Recovery Key.
Beware that creating the FileVault Institutional Key is kind of like creating the keys to the kingdom, so keep it safe at all costs!
So to create an Institutional FileVault Recovery Key, you'll need to do the following:
- Open Terminal
- Next, create a new FileVaultMaster keychain with the following command:
sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
- When prompted, enter a new password for the keychain, and remember this password!
- Next, unlock the newly created FileVaultMaster keychain with the following command:
security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
- When prompted for the password to unlock the keychain, enter the password you set in the step above
- Open Keychain Access
- From the menu bar click File > Add Keychain and add the FileVaultMaster.keychain located in /Library/Keychains/
- You'll now see the FileVaultMaster keychain in Keychain Access; click on the certificate it contains and, from the menu bar, click File > Export Items
- Name the file accordingly and save it in an accessible location, e.g. the Desktop
- Quit Keychain Access
- Make a copy of the FileVaultMaster.keychain file located in /Library/Keychains/ in a secure location
- Ensure you back this up in multiple secure locations, "just in case"
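The same procedure as a script, added here as an example and not part of the original post: it runs the steps with the security command alone (no Keychain Access), and adds a check that the file you hand out to client Macs is the certificate (public key) and not something carrying the private key, which stays in the keychain backup. The export path, the BACKUP_DIR placeholder and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the FileVaultMaster steps as a script.
# Assumptions: keychain path as in the post, export to the Desktop, BACKUP_DIR placeholder.
set -eu

KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"
CERT_OUT="${HOME}/Desktop/FileVaultMaster.cer"
BACKUP_DIR="${BACKUP_DIR:-/path/to/secure/backup}"   # placeholder, set your own

# Create the keychain; security prompts for the new password.
create_master_keychain() {
    sudo security create-filevaultmaster-keychain "$KEYCHAIN"
}

# Unlock it; security prompts for the password just set.
unlock_master_keychain() {
    security unlock-keychain "$KEYCHAIN"
}

# Export only the certificate (DER .cer), which is what gets deployed to clients.
# The private key is never exported here; it stays in the keychain.
export_recovery_certificate() {
    sudo security export -k "$KEYCHAIN" -t certs -f x509 -o "$CERT_OUT"
}

# Check a file before deploying it: it must be a bare certificate (DER starts with
# the ASN.1 SEQUENCE tag 0x30, or a PEM CERTIFICATE block) and must not carry
# any PEM private-key text. Returns 0 when it looks like a certificate, 1 otherwise.
export_is_public_only() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -q "PRIVATE KEY" "$f"; then return 1; fi
    if head -c 27 "$f" | grep -q '^-----BEGIN CERTIFICATE-----'; then return 0; fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Back up the keychain (the private key) with owner-only permissions.
backup_master_keychain() {
    sudo install -m 600 "$KEYCHAIN" "$BACKUP_DIR/FileVaultMaster.keychain"
}

# Run the whole procedure only on a Mac where the security(1) tool exists.
if command -v security >/dev/null 2>&1; then
    create_master_keychain
    unlock_master_keychain
    export_recovery_certificate
    if ! export_is_public_only "$CERT_OUT"; then
        echo "refusing to continue: $CERT_OUT does not look like a bare certificate" >&2
        exit 1
    fi
    backup_master_keychain
fi
```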
You have now set up an Institutional Recovery Key: Macs whose FileVault is enabled with this key's certificate can be unlocked with the private key held in the FileVaultMaster keychain.
Let me know how you guys get on with creating your key; if you need any help, drop me a note below. My next post will go through configuring your Institutional Recovery Key in JAMF Casper Suite and how to set a policy to FileVault a machine with this specific key.