Home > FileVault 2, Mac administration, Mac OS X > Using a FileVault 2 institutional recovery key in Mavericks to generate an individual recovery key

Using a FileVault 2 institutional recovery key in Mavericks to generate an individual recovery key

A change that occurred between Mountain Lion and Mavericks is that it’s no longer possible to add additional users with fdesetup by using a non-enabled admin user’s credentials. Instead, you must use either a previously-enabled user’s credentials or use a personal recovery key (aka an individual recovery key) to authorize adding a user account with fdesetup add.

The recovery key option is specifically for the personal recovery key; there is not an option in fdesetup add to use the institutional recovery recovery. This is an issue for IT shops that are using fdesetup enable with the -defer option in combination with an institutional recovery key because the Mavericks way to authorize additional accounts depends on an enabled user’s password (which in this case would be an end-user’s password) or a personal recovery key (which doesn’t exist.)

There is a way to fix this in a roundabout way, by leveraging the ability of fdesetup in Mavericks to generate a new personal recovery key using fdesetup changerecovery. fdesetup changerecovery allows the use of an institutional recovery keychain to authorize the generation of a new personal recovery key. To do this, run the following command:

sudo fdesetup changerecovery -personal -key /path/to/keychain_with_both_private_and_public_recovery_keys_inside.keychain

Screen Shot 2013-12-20 at 1.45.27 PM

You’ll be prompted for the password to unlock the institutional recovery keychain. Once that password is provided, a new personal recovery key will be generated.

To verify that this new recovery key is valid, run the following command:

sudo fdesetup validaterecovery

If the new personal recovery key is valid, you should receive a result of “true”.

Screen Shot 2013-12-20 at 1.46.22 PM

fdesetup can also export the recovery key to a plist file by using the -outputplist flag. To generate a new personal recovery key and have it exported to a plist, run the following command:

sudo fdesetup changerecovery -personal -key /path/to/FileVaultMaster.keychain -outputplist > /path/to/new_recovery_key.plist

Screen Shot 2013-12-20 at 1.52.01 PM

The plist should contain information similar to what’s shown below and include the new personal recovery key information in the RecoveryKey plist value.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Change</key>
	<true/>
	<key>EnabledDate</key>
	<string>2013-12-20 13:51:58 -0500</string>
	<key>HardwareUUID</key>
	<string>00000000-0000-1000-8000-000C2991B2C4</string>
	<key>HasMasterKeychain</key>
	<true/>
	<key>RecoveryKey</key>
	<string>MLZA-NZTC-MVLM-O82Q-Y8TW-F8FX</string>
	<key>SerialNumber</key>
	<string>VM401BlpPKGn</string>
</dict>
</plist>

fdesetup changerecovery doesn’t currently include a way to utilize the institutional recovery keychain without requiring a password to be entered, but it is possible to automate the password entry process using an expect script or other means. As an example, I’ve written an expect script which automates running the fdesetup changerecovery process described above to generate a new personal recovery key and export it to a plist.

  1. Tim Kimpton
    February 6, 2014 at 4:01 pm

    Hi Rich

    Do you think its possible to use an expect script to disable File Vault 2?

    • February 7, 2014 at 5:51 pm

      Sure, you should be able to use an expect script for this. See below for an example:

      #!/usr/bin/expect
      
      log_user 0
      set password s3kr1tp4ssw0rd
      spawn fdesetup disable
      expect "'/': "
      send "$password\n"
      expect EOF
      
  2. Tim Kimpton
    February 10, 2014 at 10:00 am

    unfortunately when trying to run this script on 10.9 i get this error

    log_user: command not found
    test2.sh: line 5: spawn: command not found
    couldn’t read file “‘/’: “: no such file or directory
    test2.sh: line 7: send: command not found
    couldn’t read file “EOF”: no such file or directory

    • Tim Kimpton
      February 10, 2014 at 10:24 am

      my mistake, thanks Rich it works :)

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 143 other followers

%d bloggers like this: