Removing all recovery keys from a FileVault 2-encrypted Mavericks Mac

One of the functions added to the fdesetup tool in 10.9 is removerecovery. This function removes the current recovery key(s) from a FileVault 2-encrypted Mac and can be used to remove the personal and/or institutional recovery keys from a Mac.

One interesting aspect of this is that this function can be used to remove all recovery keys from a FileVault 2-encrypted Mac running Mavericks. Once the recovery keys have been removed from your Mac, only FileVault 2-enabled accounts will be able to unlock or decrypt it. For more details, see below the jump.


Note: I do not advocate removing all recovery keys from your system. They’re designed as a fallback way to get into your machine in case of a problem.

To remove an existing personal recovery key, run the command below with root privileges:

fdesetup removerecovery -personal

You’ll be prompted for the password of an existing FileVault 2-enabled user or the existing personal recovery key. Once entered, the personal recovery key will be removed from the system.

To remove an existing institutional key, run the command below with root privileges:

fdesetup removerecovery -institutional

You’ll be prompted for the password of an existing FileVault 2-enabled user. You can also use an existing personal recovery key if applicable.

To double-check that the recovery keys have been removed, fdesetup has additional functions to tell you if a personal or institutional key is in use. To verify if the personal recovery key has been removed, run the command below with root privileges:

fdesetup haspersonalrecoverykey

If it returns false, the FileVault 2 encryption on this Mac does not currently have an associated personal recovery key.

To verify if the institutional recovery key has been removed, run the command below with root privileges:

fdesetup hasinstitutionalrecoverykey

If it returns false, the FileVault 2 encryption on this Mac does not currently have an associated institutional recovery key.

A FileVault 2-encrypted Mac without any associated recovery keys should return false to both commands.
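An added audit helper (my own example, not code from the original post) that wraps the two fdesetup verification verbs above into a root-checked script, with the true/false interpretation kept in a separate function so it can be exercised on a machine without fdesetup; the script filename fv2_recovery_audit.sh is an assumption.

```shell
#!/bin/sh
# Added audit helper (not from the original post): reports which FileVault 2
# recovery keys a Mac still has, using the 10.9 fdesetup verbs the post covers.
# The classification lives in its own function so it can be exercised with
# constructed "true"/"false" answers on a machine without fdesetup.

# Turn the two fdesetup answers into a one-word state plus an explanation.
# Returns 2 for anything other than the literal "true"/"false" strings.
classify_recovery_keys() {
    personal="$1"
    institutional="$2"
    case "$personal/$institutional" in
        true/true)   echo "both: personal and institutional recovery keys are set" ;;
        true/false)  echo "personal: only a personal recovery key is set" ;;
        false/true)  echo "institutional: only an institutional recovery key is set" ;;
        false/false) echo "none: no recovery keys, only FileVault 2-enabled accounts can unlock this Mac" ;;
        *)           echo "unknown: unexpected fdesetup output ($personal, $institutional)"; return 2 ;;
    esac
}

# Query the live system. Both fdesetup verbs need root, so refuse to run otherwise.
audit_recovery_keys() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found: this check needs OS X 10.9 or later" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "fdesetup needs root privileges; re-run with sudo" >&2
        return 1
    fi
    # Recovery keys only mean something once FileVault 2 is actually enabled.
    if ! fdesetup status | grep -q "FileVault is On"; then
        echo "FileVault is not enabled on this Mac; nothing to audit" >&2
        return 1
    fi
    personal_key=$(fdesetup haspersonalrecoverykey)
    institutional_key=$(fdesetup hasinstitutionalrecoverykey)
    classify_recovery_keys "$personal_key" "$institutional_key"
}

# Run the live audit only when this file is executed directly (assumed
# filename fv2_recovery_audit.sh), not when it is sourced for testing.
case "$0" in
    *fv2_recovery_audit.sh) audit_recovery_keys ;;
esac
```

Run it as sudo ./fv2_recovery_audit.sh; the "none" line is what a Mac with every recovery key removed should report.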

Another way to verify that all recovery keys have been removed is to look in the FileVault preference pane in System Preferences. If a personal recovery key is being used on a FileVault 2-encrypted Mac (either by itself, or in combination with the institutional key), the FileVault preference pane should display the following message:

A recovery key has been set.

If an institutional key is being used as the sole recovery key, the FileVault preference pane should display the following message:

A recovery key has been set by your company, school or institution.

If all recovery keys have been removed from the encrypted Mac, there should be no message displayed in the FileVault preference pane.

  1. March 25, 2014 at 12:28 am

    You rock, it seems whenever we run into a FV2 issue, you post a fix the next day! :D

  2. March 26, 2014 at 8:41 am

    Interesting feature. Certainly a risky option though!
