
Creating FileVaultMaster.keychain from the command line

In FileVault 2, if you want to set the same recovery key on multiple machines, you need to create and configure a FileVaultMaster keychain. Prior to 10.7.2, this was a process that you could only perform in the GUI. Mac OS X 10.7.2 introduces a way to create this keychain using the security command.

To create a FileVaultMaster.keychain, run the following command:

security create-filevaultmaster-keychain /path/to/FileVaultMaster.keychain

(If you want to create the FileVaultMaster keychain in its proper place, use /Library/Keychains for the destination path.)

You’ll be prompted for a password for the keychain. Use the password that you’ll be setting as your Master Password here. At this point, the keychain will contain both the private and public keys needed for FileVault recovery. Make copies of the keychain and store them in a safe place.

Once you’ve made your copies, make another copy and remove the private key from that copy of the keychain. Once the private key is removed, the FileVaultMaster.keychain is ready to be used for encrypting Macs with FileVault 2.
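As an added example (not code from the original post), the bash script below carries out the steps above on macOS with the security tool: it creates the full keychain, derives a deployable copy without the private key by exporting only the certificate into a fresh keychain (this script's own method; the post does not say how the key is removed), and checks that the deployable copy reports no identities. The working directory, file names and the count_valid_identities helper are this script's assumptions.

```shell
#!/bin/bash
# Added example: build the two FileVaultMaster keychains described above
# (full copy with the private key, kept offline; public-only copy for
# deployment) and verify the deployable copy holds no identity
# (certificate paired with a private key). Needs macOS's security(1).
set -eu

WORK="${WORK:-$HOME/fvmaster}"                  # hypothetical working directory
FULL="$WORK/FileVaultMaster-private.keychain"   # keep offline, never deploy
PUBLIC="$WORK/FileVaultMaster.keychain"         # goes to /Library/Keychains on clients
CERT="$WORK/FileVaultRecoveryKey.pem"           # temporary certificate export

# Read `security find-identity -v <keychain>` output on stdin and print the
# number from its "N valid identities found" line. A keychain that holds
# only the recovery certificate reports 0; that is what the deployable
# copy must show.
count_valid_identities() {
    sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p' | tail -n 1
}

build_keychains() {
    mkdir -p "$WORK" && chmod 700 "$WORK"
    read -r -s -p "Master Password for FileVaultMaster.keychain: " PW; echo
    # 1. Create the keychain holding both the public and the private key.
    security create-filevaultmaster-keychain -p "$PW" "$FULL"
    # 2. Export only the certificate (public half) from that keychain.
    security export -k "$FULL" -t certs -f pemseq -o "$CERT"
    # 3. Build a fresh keychain with the same password and import just the
    #    certificate, so this copy never contains the private key.
    security create-keychain -p "$PW" "$PUBLIC"
    security import "$CERT" -k "$PUBLIC"
    rm -f "$CERT"
    # 4. Check: the deployable copy must report zero valid identities.
    n="$(security find-identity -v "$PUBLIC" | count_valid_identities)"
    if [ "${n:-0}" -ne 0 ]; then
        echo "ERROR: $PUBLIC still contains a private key" >&2
        return 1
    fi
    echo "OK: $PUBLIC holds the recovery certificate only; back up $FULL offline"
}

if command -v security >/dev/null 2>&1; then
    build_keychains
else
    echo "This script needs macOS's security(1); nothing done." >&2
fi
```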

It doesn’t appear that the security man page has been updated with information about this new option, but you can see what it does by running security help and checking at the bottom of the list that appears.

  1. Timm
    April 12, 2013 at 4:13 am

    I’m trying to script a way of creating unique FileVaultMaster.keychain for each machine based on certain prompted parameters and this has proved very helpful.

    As a follow on question, with the modified FileVaultMaster.keychain in place does the Master Password still need to be set on the system to be encrypted?
