Rotating the FileVault 2 Master Password
If you want to use FileVault 2 with FileVaultMaster.keychain as a managed recovery key, the issue of regularly changing your institution’s Master Password may come up if your worksite mandates password rotation. Since the Master Password’s sole function is to act as the password used to unlock the FileVaultMaster.keychain, this should be relatively straightforward. As long as the public key on your Macs and the private and public keys in your escrowed FileVaultMaster.keychain stay the same, the password to unlock FileVaultMaster.keychain can be updated as often as needed.
There are two strategies you can use here:
1. You can change the password on a copy of your institution’s FileVaultMaster.keychain and push the updated FileVaultMaster.keychain to /Library/Keychains on your Macs – In my opinion, this is probably the most secure way to do this because you’re replacing one encrypted file with another encrypted file, without revealing in transit what the new password is. The main danger would be an incomplete or corrupted copy of the keychain file somehow being pushed to the machines.
2. You can use the security command to update the existing FileVaultMaster.keychain on the machines – In this case, you’re using the security command’s keychain password functionality to update the password used to unlock /Library/Keychains/FileVaultMaster.keychain from a known old password to a known new password. You would need to use sudo, or run it as root, as the FileVault keychain should be owned and writable only by root. Here’s the command to use (command should be all on one line):
sudo security set-keychain-password -o old_master_password -p new_master_password /Library/Keychains/FileVaultMaster.keychain
The main security concern here would be that the passwords referenced in the command appear in clear text on the command line, and every command run through sudo is recorded in /var/log/system.log. Running the command as the root user without using sudo would mean that it should not show up in /var/log/system.log, but it may show up in the root user’s shell history.