Identifying FileVault 2 institutional recovery keys on OS X El Capitan
On OS X 10.9.0 – 10.11.x, you can run the following command to verify if a FileVault 2-encrypted Mac is using an institutional recovery key (IRK) as a valid recovery key.
fdesetup hasinstitutionalrecoverykey
If FileVault 2 is using an IRK, this command will return true.
Otherwise it will return false.
As part of the release of OS X 10.11.2, a new function was added to fdesetup‘s hasinstitutionalrecoverykey verb. Now, in addition to identifying whether or not FileVault 2 on a particular Mac has an institutional recovery key, a new -device option has been added which outputs a SHA-1 hash in hexadecimal notation of the IRK’s public key. This helps Mac admins answer two questions about institutional recovery keys:
- Is an IRK being used as a valid recovery key on this Mac?
- If an IRK is in use, which one is being used?
The -device option needs to be supplied with an identifier for the encrypted drive in question. This can be in the form of a BSD device name ( /dev/diskX ), the mount path ( /Volumes/Macintosh HD or / ), or a UUID for the Logical Volume or Logical Volume Family of a CoreStorage volume.
To display the hash for an IRK’s public key on the Mac’s boot volume, run the command below with root privileges:
fdesetup hasinstitutionalrecoverykey -device /
It should output the hash of the IRK’s public key in hexadecimal notation.
This value should be consistent across all FileVault 2-encrypted Macs which are using this IRK, so it should help Mac admins identify if a particular Mac is set up with the correct FileVault 2 institutional recovery key (or keys) used by their shop.
To assist with this, I’ve written a script to report the hash of the IRK’s public key. For more details, see below the jump.
Recent Comments