
Identifying FileVault 2 institutional recovery keys on OS X El Capitan

On OS X 10.9.0 – 10.11.x, you can run the following command to check whether a FileVault 2-encrypted Mac is using an institutional recovery key (IRK) as a valid recovery key.

fdesetup hasinstitutionalrecoverykey

If FileVault 2 is using an IRK, this command will return true.


Otherwise it will return false.


As part of the release of OS X 10.11.2, a new function was added to fdesetup's hasinstitutionalrecoverykey verb. In addition to identifying whether or not FileVault 2 on a particular Mac has an institutional recovery key, a new -device option outputs the SHA-1 hash, in hexadecimal notation, of the IRK's public key. This helps Mac admins answer two questions about institutional recovery keys:

  1. Is an IRK being used as a valid recovery key on this Mac?
  2. If an IRK is in use, which one is being used?

The -device option needs to be supplied with an identifier for the encrypted drive in question. This can be a BSD device name (/dev/diskX), a mount path (/Volumes/Macintosh HD, or / for the boot volume), or the UUID of the Logical Volume or Logical Volume Family of a CoreStorage volume.

To display the hash for an IRK’s public key on the Mac’s boot volume, run the command below with root privileges:

fdesetup hasinstitutionalrecoverykey -device /

It should output the hash of the IRK’s public key in hexadecimal notation.


This value should be consistent across all FileVault 2-encrypted Macs using the same IRK, so it helps Mac admins verify that a particular Mac is set up with the correct FileVault 2 institutional recovery key (or keys) used by their shop.

To assist with this, I’ve written a script to report the hash of the IRK’s public key. For more details, see below the jump.

The script is designed to check the OS on a particular Mac and verify that it’s running 10.11.2 or later. If the Mac is running an earlier OS, the script reports the following:

Not Available – Unable To Export IRK Public Key Hash On, followed by the OS version.

If the script verifies that it is running on 10.11.2 or later, the script continues on to see if the Mac is encrypted and if it is using an IRK as a valid recovery key.

If the Mac is not encrypted, the script reports the following:

Not Available – Encryption Not Enabled

If the Mac is encrypted but is not using an IRK, the script reports the following:

Not Available – Valid IRK Not Found

If the Mac is encrypted and an IRK is in use as a valid recovery key on the Mac’s boot volume, the script reports the hash of the IRK’s public key in hexadecimal notation.
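The decision logic described above, written out as an added POSIX shell example (this is not the author's script from GitHub). It assumes sw_vers -productVersion for the OS version and the fdesetup status output "FileVault is On." / "FileVault is Off."; the FDESETUP and SW_VERS variables default to the real macOS binaries but can be pointed at stubs so the logic can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not the author's script: reimplements the reporting logic
# described in the post. FDESETUP and SW_VERS default to the real macOS
# binaries but can be overridden with stubs for testing on a non-Mac.
FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"
SW_VERS="${SW_VERS:-/usr/bin/sw_vers}"

# Return 0 when dotted version $1 is >= dotted version $2; a missing
# trailing field counts as 0, so "10.11" compares below "10.11.2".
version_at_least() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Print one of the three "Not Available" reasons, in the order the post
# lists them, or the SHA-1 hash of the boot volume's IRK public key.
report_irk_hash() {
    os=$("$SW_VERS" -productVersion)
    if ! version_at_least "$os" 10.11.2; then
        echo "Not Available - Unable To Export IRK Public Key Hash On $os"
        return 0
    fi
    # fdesetup status prints "FileVault is On." or "FileVault is Off."
    case $("$FDESETUP" status) in
        *"FileVault is On"*) ;;
        *) echo "Not Available - Encryption Not Enabled"; return 0 ;;
    esac
    if [ "$("$FDESETUP" hasinstitutionalrecoverykey)" != "true" ]; then
        echo "Not Available - Valid IRK Not Found"
        return 0
    fi
    # Needs root on a real Mac; "/" is the boot volume's mount path.
    "$FDESETUP" hasinstitutionalrecoverykey -device /
}

# Only run automatically on macOS; elsewhere the functions are just defined.
case $(uname) in Darwin) report_irk_hash ;; esac
```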

The script is available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/report_IRK_public_key_hash

A Casper Extension Attribute is also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/report_IRK_public_key_hash
