Identifying FileVault 2 institutional recovery keys on OS X El Capitan
On OS X 10.9.0 through 10.11.x, you can run fdesetup's hasinstitutionalrecoverykey verb to verify whether a FileVault 2-encrypted Mac is using an institutional recovery key (IRK) as a valid recovery key. If FileVault 2 is using an IRK, the command returns true; otherwise it returns false.
As part of the release of OS X 10.11.2, a new function was added to fdesetup's hasinstitutionalrecoverykey verb. In addition to identifying whether or not FileVault 2 on a particular Mac has an institutional recovery key, a new -device option outputs a SHA-1 hash, in hexadecimal notation, of the IRK's public key. This helps Mac admins answer two questions about institutional recovery keys:
- Is an IRK being used as a valid recovery key on this Mac?
- If an IRK is in use, which one is being used?
The -device option needs to be supplied with an identifier for the encrypted drive in question. This can be a BSD device name (/dev/diskX), a mount path (/Volumes/Macintosh HD or /), or the UUID of the Logical Volume or Logical Volume Family of a CoreStorage volume.
To display the hash for an IRK’s public key on the Mac’s boot volume, run the command below with root privileges:
fdesetup hasinstitutionalrecoverykey -device /
It should output the hash of the IRK’s public key in hexadecimal notation.
This value should be consistent across all FileVault 2-encrypted Macs which are using this IRK, so it should help Mac admins identify if a particular Mac is set up with the correct FileVault 2 institutional recovery key (or keys) used by their shop.
To assist with this, I’ve written a script to report the hash of the IRK’s public key. For more details, see below the jump.
The script is designed to check the OS on a particular Mac and verify that it’s running 10.11.2 or later. If the Mac is running an earlier OS, the script reports the following:
Not Available – Unable To Export IRK Public Key Hash On, followed by the OS version.
If the script verifies that it is running on 10.11.2 or later, the script continues on to see if the Mac is encrypted and if it is using an IRK as a valid recovery key.
If the Mac is not encrypted, the script reports the following:
Not Available – Encryption Not Enabled
If the Mac is encrypted but is not using an IRK, the script reports the following:
Not Available – Valid IRK Not Found
If the Mac is encrypted and an IRK is in use as a valid recovery key on the Mac’s boot volume, the script reports the hash of the IRK’s public key in hexadecimal notation.
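The decision logic described above, written out as an added example (this is not the author's script from GitHub). It assumes the real fdesetup and sw_vers commands on a Mac, takes the name of a query function so the logic can be exercised off-Mac, and the demo query function's answers (including its hash value) are constructed placeholders:

```shell
#!/bin/sh
# "10.11.2" -> 101102, so dotted OS versions compare as integers; a missing
# component (e.g. "10.11") counts as 0.
version_num() {
    IFS=. read -r major minor patch _rest <<EOF
$1
EOF
    echo $(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} ))
}

# True when version $1 is at least version $2.
version_ge() {
    [ "$(version_num "$1")" -ge "$(version_num "$2")" ]
}

# $1 = OS version, $2 = name of a function that answers "status", "hasirk"
# and "hash" with the corresponding fdesetup output. Each later query is only
# made when the earlier checks pass, mirroring the script's order of checks.
irk_report() {
    if ! version_ge "$1" "10.11.2"; then
        echo "Not Available - Unable To Export IRK Public Key Hash On $1"
    elif ! "$2" status | grep -q "FileVault is On"; then
        echo "Not Available - Encryption Not Enabled"
    elif [ "$("$2" hasirk)" != "true" ]; then
        echo "Not Available - Valid IRK Not Found"
    else
        "$2" hash
    fi
}

# Live queries on a Mac; the -device query must be run with root privileges.
fdesetup_query() {
    case "$1" in
        status) fdesetup status ;;
        hasirk) fdesetup hasinstitutionalrecoverykey ;;
        hash)   fdesetup hasinstitutionalrecoverykey -device / ;;
    esac
}

# Constructed answers for an encrypted 10.11.2+ Mac using an IRK; the hash is
# a placeholder, not a real IRK public-key hash.
demo_query() {
    case "$1" in
        status) echo "FileVault is On." ;;
        hasirk) echo "true" ;;
        hash)   echo "CONSTRUCTED-SAMPLE-HASH" ;;
    esac
}

# On a Mac, report for the boot volume; elsewhere the demo function is usable.
if [ "$(uname)" = "Darwin" ]; then
    irk_report "$(sw_vers -productVersion)" fdesetup_query
fi
```

Run as root on a Mac to get the real hash; on any other system, irk_report "10.11.2" demo_query walks the same checks against the constructed answers.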
The script is available on GitHub at the following address:
A Casper Extension Attribute is also available on GitHub at the following address: