
Using FileVault 2 recovery keys on FileVault 2-encrypted Macs to provide access for local admins

It can be difficult to provide consistent access for Mac admins when using a local admin account on FileVault 2-encrypted Macs, due to the way password changes are handled for FileVault 2-enabled accounts. The reason for the difficulty is that FileVault 2’s encryption doesn’t care about passwords, it only cares about encryption keys.

When an account on a particular Mac is enabled for FileVault 2, the account’s password is used to generate a key which can unlock the encrypted Core Storage volume that FileVault 2 sets up on the Mac. When the password for the enabled account gets changed, the password and its associated key are updated by first requesting the previous password (and its associated key) to authenticate the change to the new password and its associated key.

Assuming the old password is provided as part of the password change process, there is no problem. However, if the old password is not provided as part of the password change process, the new password does not get an associated key to unlock FileVault 2, because the old password’s key was never invoked to authorize the change to a new key. The result is that the new password can be used to log into the OS and handle whatever password authorization the OS needs, but the account’s old password is still required to log into the Mac at the FileVault 2 login screen.

The usual fix for this situation is to run the following commands with root privileges:

1. Remove the user from the list of FileVault 2-enabled accounts

fdesetup remove -user username_goes_here

[Screenshot: using fdesetup remove with a username]


2. Add the user back to the list of FileVault 2-enabled accounts

fdesetup add -usertoadd username_goes_here

[Screenshot: using fdesetup add -usertoadd to enable additional accounts]


When the account is re-enabled using the fdesetup add -usertoadd command, a new key is set up for the user and the passwords are back in sync. However, there are two drawbacks to this approach if a Mac admin wants to automate this:

  • You need to provide, in a non-encrypted format, the password of the account being enabled.
  • You need to provide, in a non-encrypted format, either a recovery key or the password of another FileVault 2-enabled account on the Mac.

In short, the passwords and/or recovery key used to remove and re-enable the account in question need to be provided “in the clear”, where anyone successfully intercepting the passwords will be able to read them.
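The remove-and-re-add procedure above, scripted as an added example (this is not code from the original post): the credentials plist that fdesetup add -inputplist expects is generated on the fly and piped over stdin, so the clear-text secrets never sit in a file, and the account is checked against fdesetup list afterwards. The account names and secrets are constructed placeholders; the fdesetup calls themselves only run as root on macOS, while the plist-building and escaping functions run anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post: re-enable a FileVault 2
# account with fdesetup, passing the credentials plist over stdin instead
# of writing it to disk. The fdesetup calls require root on macOS; on any
# other system only the plist-building and escaping functions are usable.
# Account names and secrets used here are constructed placeholders.

# Escape the characters that would break a plist <string> element.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the plist that "fdesetup add -inputplist" reads from stdin.
#   $1 = authorizing user (an FV2-enabled admin)
#   $2 = that user's password, or the personal recovery key
#   $3 = account to (re-)enable
#   $4 = that account's current password
# Both secrets necessarily appear in clear text: that is the drawback
# described in the post, and the reason the plist should never be left on disk.
build_fdesetup_add_plist() {
    auth_user=$(xml_escape "$1"); auth_secret=$(xml_escape "$2")
    user=$(xml_escape "$3"); user_pass=$(xml_escape "$4")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$auth_user</string>
    <key>Password</key>
    <string>$auth_secret</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key>
            <string>$user</string>
            <key>Password</key>
            <string>$user_pass</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# True if the account is currently FileVault 2-enabled ("fdesetup list"
# prints one "username,UUID" line per enabled account).
is_fv2_enabled() {
    fdesetup list | cut -d, -f1 | grep -qx "$1"
}

# Remove and re-add the account so its new password gets a fresh unlock key.
resync_fv2_user() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; macOS only" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "fdesetup remove/add require root" >&2; return 2; }
    # Step 1 from the post: drop the stale key slot (skip if not enabled).
    if is_fv2_enabled "$3"; then
        fdesetup remove -user "$3" || return 1
    fi
    # Step 2 from the post: add it back; the plist travels over a pipe only.
    build_fdesetup_add_plist "$1" "$2" "$3" "$4" | fdesetup add -inputplist || return 1
    # Confirm the account really is back in the enabled list.
    is_fv2_enabled "$3"
}

# Usage (macOS, as root):
#   resync_fv2_user fvadmin 'ADMIN-PASSWORD-OR-RECOVERY-KEY' localadmin 'NEW-PASSWORD'
```

Piping the plist avoids leaving a file behind, but the secrets are still visible to anything that can read the process's memory or a debugger attached to it, so this does not remove the "in the clear" drawback; it only narrows the window, which is why the recovery-key login method described below is preferable where an escrowed personal recovery key is available.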

Fortunately, for those Mac admins who have a way to capture and escrow FileVault 2 personal recovery keys, there is an alternative to enabling the local admin account. For more details, see below the jump.

This approach relies on the encrypted Mac using an alphanumeric personal recovery key and the Mac admin having access to that personal recovery key.


If both of those conditions are true, see below for a way to log into a local admin account without needing to have that account enabled for FileVault 2.

1. If needed, boot up the Mac.

2. Once the Mac has booted to the FileVault 2 login screen, select an account if needed.

3. When prompted for the account password, click the question mark icon.


4. The next prompt will offer an option to reset the password using the recovery key. To access that, click the arrow icon.


5. Enter the alphanumeric personal recovery key and hit the Return key on the keyboard.


6. The FileVault 2-encrypted boot drive will unlock and boot to the OS login window.

7. At the OS login window, a Reset Password window will appear. Click the Cancel button to halt the password reset process.


8. Log into the Mac using the desired local admin account.


Note: Once a personal recovery key is used to log into a Mac, I recommend replacing it by rotating to a new personal recovery key. For those interested in automating this, my colleague John Kitzmiller has documented how to set up an automated recovery key rotation process using Casper. His post is available via the link below:

https://www.johnkitzmiller.com/blog/automatically-re-issue-individual-filevault-2-recovery-keys-after-single-use-with-the-casper-suite/
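As an added example of the rotation the note above recommends (this is neither the post's code nor John Kitzmiller's Casper workflow): a script that asks fdesetup for a replacement personal recovery key, parses the new key out of the command output so it can be escrowed, and can validate an escrowed key before anyone relies on it. The fdesetup changerecovery and validaterecovery subcommands are not shown in the post; their use here, the "New personal recovery key = '...'" output line, and the plist key names are what the author of this example understands fdesetup to accept. The sample output in the comments is constructed, and the fdesetup calls need root on macOS.

```shell
#!/bin/sh
# Added example, not from the original post or John Kitzmiller's workflow:
# rotate a used personal recovery key with "fdesetup changerecovery -personal"
# and parse the replacement out of its output so it can be escrowed.
# The fdesetup calls need root on macOS; the parsing function runs anywhere.
# Output format and plist key names are the author's understanding of
# fdesetup; the sample output used below is constructed.

# Plist holding just the authorizing account; "Password" may hold either
# that account's password or the current personal recovery key.
build_auth_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$1</string>
    <key>Password</key>
    <string>$2</string>
</dict>
</plist>
EOF
}

# Pull the XXXX-XXXX-XXXX-XXXX-XXXX-XXXX key out of a line such as
#   New personal recovery key = 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX'
# Prints nothing (and fails) if no key-shaped token is present.
extract_recovery_key() {
    key=$(printf '%s\n' "$1" | sed -n "s/.*'\([A-Z0-9]\{4\}\(-[A-Z0-9]\{4\}\)\{5\}\)'.*/\1/p")
    [ -n "$key" ] && printf '%s\n' "$key"
}

# Rotate the key and print the new one. The caller must escrow the printed
# value (MDM, Casper/Jamf, ...) immediately; once rotated, the old key is dead.
rotate_personal_recovery_key() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; macOS only" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "changerecovery requires root" >&2; return 2; }
    raw=$(build_auth_plist "$1" "$2" | fdesetup changerecovery -personal -inputplist) || return 1
    extract_recovery_key "$raw"
}

# Check that an escrowed key still unlocks this Mac before relying on it.
# Assumption: validaterecovery reads the key from the plist's "Password" key.
validate_personal_recovery_key() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; macOS only" >&2; return 2; }
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>Password</key><string>%s</string></dict></plist>\n' "$1" \
        | fdesetup validaterecovery -inputplist
}

# Usage (macOS, as root):
#   new_key=$(rotate_personal_recovery_key fvadmin 'OLD-RECOVERY-KEY-OR-ADMIN-PASSWORD')
#   validate_personal_recovery_key "$new_key"
```

Treat the moment between rotation and escrow as the risky part: if the new key is printed but never recorded, the Mac is left with no usable personal recovery key, so the escrow step should be confirmed (for example by validating the stored key, as above) before the old key is considered retired.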

  Josh
    February 24, 2017 at 2:40 pm

    Good read. I wish there was a way to stop the reset password prompt from appearing after using the recovery key to unlock FileVault; so far I haven’t found a way.

    As far as removing and adding the user again like you mentioned at the beginning of the article, that is the process I use to reset the password the user will enter at the FileVault screen but I have it set up in Casper like this:

    1. Create a new local account (non-admin) via a package I created
    2. Delete the current local account used to unlock FileVault
    3. Enable the management account for FileVault
    4. Use a script I wrote to prompt the user to enter a new password which then gets set to the new local account created in step 1, then adds the user to the list of FileVault users via a plist written to the /tmp directory

    After that policy is completed, I have it call another policy which reissues the recovery key since it was used to gain access, update the inventory and finally disable the management account for FileVault.

    I have it set up to go between userA and userB, which both have the same Full Name and icon to make it look like a simple password reset to the user.

    The policy is available in Self Service to make it easy for the user / tech to reset. The only thing I am working on figuring out is having that policy run automatically if the recovery key was used to unlock the drive. Thank you for the link on that!!
