Home > Apple File System, FileVault 2 > Unlocking or decrypting using an institutional recovery key does not work with encrypted APFS boot drives on macOS High Sierra 10.13.0

Unlocking or decrypting using an institutional recovery key does not work with encrypted APFS boot drives on macOS High Sierra 10.13.0

As part of Apple’s FileVault 2 encryption, Apple has provided for the use of recovery keys. These keys are a backup method to unlock FileVault 2’s encryption in the event that the usual method of logging using a user’s account password is not available.

There are two main types of recovery keys available:

1. Personal recovery keys (PRK) – These are recovery keys that are automatically generated at the time of encryption. These keys are generated as an alphanumeric string and are unique to the machine being encrypted. In the event that an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key would be invalidated and a new personal recovery key would be created as part of the encryption process.

Screen Shot 2017 10 10 at 5 24 11 PM

2. Institutional recovery keys (IRK) – These are pre-made recovery keys that can be installed on a system prior to encryption and most often used by a company, school or institution to have one common recovery key that can unlock their managed encrypted systems.

Screen Shot 2017 10 10 at 12 48 16 PM

This recovery key model has continued to be used on Apple File System (APFS), starting with macOS High Sierra 10.13.0, with one important difference:

  • You can encrypt an APFS boot drive using an IRK. 
  • You cannot unlock or decrypt an encrypted APFS boot drive using an IRK.

For more details, see below the jump.

The issue appears to be that a necessary function has not been added to the diskutil command line tool. For FileVault 2 on macOS Sierra and earlier, the command to unlock using an IRK is shown below:

diskutil cs unlockVolume -recoverykeychain /path/to/filename_goes_here.keychain

This command uses diskutil‘s CoreStorage functions, which do not apply to Apple File System. Meanwhile, there is not an equivalent command available for diskutil’s Apple File System’s functions. If there was, it should look something like this:

diskutil apfs unlockVolume -recoverykeychain /path/to/filename_goes_here.keychain

An encrypted volume must be unlocked before it can be decrypted, so without the ability to unlock using an IRK, you cannot decrypt using an IRK.

I’ve opened a ticket with Apple Enterprise support for this issue; hopefully a fix is available in a future OS update.

  1. Samuel Litt
    October 11, 2017 at 2:58 pm

    I think the hint was that there is no ability to set a Master Password in macOS X v10.13.

  2. David G
    October 11, 2017 at 6:57 pm

    On the topic, has there been any word on adding a user to FV using fdesetup enable -inputplist? From the looks of it this no longer works on APFS volumes.

  3. October 13, 2017 at 8:52 am

    I believe APFS encryption has to be done in the APFS FS driver, whereas CS did this on the _disk_ level (that’s because APFS manages multiple volumes and the metadata for them, which needs to be partially unencrypted even if single vols in it are encrypted). Meaning that the APFS driver has to do extra stuff other FS drivers didn’t have to before. I could imagine that this extra workload is not easy on the developer team.

  4. October 19, 2017 at 7:09 am

    what is wrong with MacOS High Sierra? After upgrading to this OX my machine shuts down by itself and can’t start after 4-10 hours

  5. October 19, 2017 at 7:11 am

    is there any way I can find out why Mac running OS High Sierra shuts down and can’t restart? I have done AHT and there is nothing wrong. Done Disk Utility check and seen nothing

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: