Unlocking or decrypting using an institutional recovery key does not work with encrypted APFS boot drives on macOS High Sierra 10.13.0
As part of Apple’s FileVault 2 encryption, Apple has provided for the use of recovery keys. These keys are a backup method to unlock FileVault 2’s encryption in the event that the usual method of logging in using a user’s account password is not available.
There are two main types of recovery keys available:
1. Personal recovery keys (PRK) – These are recovery keys that are automatically generated at the time of encryption. These keys are generated as an alphanumeric string and are unique to the machine being encrypted. In the event that an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key would be invalidated and a new personal recovery key would be created as part of the encryption process.
2. Institutional recovery keys (IRK) – These are pre-made recovery keys that can be installed on a system prior to encryption and are most often used by a company, school or institution to have one common recovery key that can unlock all of their managed encrypted systems.
This recovery key model has continued to be used on Apple File System (APFS), starting with macOS High Sierra 10.13.0, with one important difference:
- You can encrypt an APFS boot drive using an IRK.
- You cannot unlock or decrypt an encrypted APFS boot drive using an IRK.
Update 11-3-2017: This has been fixed in macOS 10.13.1. For information on how to unlock and decrypt an encrypted APFS boot drive using an IRK, please see the link below:
Unlock or decrypt an encrypted APFS boot drive from the command line
For more details, see below the jump.
The issue appears to be that a necessary function has not been added to the diskutil command line tool. For FileVault 2 on macOS Sierra and earlier, the command to unlock using an IRK is shown below:
diskutil cs unlockVolume -recoverykeychain /path/to/filename_goes_here.keychain
This command uses diskutil’s CoreStorage functions, which do not apply to Apple File System. Meanwhile, there is no equivalent command available among diskutil’s Apple File System functions. If there were, it should look something like this:
diskutil apfs unlockVolume -recoverykeychain /path/to/filename_goes_here.keychain
An encrypted volume must be unlocked before it can be decrypted, so without the ability to unlock using an IRK, you cannot decrypt using an IRK.
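Because the IRK unlock step is the gate for everything that follows, a pre-flight check that refuses to attempt it on an OS version where it cannot work saves a support engineer from chasing a misleading diskutil error. The script below is an added example and not code from the original post; it builds the diskutil unlock command from the volume’s container type (CoreStorage vs. APFS) and the macOS version, and treats APFS plus IRK as unsupported on 10.13.0, per the post, and supported from 10.13.1, per the update. The volume identifier argument is assumed (the post’s command forms omit it), as is the name of the helper functions; nothing is executed unless DRY_RUN is unset and the script is run on a Mac with arguments.

```shell
#!/bin/sh
# Added example (not from the original post): choose the correct diskutil
# unlock command for an institutional recovery key (IRK) and refuse the APFS
# case on macOS 10.13.0, where the post reports IRK unlock does not work.
# Helper names, the volume argument and the dry-run mechanism are assumptions.

# version_ge A B -> exit 0 when dotted version A >= B (3 numeric components,
# missing components count as 0, so "10.13" < "10.13.1").
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] > b[i]) exit 0
                if (a[i] < b[i]) exit 1
            }
            exit 0
        }'
}

# irk_unlock_cmd FSTYPE VOLUME KEYCHAIN OSVERSION
# Prints the diskutil command to stdout. Returns 1 when the combination is
# known not to work (APFS before 10.13.1), 2 for an unknown container type.
irk_unlock_cmd() {
    fstype=$1; vol=$2; kc=$3; osver=$4
    case "$fstype" in
        cs|corestorage)
            # FileVault 2 on HFS+ (macOS Sierra and earlier): CoreStorage verb.
            printf 'diskutil cs unlockVolume %s -recoverykeychain %s\n' "$vol" "$kc"
            ;;
        apfs)
            if version_ge "$osver" 10.13.1; then
                # The APFS form the post expected; available from 10.13.1.
                printf 'diskutil apfs unlockVolume %s -recoverykeychain %s\n' "$vol" "$kc"
            else
                printf 'IRK unlock of an encrypted APFS boot volume is not available on macOS %s (needs 10.13.1 or later)\n' "$osver" >&2
                return 1
            fi
            ;;
        *)
            printf 'unknown container type: %s (expected cs or apfs)\n' "$fstype" >&2
            return 2
            ;;
    esac
}

# run_irk_unlock FSTYPE VOLUME KEYCHAIN OSVERSION
# Builds the command, then prints it (DRY_RUN set) or executes it.
run_irk_unlock() {
    cmd=$(irk_unlock_cmd "$@") || return $?
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmd"
    else
        # Intentional word splitting: the built command is a plain argv list.
        $cmd
    fi
}

# On a Mac: sh unlock_irk.sh apfs disk1s1 /path/to/irk.keychain [OSVERSION]
# OSVERSION defaults to the running system's version from sw_vers (macOS only).
if [ $# -ge 3 ]; then
    osver=${4:-$(sw_vers -productVersion)}
    run_irk_unlock "$1" "$2" "$3" "$osver"
fi
```

Run it with DRY_RUN=1 first to see the exact command it would issue; the non-zero return for the 10.13.0 APFS case is what a recovery runbook can key on to fall back to a personal recovery key instead of retrying a command that cannot succeed.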
I’ve opened a ticket with Apple Enterprise support for this issue; hopefully a fix is available in a future OS update.
I think the hint was that there is no ability to set a Master Password in macOS X v10.13.
On the topic, has there been any word on adding a user to FV using fdesetup enable -inputplist? From the looks of it this no longer works on APFS volumes.
Looks like it’s an undocumented feature:
https://babodee.wordpress.com/2017/10/05/sysadminctl-changes-in-10-13/
Short and sweet, all accounts need to be granted a secure token before they can unlock FileVault
I believe APFS encryption has to be done in the APFS FS driver, whereas CS did this on the _disk_ level (that’s because APFS manages multiple volumes and the metadata for them, which needs to be partially unencrypted even if single vols in it are encrypted). Meaning that the APFS driver has to do extra stuff other FS drivers didn’t have to before. I could imagine that this extra workload is not easy on the developer team.
https://discussions.apple.com/thread/8109752?start=0&tstart=0
What is wrong with macOS High Sierra? After upgrading to this OS my machine shuts down by itself and can’t start after 4-10 hours
Is there any way I can find out why a Mac running OS High Sierra shuts down and can’t restart? I have done AHT and there is nothing wrong. Done Disk Utility check and seen nothing
Is this still true in 10.14?
I am trying to test accessing an encrypted drive with only Institutional recovery keys (IRK).
That does not seem to be possible any more with Catalina? I tried with a T2 equipped MacBook Pro but also with a Catalina VM.
When I hold cmd+R and boot into Recovery Mode I am first presented with a screen showing the machine’s admin users and need to enter one of their passwords. Or I can click on “forgot all passwords” but then it asks me for a personal recovery key or an iCloud Account.
Am I doing something wrong or are IRKs not really supported anymore?