Set a FileVault recovery key for Mac computers in your institution

This article is based off Apple’s instructions for setting up an institutional recovery key.

Apple products continue to be pushed into the enterprise market, which places different expectations on computers and devices than on a consumer product. I want to show you how to implement full disk encryption (FileVault) and then deploy it to our computers using an MDM solution. The process is similar no matter which MDM you use; for a common reference point, I will be using Profile Manager.

I am starting on a random client computer.

1. Start by creating a master password and private recovery key on one of your Mac computers:

2. Open System Preferences and then click Users & Groups.

3. Click the Lock button and authenticate with an administrative name and password.

4. From the Action pop-up menu, choose Set Master Password.

5. Enter and verify your master password, then click OK.

6. Open Finder and navigate to /Library/Keychains/

You will notice four files in the Keychains folder. The two to focus on are “FileVaultMaster.cer” and “FileVaultMaster.keychain”.

7. Copy the file at /Library/Keychains/FileVaultMaster.keychain to a safe location, such as an external drive or encrypted disk image on another physical disk. This FileVault master keychain contains the private FileVault recovery key. You can use this private key to unlock the startup disk of any Mac computer that uses your deployed FileVault master keychain.

8. Unlock the Keychain we just created. Open Terminal and run the following command:

sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

The second prompt, “password to unlock /Library/Keychains/FileVaultMaster.keychain:”, asks for the master password you set in step 5.

9. Double-click “FileVaultMaster.keychain” in Finder. This will open “Keychain Access”. It’s important that “FileVaultMaster” under “Keychains” is unlocked.

10. Select FileVaultMaster from the Keychains section of the sidebar.

11. Select FileVault Master Password Key from the list of keys.

For demonstration purposes I have my server set-up as .local. In a production environment you will have a FQDN.

12. Press Delete, then press Enter to confirm.

13. Double-click “FileVault Recovery Key”. Since the root certificate is not trusted, set the option next to “When using this certificate:” to “Always Trust”.

The certificate is marked as trusted for all users

We have a trusted Recovery key.

14. Right-click “FileVault Recovery Key” and export the certificate. Choose a location that will be best for deploying via MDM.

15. Make a copy of the file at /Library/Keychains/FileVaultMaster.keychain, but don't replace the identically named private recovery key that you copied earlier. That private key is not for distribution.

If you are deploying manually or using something like Apple’s “Remote Desktop” follow the directions below:

Put the updated FileVaultMaster.keychain file in the /Library/Keychains/ folder of each Mac. The file should be owned by root:wheel with permissions -rw-r--r--, which you can set with these Terminal commands:

sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain

sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain

Turn on FileVault on each Mac

After deploying the FileVault master keychain, turn on FileVault on each client Mac.
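As an added example (not from the article or Apple's documentation), a small audit script you can run as root on a client after deployment: it confirms the keychain landed with the ownership and mode above, that the deployed copy carries no private key, and that FileVault is on with an institutional recovery key. It assumes the article's keychain path and the macOS `security` and `fdesetup` tools; the `find-identity` listing format it greps for is an assumption.

```shell
#!/bin/sh
# Post-deployment audit for the institutional FileVault key on a client Mac.
# Added example, not from the original article. Assumes the article's keychain
# path, the macOS tools `security` and `fdesetup`, and that `security
# find-identity` prints one 'N) <40-hex SHA-1> "name"' line per certificate
# that has a matching private key (assumption about the tool's output).
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/FileVaultMaster.keychain}"

# check_perms PATH OWNER GROUP: 0 only when PATH is -rw-r--r-- and OWNER:GROUP.
# A group- or world-writable keychain would let a local user swap in one whose
# private key they hold. Uses `ls -ld`, so it works on any Unix for testing.
check_perms() {
  [ -f "$1" ] || { echo "missing: $1"; return 1; }
  entry=$(ls -ld "$1")
  mode=$(printf '%s\n' "$entry" | cut -c1-10)
  owner=$(printf '%s\n' "$entry" | awk '{print $3}')
  group=$(printf '%s\n' "$entry" | awk '{print $4}')
  if [ "$mode" = "-rw-r--r--" ] && [ "$owner" = "$2" ] && [ "$group" = "$3" ]; then
    return 0
  fi
  echo "bad ownership/mode on $1: $owner:$group $mode (want $2:$3 -rw-r--r--)"
  return 1
}

# check_no_private_key PATH: the distributed copy must carry only the
# certificate. Returns 2 (cannot check here) when `security` is absent.
check_no_private_key() {
  command -v security >/dev/null 2>&1 || return 2
  n=$(security find-identity "$1" 2>/dev/null | grep -c ') [0-9A-F]\{40\} ')
  [ "$n" -eq 0 ] || { echo "private key still present in $1"; return 1; }
}

# fv_status_on TEXT: 0 when the text of `fdesetup status` reports FileVault On.
fv_status_on() {
  case "$1" in "FileVault is On."*) return 0 ;; *) return 1 ;; esac
}

# audit: run every check as root; non-zero means the client is not compliant.
audit() {
  rc=0
  check_perms "$KEYCHAIN" root wheel || rc=1
  check_no_private_key "$KEYCHAIN" || [ $? -eq 2 ] || rc=1
  fv_status_on "$(fdesetup status 2>/dev/null)" || { echo "FileVault is not on"; rc=1; }
  # fdesetup prints true/false; false means the institutional key was not applied
  [ "$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)" = "true" ] \
    || { echo "no institutional recovery key configured"; rc=1; }
  return $rc
}
if [ "${1:-}" = "--run" ]; then audit; fi
```

Invoke it as `sudo sh audit.sh --run`; only the permission check is meaningful outside macOS.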

I am going to deploy using MDM. For reference purposes, I am using Apple’s “Profile Manager”.

Note: You must be running the “Server” app and have enabled “Profile Manager”.

16. In a web browser open mydomainname.com/profilemanager. Please use your own domain.

Also, “Device Management” will need to be enabled if you want to create a “Device Group”, as I will be demonstrating.

In Profile Manager’s Web portal click “Device Groups” and create an applicable name.

17. Click “Settings” and then “Edit” to begin creating a profile.

18. Under “macOS and iOS” in the sidebar, click “Certificates”.

19. Click “Add Certificate”.

20. Select the certificate exported from “Keychain Access” earlier in the tutorial.

21. In Profile Manager’s Web portal click “Security and Privacy” along the sidebar under macOS.

22. Click “Configure” then “FileVault”.

23. Enable “Require FileVault”.

You are presented with three options, depending on whether you want the institution alone to retain the recovery key, to create a personal FileVault recovery key, or to use an institutional recovery key and also create a personal FileVault recovery key. I am selecting the third, since that allows my users to have a personal recovery key while my team has access to its own unique recovery key.

24. Under “Certificate”, select the certificate we have been using.

25. Click “OK”.

26. Add the computers you have ready to include in this scope by clicking “Members”, then “Add Devices” and/or “Add Device Groups”. If you are enrolled in Apple's "Device Enrollment Program", you may have computers already listed rather than having to add them manually. If you haven't enrolled in DEP, do it; it makes adding computers to your device groups much simpler.

There are numerous variables that will depend on your environment. This article is a basic template.