
Creating and Exporting an Institutional Recovery Key

Overview

To use an institutional recovery key in a disk encryption configuration, you must first create and export a recovery key using Keychain Access.

You can export the recovery key with or without the private key. Exporting with the private key allows you to store it in the JSS. If you export without the private key, you must store it in a secure location so you can access it when needed.

Requirements

To create and export an institutional recovery key, you need a computer running macOS 10.8 or later.

Creating and Exporting an Institutional Recovery Key with the Private Key

  1. On an administrator computer, open Terminal and execute the following command:
    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. Enter a password for the new keychain when prompted. A keychain (FileVaultMaster.keychain) is created in the following location: /Library/Keychains/
  3. Unlock the keychain by opening Terminal and executing:
    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  4. Make a backup of the keychain and save it in a secure location.
  5. Open Keychain Access.
  6. From the menu bar, choose File > Add Keychain and add the FileVaultMaster.keychain file located in /Library/Keychains/.
  7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading in the sidebar.
  8. Verify that a private key is associated with the certificate.
  9. Select the certificate and the private key.
  10. From the menu bar, choose File > Export Items and save the items as a .p12 file. The .p12 file is a bundle that contains both the FileVault Recovery Key and the private key.
  11. Create and verify a password to secure the file, and then click OK. You will be prompted to enter this password when uploading the recovery key to the JSS.
  12. Quit Keychain Access.

The FileVault Recovery Key and the private key are saved as a .p12 file in the location you specified.

Creating and Exporting an Institutional Recovery Key without the Private Key

  1. On an administrator computer, open Terminal and execute the following command:
    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. Enter a password for the new keychain when prompted. A keychain (FileVaultMaster.keychain) is created in the following location: /Library/Keychains/
  3. Unlock the keychain by opening Terminal and executing:
    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  4. Open Keychain Access.
  5. From the menu bar, choose File > Add Keychain and add the FileVaultMaster.keychain file located in /Library/Keychains/.
  6. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading in the sidebar.
  7. Select the certificate. Do not select the private key associated with the certificate.
  8. From the menu bar, choose File > Export Items and save the recovery key as a .pem file or .cer file. You will need to upload this file to the JSS when creating the disk encryption configuration.
  9. Quit Keychain Access.
  10. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time.

The FileVault Recovery Key is saved as a .cer file or a .pem file in the location you specified.
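As an added check for both procedures above (example code, not from the Jamf article or from Jamf's tooling): a small Python classifier that reports whether an exported file holds the certificate alone (what the .cer or .pem export should contain), the PKCS#12 bundle with the private key (the .p12 export), or a bare private key. It reads PEM labels or the leading DER structure, uses only the standard library, and the sample bytes it is exercised with are constructed.

```python
# Added example (not from the Jamf KB): classify an exported institutional recovery
# key file before uploading it to the JSS or filing it as the keychain backup.
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
EXPECTED = {".cer": "certificate", ".pem": "certificate", ".p12": "pkcs12"}

def _der_children(buf):
    """Yield (tag, value) for each top-level TLV in a DER buffer."""
    i = 0
    while i + 1 < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def classify_der(data):
    """Distinguish an X.509 certificate, a PKCS#12 bundle and a bare private key."""
    outer = list(_der_children(data))
    if len(outer) != 1 or outer[0][0] != 0x30:  # all three start with an outer SEQUENCE
        return "unknown"
    first = next(iter(_der_children(outer[0][1])), None)
    if first is None:
        return "unknown"
    tag, value = first
    if tag == 0x30:                       # Certificate: first element is tbsCertificate SEQUENCE
        return "certificate"
    if tag == 0x02 and value == b"\x03":  # PFX: first element is version INTEGER 3
        return "pkcs12"
    if tag == 0x02 and value == b"\x00":  # PKCS#1 / PKCS#8 private key: version INTEGER 0
        return "private-key"
    return "unknown"

def classify_export(data):
    """Return 'certificate', 'private-key', 'pkcs12' or 'unknown' for PEM or DER bytes."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(data)]
    if not labels:
        return classify_der(data)
    if any(b"PRIVATE KEY" in label for label in labels):
        return "private-key"              # a .pem carrying the private key is not the .cer/.pem export
    return "certificate" if all(label == b"CERTIFICATE" for label in labels) else "unknown"

def export_matches(filename, data):
    """True when the file's contents are what its extension promises (see EXPECTED)."""
    suffix = filename[filename.rfind("."):].lower()
    return EXPECTED.get(suffix) == classify_export(data)
```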

Additional Information

For more information on managing disk encryption configurations with the Casper Suite, see the Casper Suite Administrator's Guide.

SOLVED Posted: 12/14/13 at 12:06 PM by shaidar

Those instructions don't appear to work for 10.9. I created the FileVaultMaster keychain, but when I go to Keychain Access, I don't seem to be able to see it in there. Tried the same thing under 10.8.5 and that works just fine.

SOLVED Posted: 1/23/14 at 9:06 PM by thanzig

This happened to me today, the FileVaultMaster did not appear in Keychain Access. I navigated to /Library/Keychains/FileVaultMaster.keychain and double clicked it and it launched Keychain Access and showed up.

SOLVED Posted: 3/5/14 at 12:06 AM by arlomiller

Another way to do it seems to be to just set a master password on your computer. This created the keychain, which you can then view in Keychain Access by double clicking it.

I then deployed the FileVault Recovery Key.cer with PM as an institutional recovery key for filevault.

The computers are still asking for each user to enter their password to be enabled for FileVault. Annoying. Next step is to figure out how to make it so that all users are enabled for FileVault w/o this step.

SOLVED Posted: 12/8/16 at 2:10 PM by jrippy

@PCalomeni I know this is an older KB, but I am just trying this out and it was just updated a few days ago.
I cannot get .p12 to export with the private key on 10.11.6 from either the gui or Keychain Access.
After trying that for a while, I decided to try on 10.12. There, the security command doesn't even have "create-filevaultmaster-keychain" as an option/argument.
Any workarounds for newer OSes?

SOLVED Posted: 12/10/16 at 3:31 AM by bentoms

@jrippy I'd advise against institutional keys... if someone gets it then they have the ability to login to FileVault on all your Macs.

Instead we deploy one profile for FileVault Key Redirection, this escrows the recovery key into the JSS.

Then a second profile to enable FileVault with a personal recovery key.

No scripting needed.
