Fixing FileVault Keys on High Sierra

bmarks
Contributor II

What are people using on High Sierra to repair invalid or unknown individual FileVault keys? We were using the fde-rekey package (https://github.com/square/fde-rekey) but the developer has no plans to support APFS. We used fde-rekey because we didn't want to prompt our users with a password popup using the jss-filevault-reissue script (https://github.com/homebysix/jss-filevault-reissue) but if that is the only option on High Sierra, we may have no choice. I haven't discovered any other options.

3 REPLIES

bmarks
Contributor II

I should add the Jamf script as an option that works too: https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh

The Jamf one seems to be the only one that isn't broken by or displays a warning about High Sierra.

After some additional research, it looks like a silent solution like fde-rekey may never be an option again on High Sierra. The Jamf script, for example, had to make a specific change to accommodate some Apple changes, as is mentioned in the history notes of the script.

gachowski
Valued Contributor II

@bmarks

Thanks for finding that!!

C

elliotjordan
Contributor III

Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that might be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!