FileVault - Reload Recovery Key into JSS if machine record is deleted from JSS?

tuinte
Contributor III

JAMFnation 4ever!

JSS 9.23. All users running 10.8.5.

Testing some scenarios out before implementing FileVault 2 on users' machines, I've noticed deleting an encrypted machine's record in the JSS and re-Reconing doesn't fill in the Recovery Key in the JSS. It recognizes the drive as encrypted in the Inventory tab, but lists Not Configured in the Management tab. Is there any way to repopulate that in this scenario short of decrypting and re-enabling encryption via the JSS?

Thanks for any and all help!

Michael

2 ACCEPTED SOLUTIONS

MikeF
Contributor II

I have not been able to find any way of doing this other than a decrypt/re-encrypt. Apple seems to only let you get the key at that time. This has been a pain as we have to really be sure now when deleting a Mac. That recovery key is gone.

rtrouton
Release Candidate Programs Tester

On 10.8.5, once the key's been removed from the JSS, you'll need to unencrypt / re-encrypt using a policy in order to re-upload that key.

10.9.x offers more options in this regard, as a changerecoverykey function is now included with fdesetup.

8 REPLIES

tuinte
Contributor III

Thanks to you both.

@rtrouton, are you the greatest resource on FileVault in the world?

rtrouton
Release Candidate Programs Tester

@tuinte,

No, the people who wear that crown all work for Apple. I probably have the most documentation available to the public though.

alexjdale
Valued Contributor III

So, it sounds like it would be a good idea to create a smart group for all systems where Casper is not able to validate the individual recovery key, then have a policy run the "fdesetup changerecovery -personal" command to generate a new key?

It sounds like this would resolve the issue for 10.9.x systems (with deleted or lost system records), assuming Casper is able to pick up that new key automatically. I'll have to test this out.

Edit: Not sure this will work since you need to enter a password or current recovery key for the volume. Also, Casper doesn't pick up the new key. Bummer.
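
An added example (not from this thread or from JAMF) of how the 10.9 `fdesetup changerecovery -personal` rotation discussed above can be driven without an interactive prompt: the credentials of a FileVault-enabled user are passed on stdin as a plist, and the new key is parsed out of the `-outputplist` result. It assumes root on the Mac, that the user name and password are supplied by the caller, and that the caller escrows the returned key itself, since Casper does not pick it up.

```shell
#!/bin/sh
# Rotate a FileVault 2 personal recovery key on OS X 10.9+ (assumed: run as root).
# fdesetup requires a FileVault-enabled user's credentials, which is why a
# Casper policy cannot do this unattended without supplying one.

# Escape a value for embedding in the XML plist (passwords may contain & < >).
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the input plist fdesetup -inputplist reads from stdin.
build_input_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0"><dict>\n'
  printf '  <key>Username</key><string>%s</string>\n' "$(xml_escape "$1")"
  printf '  <key>Password</key><string>%s</string>\n' "$(xml_escape "$2")"
  printf '</dict></plist>\n'
}

# Pull the RecoveryKey string out of the -outputplist result (may span lines).
extract_recovery_key() {
  tr -d '\n' | sed -n 's/.*<key>RecoveryKey<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Rotate the key; prints the new key on stdout so the caller can escrow it.
rotate_personal_key() {
  fdesetup status | grep -q '^FileVault is On' || {
    echo "FileVault is not enabled; nothing to rotate" >&2; return 1; }
  new_key=$(build_input_plist "$1" "$2" \
    | fdesetup changerecovery -personal -inputplist -outputplist \
    | extract_recovery_key)
  [ -n "$new_key" ] || { echo "fdesetup returned no key" >&2; return 1; }
  # Per the thread, Casper does not pick this up on its own: escrow it yourself.
  printf '%s\n' "$new_key"
}
```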

mm2270
Legendary Contributor III

If any of you feel that being able to export Recovery Keys out of Casper in a secure way to another format for safe keeping would be a good idea, please vote up my Feature Request here:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=1861

Been trying to get more focus on this, because for us, it's a problem that the JSS is the ONLY place those keys exist and we are not able to access or read the keys in any other way than via the web app GUI. I'd even settle for just a secure method of using the API to extract the keys so they can be pushed to another system. As it stands, if you delete the Mac record and something happens where you need the key to get into the Mac, if you didn't already have it set up to use an Institutional Recovery key as well, you will have no way to get back into the Mac other than a nuke and pave, losing all data. For us, we have it set to use Institutional + Individual, but we would still like a way to report on the keys or securely port them to another system.

tuinte
Contributor III

Thanks for the confirmation, all.

@mm2270: Upvoted.

lisacherie
Contributor II

In Casper 8.x you can recover the key from your backups, and re-enter manually, once the computer is re-enrolled. I wrote about this briefly last year. Haven't tried with Casper 9, hoping the same approach would work if you got stuck.

http://lisacherie.com/?p=65