When using a personal recovery key with FileVault 2, the key is shown to the user only once, at the moment FileVault is enabled. Previously, if the user could not remember the key or had not stored it, there was no way to retrieve it. Starting with macOS 10.13, it is possible to put the key into escrow with Xinca. If FileVault is enabled on a device, no institutional recovery key has been set up, and the device owner has lost both their account password and their personal recovery key, the escrowed recovery key can be used as a last resort to unlock the encrypted disk.
- macOS 10.13 or higher
How to enable personal recovery key escrow in ZMS
When enabling FileVault in your macOS profile, select the ‘Enable Personal Recovery Key Escrow’ checkbox. In the textarea, you can enter a short description of the location where the recovery key will be kept. This text can be seen when viewing the details of the Configuration Profile, in Apple menu -> System Preferences -> Profiles. Recovery key escrow will be enabled after the profile is pushed to associated devices.
Please take the following into account:
- FileVault should be enabled at the same time as, or after, enabling recovery key escrow. If a personal recovery key has already been generated on a device, enabling recovery key escrow afterwards will have no effect.
- A device should have only one profile with recovery key escrow associated with it. Otherwise, installation of the second profile will fail.
- If the personal recovery key is changed on a device while the recovery key escrow profile is not associated with it, the new key will not be returned to us.
When recovery key escrow is on, Xinca will generate a certificate with which the recovery key is encrypted. A unique certificate will be created for every associated device, so that the recovery key is sent back to us as securely as possible.
When FileVault is enabled on a device, it is possible to change the personal recovery key from the Terminal, using the command fdesetup changerecovery -personal. If escrow has been enabled on the device before the recovery key is changed, the new key will be returned to Xinca as well.
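The caveats listed above (FileVault must be turned on after the escrow profile, only one escrow profile per device, and a key rotated without the profile in place is never escrowed) can be checked before anyone runs fdesetup changerecovery -personal. The pre-flight script below is an added example and is not part of Xinca's or ZMS's own tooling. It assumes that `fdesetup status` prints "FileVault is On." or "FileVault is Off." (the real macOS output), and that `sudo profiles show -type configuration` lists the payload types of installed profiles, so that an escrow profile can be recognised by the payload type string com.apple.security.FDERecoveryKeyEscrow (an assumption about the output layout). The check functions take that output as text, so they also run on a non-Mac with the constructed samples used in the tests.

```shell
#!/bin/sh
# Pre-flight checks before rotating a FileVault personal recovery key.
# Added example, not Xinca/ZMS code. Assumptions are noted inline.

# Returns 0 when the supplied `fdesetup status` output says FileVault is on.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Prints how many escrow payloads appear in the supplied `profiles show` output.
# Assumption: the output contains the payload type of each installed payload.
# `|| true` keeps a zero count from being reported as a failure.
escrow_profile_count() {
    printf '%s\n' "$1" | grep -c 'com\.apple\.security\.FDERecoveryKeyEscrow' || true
}

# Combines the checks. Exit codes:
#   0 safe to rotate (FileVault on, exactly one escrow profile installed)
#   1 FileVault is off: enable it after the escrow profile instead of rotating
#   2 no escrow profile: a rotated key would never be returned to the MDM
#   3 more than one escrow profile: the second profile install would fail
rotation_preflight() {
    fv_status="$1"
    profiles_out="$2"
    filevault_is_on "$fv_status" || return 1
    n=$(escrow_profile_count "$profiles_out")
    [ "$n" -eq 0 ] && return 2
    [ "$n" -gt 1 ] && return 3
    return 0
}

# Human-readable verdict for a pre-flight exit code.
explain_preflight() {
    case "$1" in
        0) echo "Pre-flight passed: run 'sudo fdesetup changerecovery -personal'; the new key will be escrowed" ;;
        1) echo "FileVault is off: install the escrow profile first, then enable FileVault" ;;
        2) echo "No escrow profile installed: a rotated key would not be escrowed" ;;
        3) echo "More than one escrow profile found: remove the duplicate before rotating" ;;
        *) echo "Unknown pre-flight result: $1" ;;
    esac
}

# Only when run on a Mac (fdesetup present) with "--check", query the live system.
# The rotation itself is left to the administrator so the script never changes a key.
if [ "${1:-}" = "--check" ] && command -v fdesetup >/dev/null 2>&1; then
    rc=0
    rotation_preflight "$(fdesetup status)" "$(sudo profiles show -type configuration 2>/dev/null)" || rc=$?
    explain_preflight "$rc"
fi
```

Run it as `sh preflight.sh --check` on the device; without the flag it only defines the functions, which is what the constructed-input tests below exercise.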
Retrieving the personal recovery key in ZMS
The escrowed recovery key can be retrieved on the device details page. When Recovery Key Escrow is enabled, a button ‘Retrieve personal key’ appears under the heading ‘FileVault’. Pressing this will decrypt the personal recovery key and display it.
The recovery key is returned to Xinca as part of the security information of a device. You may need to refresh device details before retrieving the personal recovery key. If you haven’t refreshed the security info before retrieving the personal key, it is possible that the retrieve button doesn’t show up or that an old personal key is shown. Please check the Activity Log to see if the security information of the device is up to date (look for the action ‘Refresh security info’).
Please note that recovery key escrow should be used as a last resort. We strongly recommend that you always set an institutional recovery key together with enabling the personal recovery key option, to minimise the chance that all recovery keys are lost. In rare cases, it is possible that we do not have an up-to-date personal recovery key in escrow. We do not accept liability for cases where the user cannot unlock their encrypted drive because the personal recovery key in escrow turns out to be out of date.