Trigger a new macOS FileVault Recovery Key for Escrow

Starting with macOS 10.13 you can escrow the FileVault recovery key with an MDM. This is useful if you run a fleet of macOS devices and want the recovery key stored automatically. The problem is that once the key is generated it is gone unless you store it somewhere, so if you push an escrow policy to a machine that already has FileVault enabled, the existing key cannot be escrowed. The trick is to generate a new key, which can then be escrowed. The command is:

sudo fdesetup changerecovery -personal

After entering the command you will be asked for the password of the logged-in user (you won't see the password as you type it); type it and hit return.

It will then ask for a user that has access to the FileVault key, which is typically the same user, and then for that user's password again. The interaction looks something like this:

Test-MacBook-Pro:~ testadmin$ sudo fdesetup changerecovery -personal
Password: [enter the password]
Enter the user name: testadmin
Enter the password for user 'testadmin':
[enter the password]
New personal recover key = '32BT-LEXH-59KL-VUVV-73HU-V92Q'
Test-MacBook-Pro:~ testadmin$
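As an added example (not from the original post), here is a small script that wraps the same command non-interactively so an MDM agent can run it and capture the new key for escrow. It assumes macOS 10.13 or later, that the escrow profile is already installed, that it runs as root, and that the password arrives in a hypothetical FV_PASSWORD environment variable rather than on the command line (where it would be visible in the process list).

```shell
#!/bin/sh
# Rotate the FileVault personal recovery key without an interactive prompt.
# Assumptions (constructed for this example): root, macOS 10.13+, escrow
# profile already present, password supplied in FV_PASSWORD.

# Escape the characters that are special in XML so any password survives
# inside the plist handed to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the property list that `fdesetup ... -inputplist` reads from stdin.
build_input_plist() {
    user=$(xml_escape "$1")
    pass=$(xml_escape "$2")
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict>\n'
    printf '  <key>Username</key><string>%s</string>\n' "$user"
    printf '  <key>Password</key><string>%s</string>\n' "$pass"
    printf '</dict></plist>\n'
}

# Pull the key out of fdesetup's human-readable result line. The pattern
# accepts both "recover key" (as shown in the post) and "recovery key".
extract_recovery_key() {
    printf '%s\n' "$1" | sed -n "s/.*New personal recover[a-z]* key = '\([A-Z0-9-]*\)'.*/\1/p"
}

# A personal recovery key is six dash-separated groups of four characters.
is_valid_recovery_key() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Run the rotation. The key goes only to stdout for the caller (the MDM
# agent) to escrow; it is deliberately not written to any log file.
rotate_recovery_key() {
    user="$1"
    [ -n "${FV_PASSWORD:-}" ] || { echo "FV_PASSWORD not set" >&2; return 2; }
    out=$(build_input_plist "$user" "$FV_PASSWORD" \
          | fdesetup changerecovery -personal -inputplist 2>&1) \
        || { echo "fdesetup failed: $out" >&2; return 1; }
    key=$(extract_recovery_key "$out")
    is_valid_recovery_key "$key" || { echo "could not parse new key" >&2; return 1; }
    printf '%s\n' "$key"
}

# Usage on the Mac: FV_PASSWORD='...' sh rotate_fv_key.sh rotate testadmin
case "${1:-}" in rotate) rotate_recovery_key "$2" ;; esac
```

Check the key that comes back against the MDM's escrow record afterwards; if the escrow profile was not yet installed when the key was rotated, the new key will not have been picked up and the command must be run again.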
