
Using FileVault 2

Encrypting with FileVault 2

This payload allows you to enforce FileVault encryption on your Mac devices using one of three recovery-key methods. Each has its own use case; option 3 is the recommended one. Pushing the payload enables FileVault the next time the device is rebooted, during user sign-in. See Apple's documentation here for more information.

The three recovery options are:

  1. Institutional Recovery Key
  2. Personal Recovery Key
  3. Institutional and Personal Recovery Key

Once a method of encryption is determined, add the FileVault 2 setting and select Enabled.

macOS device(s) must have a Meraki Management enrollment profile to install this FileVault 2 profile configuration. 

Institutional Recovery Key

Only a Dashboard Organization Administrator with Full permissions will be able to complete this step.

An Institutional Recovery Key (IRK) is a certificate that can be used to encrypt and decrypt a device. To download the IRK, create a password to protect it and click the download button on the right. This password protects only that downloaded copy of the key, which means that if the password is lost or forgotten the key will need to be re-downloaded and protected with a new password.

Once the key has been downloaded (it is a .p12 file), store it safely. However, in the event the downloaded key is lost or corrupted, the benefit of using an IRK is that the key itself is stored in Dashboard and can be re-downloaded at any point.

Personal Recovery Key

A Personal Recovery Key (PRK) is a locally created key consisting of letters and numbers. If selected, a recovery key will be given to the user upon enabling FileVault 2. The key will be displayed on the device at the end of the FileVault 2 encryption process; it is not customizable, nor will it be stored by Dashboard. The key will need to be recorded and saved by the user.

If only personal recovery keys are used and those keys are lost, the device cannot be decrypted. It will require a factory reset and wipe in order to be used again.

Institutional & Personal Recovery Key

This is the recommended FileVault 2 encryption method.


With this option a Personal Recovery Key will be given to the user upon encryption and an Institutional Recovery Key will be generated as well. Both the Personal and Institutional Recovery Keys can be used to unlock an encrypted device with FileVault 2 enabled. This is the recommended model because it gives the user the option to decrypt their own device while keeping the Institutional Recovery Key as a fail-safe in the event that the Personal Key is lost.

Escrow Recovery Key

With macOS 10.13+, an optional public/private certificate key pair can be used to enable FileVault 2's escrow recovery key. The escrow recovery key can be used as a last resort to unlock the encrypted disk if an institutional recovery key has been set up and the end user of the device has lost both their macOS login password and their FileVault personal recovery key, which is only displayed once to the end user upon initial FileVault encryption.


To enable escrow key recovery: 

1. Set up a public/private certificate pair with your desired setup. In this example a public .crt certificate is used in conjunction with the private .pem key. If you are unsure how to set up a public/private certificate pair, follow this guide.

2. Install a profile on the macOS device with two settings: FileVault Recovery Key Escrow and a Credential certificate (the public .crt certificate).

[Screenshots: FileVault Recovery Key Escrow setting and Credential certificate setting in the profile]

The macOS device in scope of this profile will now show the following in System Preferences > Profiles:

[Screenshot: escrow and certificate profile installed, as listed in System Preferences > Profiles]

3. Now that the Recovery Key Escrow and certificate profile have been installed, the main FileVault 2 profile can be installed on the macOS device. Set up a FileVault 2 profile encrypted with the Institutional & Personal Recovery Key option. An example configuration is shown below, and additional details can be found in the "Institutional & Personal Recovery Key" section above.

[Screenshot: example FileVault 2 profile configuration using Institutional & Personal Recovery Key]

The macOS device in scope of this profile will now show the following in System Preferences > Profiles:

[Screenshot: FileVault 2 profile installed alongside the escrow profile in System Preferences > Profiles]

Note: It is very important to install the Recovery Key Escrow & certificate profile (step 2) before the main FileVault 2 profile (step 3). 

4. Now that the device has the Recovery Key Escrow, certificate, and main FileVault 2 profiles, it is ready to begin encryption. Restart the macOS device and it will begin the FileVault encryption process. At this time the personal recovery key is displayed to the end user; this personal key can now be exposed in Dashboard at any time.
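An added example for step 1 of the procedure above (not from the Meraki documentation): generating a self-signed RSA key pair with openssl, checking that the public .crt and the private .pem belong together, and confirming which of the two files is the private key before the .crt is uploaded to the credential certificate setting. It assumes openssl is installed; the file names and certificate subject are illustrative.

```shell
#!/bin/sh
# Generate the escrow certificate pair. Only escrow.crt (public key) goes into
# the Credential certificate setting; escrow.pem stays offline and is presented
# to Dashboard only when a personal recovery key has to be revealed.
make_escrow_pair() {
    dir="$1"
    mkdir -p "$dir"
    # 2048-bit RSA private key (assumed key type for FileVault escrow)
    openssl genrsa -out "$dir/escrow.pem" 2048 2>/dev/null
    # Self-signed certificate carrying the matching public key, valid 10 years;
    # the subject is illustrative
    openssl req -new -x509 -key "$dir/escrow.pem" -out "$dir/escrow.crt" \
        -days 3650 -subj "/CN=FileVault Escrow Example" 2>/dev/null
}

# Returns 0 if the certificate's public key is the one derived from the
# private key, 1 otherwise (compares SHA-256 digests of the PEM public keys).
escrow_pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Returns 0 if the file contains a private key. Run this on whatever you are
# about to upload: the credential certificate must never be the .pem.
is_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}
```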

Exposing the Personal Recovery Key in Dashboard via Escrow Recovery Key

Once the Escrow Recovery Key has been set up on a device, the Meraki Systems Manager Dashboard can display the device's personal recovery key. This is especially useful for decrypting an encrypted disk if an institutional recovery key has been set up and the end user of the device has lost their macOS login password and FileVault personal recovery key (which is only displayed once to the end user upon initial FileVault encryption).


To expose the personal recovery key, find the device in Systems Manager > Monitor > Clients. Click on the device and find the FileVault section within the Live Tools. 

[Screenshot: FileVault section in the client's Live Tools]

Click "Access Key" and then upload the private key (commonly a .pem file) used in the public/private key setup of the initial Escrow Recovery Key profile. The device's Personal Recovery Key is now displayed in Dashboard.

[Screenshot: Personal Recovery Key revealed in Dashboard after uploading the private key]

Decrypting using FileVault 2

There are two methods to decrypting devices:

  1. Using a Personal Recovery Key
  2. Using the downloaded Institutional Recovery Key (recovery certificate)

Using a Personal Recovery Key

If a Personal Recovery Key (PRK) was used, the user MUST have made a note of the key, as Meraki cannot store a copy.

A PRK cannot be downloaded or recovered. When decrypting the device, present the PRK when prompted and the device will be decrypted.

If a PRK was misplaced, lost or forgotten and it was the only recovery method chosen, there will be no way to decrypt the device. Short of factory resetting and wiping the device, the computer will be unusable.

Using Dashboard to Decrypt a Device

Aside from the downloaded recovery certificate, Meraki also stores the Institutional Recovery Key on the Organization > MDM page of Dashboard. As above, this key is used to unlock a device encrypted by Meraki via FileVault.

To decrypt a device:

  1. Find the IRK that was originally downloaded or download it from Dashboard. This file will be called FileVaultMaster.p12.
  2. Open up Keychain Access on an OS X machine (Applications > Utilities > Keychain Access).
  3. Create a new Keychain named FileVaultMaster (Keychain Access > File > New Keychain). Once a keychain is created, drag and drop the FileVaultMaster.p12 file into the keychain. Two "File Vault Recovery Key" items should appear, one that is a private key and another that is a certificate.
  4. Next, make a copy of your FileVaultMaster.keychain file. This file is normally located in:
    /Users/<username>/Library/Keychains
  5. Restart the client while holding the Command and R keys.
  6. Connect an external drive containing the FileVaultMaster.keychain file with the private key.
  7. From the Utilities menu, select Terminal.
  8. If the keychain containing the private key is stored in an encrypted disk image, use the following command to mount it:

    hdiutil attach /path/to/diskImage

  9. Use the following command to unlock the FileVaultMaster.keychain file; be sure to insert the correct path to your keychain file:

    security unlock-keychain <path to Keychain File>

    For example, on a volume named ThumbDrive:

    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  10. Enter the master password to unlock the keychain. If the password is accepted the command prompt will return.
  11. Use the following command to list the drives and corestorage volumes:

    diskutil cs list

  12. Look for the UUID of Logical Volume, usually the last in the list. Select and copy the UUID for the next command step.
  13. Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the previous step, and the correct path to the keychain file:

    diskutil cs unlockVolume <UUID> -recoveryKeychain <path to Keychain File>

    For example, you'd use this command if there was a UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:

    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  14. Enter the master password to unlock the keychain. The volume will be mounted. You can now back up data using Disk Utility, or by using command line tools such as ditto.


Feel free to reference these instructions from Apple as well.
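An added example for steps 11 and 12 of the decryption procedure above (not from the Meraki page or from Apple): a small awk-based helper that picks the Logical Volume UUID out of saved `diskutil cs list` output, so the value pasted into `diskutil cs unlockVolume` is the Logical Volume and not the Group or Family that share the same prefix. The sample output is constructed; its layout is assumed to follow the CoreStorage listing format and the UUIDs in it are illustrative.

```shell
#!/bin/sh
# Constructed sample of `diskutil cs list` output (layout assumed from the
# CoreStorage format); only "+-> Logical Volume <UUID>" lines are of interest.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 8A6B1C2D-0000-4000-8000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 9B7C2D3E-0000-4000-8000-000000000002
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 0C8D3E4F-0000-4000-8000-000000000003
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        |
        +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD'

# Reads diskutil output on stdin and prints "<UUID> <Status>" for each Logical
# Volume. Group and Family entries are skipped because the pattern requires a
# bare UUID immediately after "Logical Volume".
list_logical_volumes() {
    awk '
        /[+]-> Logical Volume [0-9A-F-]+$/ { uuid = $NF; next }
        uuid != "" && /^[[:space:]]*Status:/ { print uuid, $2; uuid = "" }
    '
}

# Prints the UUID of the first locked Logical Volume (the argument needed by
# `diskutil cs unlockVolume`); exits 1 when no volume is locked.
locked_volume_uuid() {
    list_logical_volumes | awk '$2 == "Locked" { print $1; found = 1; exit } END { exit !found }'
}
```

On a real machine in Recovery, feed the helper with `diskutil cs list | locked_volume_uuid` instead of the constructed sample.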
