
Using FileVault 2

Encrypting with FileVault 2

There are three ways to configure FileVault 2 recovery for a macOS device. All three encrypt the disk the same way (XTS-AES full-disk encryption); they differ only in who holds a key that can unlock the volume if the user's password is unavailable. Each has its own use case, but the recommended approach is option 3.

  1. Institutional Recovery Key
  2. Personal Recovery Key
  3. Institutional and Personal Recovery Key

Once a recovery key method is chosen, add the FileVault 2 setting to the profile and select Enabled.

Institutional Recovery Key

An Institutional Recovery Key (IRK) is a certificate and private key pair. The certificate is delivered to the device when FileVault 2 is enabled, and the matching private key can later unlock any device that was enrolled with it. To download the IRK, create a password to protect it and click the download button on the right. This password protects only that exported copy and is not stored by Dashboard; if it is lost or forgotten, re-download the key and protect it with a new password.

Once the key has been downloaded (it is a .p12 file containing the private key), store it securely. Anyone holding this file and its password can unlock every device enrolled with this IRK, so keep it off the endpoints it protects and limit who can access it. If the downloaded copy is lost or corrupted, the benefit of an IRK is that the key itself is kept in Dashboard and can be re-downloaded at any point, which also means Dashboard administrator access should be restricted accordingly.
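As an added example (not Meraki's or Apple's tooling), the shell functions below check a downloaded IRK before it is archived: that the export password is correct, that the bundle actually carries the private key (a certificate-only export cannot unlock anything), and what the certificate's subject, expiry and SHA-256 fingerprint are, so the fingerprint can be recorded with the file and compared again before a recovery. It assumes openssl is installed; the file name is the one Meraki issues, and passing the password as an argument is an illustration (prompt for it on a shared workstation).

```shell
# Added example: inspect a downloaded Institutional Recovery Key (.p12) before
# archiving it. Not Meraki's or Apple's own tooling; requires openssl.
# Usage: irk_cert_info /path/to/FileVaultMaster.p12 '<export password>'

# Print the certificate's subject, expiry and SHA-256 fingerprint.
# -nokeys prints only the certificate, so the private key never reaches the
# terminal or a scrollback buffer. Exits non-zero if the password is wrong.
irk_cert_info() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Succeed only if the bundle contains a private key, i.e. it can actually
# unlock a volume. Output is discarded; only the exit status is used.
irk_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Print the fingerprint alone (colon-separated hex), for recording next to
# the archived file and re-checking before a recovery.
irk_fingerprint() {
    irk_cert_info "$1" "$2" | sed -n 's/^.*Fingerprint=//p'
}
```

A wrong password makes both functions fail rather than print anything, so a quick "irk_has_private_key FileVaultMaster.p12 '...' && echo ok" confirms the archived password is the right one.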

Personal Recovery Key

A Personal Recovery Key (PRK) is a key generated on the device, consisting of letters and numbers. If selected, the recovery key is displayed on the device to the user when FileVault 2 is enabled. It is not customizable and is not stored by Dashboard, so the user must record it and keep it somewhere other than the encrypted device itself (a password manager, for instance).

If only a Personal Recovery Key is used, that key is lost, and no enabled user can log in, the device cannot be decrypted. The only way to use it again is to erase the disk and reinstall macOS, losing all data on it.

Institutional & Personal Recovery Key

This is the recommended FileVault 2 encryption method.

In this scenario a Personal Recovery Key is shown to the user when FileVault 2 is enabled, and an Institutional Recovery Key is enrolled as well. Either key can unlock the encrypted device. This is the recommended model because it lets the user recover their own device, while the Institutional Recovery Key is the fail-safe if the Personal Key is lost. The trade-off is that there are now two recovery secrets to protect: the PRK with the user, and the IRK private key with the organization.

Decrypting using FileVault 2

There are two ways to unlock a device for decryption or data recovery:

  1. Using a Personal Recovery Key
  2. Using the downloaded Institutional Recovery Key (recovery certificate)

Using a Personal Recovery Key

If a Personal Recovery Key (PRK) was used, the user MUST have made a note of the key, as Meraki cannot store a copy.

A PRK cannot be downloaded or recovered from Dashboard. To unlock the device, enter the PRK when the FileVault pre-boot screen prompts for a recovery key, or pass it to diskutil cs unlockVolume from macOS Recovery (the same command used with an IRK below, with -passphrase or -stdinpassphrase in place of -recoveryKeychain).

If the PRK was misplaced, lost or forgotten, it was the only recovery method chosen, and no enabled user can log in, there is no way to decrypt the device. Short of erasing the disk and reinstalling macOS, the computer is unusable.

Using Dashboard to Decrypt a Device

Aside from downloading the recovery certificate, Meraki also stores the Institutional Recovery Key on the Organization > MDM page of Dashboard. Again this key is used to unlock a device encrypted by Meraki via FileVault. 

To decrypt a device:

  1. Find the IRK that was originally downloaded, or download it from Dashboard. This file will be called FileVaultMaster.p12.
  2. Open Keychain Access on a Mac (Applications > Utilities > Keychain Access).
  3. Create a new keychain named FileVaultMaster (Keychain Access > File > New Keychain) and give it a strong password; this is the keychain password you will be asked for in Recovery. Then drag and drop the FileVaultMaster.p12 file into the keychain (you will be prompted for the .p12 export password). Two "File Vault Recovery Key" items should appear: a private key and a certificate.
  4. Next, make a copy of your FileVaultMaster.keychain file (on newer macOS versions the file may be named FileVaultMaster.keychain-db). It is normally located in:
    ~/Library/Keychains (that is, /Users/<username>/Library/Keychains)
    Treat the copy as you would the .p12: it carries the private key that unlocks every device enrolled with this IRK.
  5. Restart the client while holding Command-R to boot into macOS Recovery.
  6. Connect an external drive containing the FileVaultMaster.keychain file with the private key.
  7. From the Utilities menu, select Terminal.
  8. If the keychain containing the private key is stored in an encrypted disk image, use the following command to mount it:

    hdiutil attach /path/to/diskImage

  9. Use the following command to unlock the FileVaultMaster.keychain file; be sure to insert the correct path to your keychain file:

    security unlock-keychain <path to Keychain File>

    For example, on a volume named ThumbDrive:

    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  10. Enter the keychain password you set in step 3. If it is accepted, the command prompt returns with no message.
  11. Use the following command to list the drives and corestorage volumes:

    diskutil cs list

  12. Look for the UUID of Logical Volume, usually the last in the list. Select and copy the UUID for the next command step.
  13. Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the previous step, and the correct path to the keychain file:
    diskutil cs unlockVolume <UUID> -recoveryKeychain <path to Keychain File>
    
    For example, you'd use this command if there was a UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:
    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
    
  14. Enter the keychain password again if prompted. The volume will be unlocked and mounted, and you can now back up data using Disk Utility or command line tools such as ditto. Note that unlockVolume only unlocks the volume for this session; to remove the encryption permanently, run diskutil cs decryptVolume with the same UUID and -recoveryKeychain argument. These diskutil cs commands apply to CoreStorage volumes (what FileVault 2 uses on HFS+); on APFS volumes (macOS 10.13 and later) the equivalent is diskutil apfs unlockVolume <disk> -recoveryKeychain <path to Keychain File>. When finished, securely erase the keychain copy from the external drive, since it contains the IRK private key.
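As an added example that is not part of the Meraki or Apple instructions, the script below turns steps 9 to 14 into shell functions that run from the Recovery Terminal and also cover the Personal Recovery Key case described under "Using a Personal Recovery Key": it picks the Logical Volume UUID out of diskutil cs list (ignoring the Group and Family UUIDs, which unlockVolume rejects), skips the unlock if the volume already reports Unlocked, checks that a PRK typed from the user's note has the expected shape, and then unlocks with either the IRK keychain or the PRK. diskutil and security are the real macOS tools; the keychain path, the sample diskutil cs list output and the UUIDs in it are constructed for this example, so the parsing functions can be exercised on that sample offline.

```shell
# Added example, not Meraki's or Apple's own tooling: scripts the Recovery-mode
# unlock above for a CoreStorage (FileVault 2) volume with either the IRK
# keychain (steps 9-14) or a Personal Recovery Key. diskutil and security are
# the real macOS tools; the keychain path and SAMPLE_CS_LIST are constructed
# for this example. Run from the Recovery Terminal:
#   unlock_volume irk /Volumes/ThumbDrive/FileVaultMaster.keychain
#   unlock_volume prk 'ABCD-EFGH-JKLM-NPQR-STUV-WXYZ'
set -u

# Print the UUID of each "+-> Logical Volume" entry (not the Group or Family
# UUIDs, which unlockVolume rejects) from `diskutil cs list` output on stdin.
cs_logical_volume_uuids() {
    sed -n -E 's/.*\+-> Logical Volume ([0-9A-Fa-f-]{36})[[:space:]]*$/\1/p'
}

# Print the first "Encryption Status" value (Locked or Unlocked) in the listing.
cs_encryption_status() {
    sed -n -E 's/.*Encryption Status: +([A-Za-z]+).*/\1/p' | head -n 1
}

# Normalise a PRK as a user reads it back (lower case, stray spaces) and check
# it has the six hyphenated groups of four characters that macOS issues.
# Prints the normalised key; returns 1 if the shape is wrong.
prk_normalize() {
    key=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$key" | grep -E -q '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$' || return 1
    printf '%s\n' "$key"
}

# Unlock and mount the first CoreStorage logical volume. This only unlocks it;
# to remove encryption permanently, follow with
#   diskutil cs decryptVolume "$uuid" -recoveryKeychain <file>   (or -stdinpassphrase)
unlock_volume() {
    mode=$1; secret=$2
    listing=$(diskutil cs list) || return 1
    uuid=$(printf '%s\n' "$listing" | cs_logical_volume_uuids | head -n 1)
    [ -n "$uuid" ] || { echo "no CoreStorage logical volume found" >&2; return 1; }
    if [ "$(printf '%s\n' "$listing" | cs_encryption_status)" = "Unlocked" ]; then
        echo "volume $uuid is already unlocked; no recovery key needed" >&2
        return 0
    fi
    case $mode in
        irk)
            # Prompts for the keychain password chosen in Keychain Access (step 3).
            security unlock-keychain "$secret" || return 1
            diskutil cs unlockVolume "$uuid" -recoveryKeychain "$secret"
            ;;
        prk)
            secret=$(prk_normalize "$secret") \
                || { echo "PRK must look like XXXX-XXXX-XXXX-XXXX-XXXX-XXXX" >&2; return 1; }
            # -stdinpassphrase keeps the key out of the process list and shell history
            printf '%s' "$secret" | diskutil cs unlockVolume "$uuid" -stdinpassphrase
            ;;
        *)
            echo "usage: unlock_volume irk <keychain path> | prk <recovery key>" >&2
            return 2
            ;;
    esac
}

# Constructed sample of `diskutil cs list` on a locked FileVault 2 volume, used
# to exercise the parsers offline (UUIDs invented; layout follows diskutil's).
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 1D5A5C9E-0B4A-4D32-9A6E-2C7D6B8F1E4A
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 6E2B7C41-8F3D-4A9B-B2C1-0D9E8F7A6B5C
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 9F8E7D6C-5B4A-4392-8171-60504030201F
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        |
        +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
            Disk:                  -none-
            Status:                Locked
            LV Name:               Macintosh HD'
```

Running printf '%s\n' "$SAMPLE_CS_LIST" | cs_logical_volume_uuids on the sample prints only 2F227AED-1398-42F8-804D-882199ABA66B, the UUID step 12 tells you to copy by hand; on a real machine with more than one logical volume, pass the intended UUID explicitly instead of relying on head -n 1.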

 

Feel free to reference these instructions from Apple as well.

Last modified
07:28, 24 Jul 2017


Article ID

ID: 4373
