Encrypting with FileVault 2
This payload allows you to enforce FileVault encryption on your Mac devices using one of three recovery-key methods. Each has its own use case; option 3 is the recommended one. Pushing the payload will enable FileVault the next time the device is rebooted, and completing it requires local device administrative credentials. See Apple's documentation here for more info.
The three recovery options are:
- Institutional Recovery Key
- Personal Recovery Key
- Institutional and Personal Recovery Key
Once a method of encryption is determined, add the FileVault 2 setting and select Enabled.
NOTE: "Defer encryption until after reboot" must be selected for the profile to install on a Mac device.
NOTE: macOS device(s) must have a Meraki Management enrollment profile to install this FileVault 2 profile configuration.
Institutional Recovery Key
Only a Dashboard Organization Administrator with Full permissions will be able to complete this step.
An Institutional Recovery Key (IRK) is a certificate that can be used to encrypt and decrypt a device. To download the IRK, create a password to protect it and hit the download button on the right. This password protects only that one download, which means that if the password is lost or forgotten the key will need to be re-downloaded and protected with another password.
Once the key has been downloaded (it is a .p12 file), store it safely. If the downloaded key is lost or corrupted, the benefit of using an IRK is that the key itself is stored in Dashboard and can be re-downloaded at any point.
Personal Recovery Key
A Personal Recovery Key (PRK) is a locally created key consisting of letters and numbers. If selected, a recovery key will be given to the user upon enabling FileVault 2. The key will be displayed on the device at the end of the FileVault 2 encryption process; it is not customizable, nor will it be stored by Dashboard. The key will need to be recorded and saved by the user.
If only personal recovery keys are used and those keys are lost, the device cannot be decrypted. It will need to be factory reset and wiped in order to be used again.
Institutional & Personal Recovery Key
This is the recommended FileVault 2 encryption method.
With this option a Personal Recovery Key is given to the user upon encryption and an Institutional Recovery Key is generated as well. Either the Personal or the Institutional Recovery Key can be used to unlock an encrypted device with FileVault 2 enabled. This is the recommended model as it gives the user the option to decrypt their own device, while keeping the Institutional Recovery Key as a fail-safe in the event that the Personal Key is lost.
Escrow Recovery Key
With macOS 10.13+, an optional public/private certificate key pair can be used to enable FileVault 2's escrow recovery key. The escrow recovery key can be used as a last resort to unlock the encrypted disk if an institutional recovery key has been set up and the end user of the device has lost both their macOS login password and their FileVault personal recovery key, which is only displayed once to the end user upon initial FileVault encryption.
To enable escrow key recovery:
1. Set up a public/private certificate pair with your desired setup. In this example a public .crt certificate is used in conjunction with the private key in .pem form. If you are unsure how to set up a public/private certificate pair, follow this guide.
We recommend using a .crt with a lifetime of 10 years to cover the lifetime of the device.
2. Install a profile on the macOS device with two settings: FileVault Recovery Key Escrow and a Credential certificate profile (the public .crt certificate).
The macOS device in scope of this profile will then show the following in System Preferences > Profiles:
3. Now that the Recovery Key Escrow and certificate profile have been installed, the main FileVault 2 profile can be installed on the macOS device. Set up a FileVault 2 profile using Institutional & Personal Recovery Key. An example configuration is shown below, and additional details can be found in the "Institutional & Personal Recovery Key" section above.
The macOS device in scope of this profile will now show the following in System Preferences > Profiles:
Note: It is very important to install the Recovery Key Escrow and certificate profile (step 2) before the main FileVault 2 profile (step 3).
4. Now that the device has the Recovery Key Escrow, certificate, and main FileVault 2 profiles, it is ready to begin encryption. Restart the macOS device and it will begin the FileVault encryption process. At this time the personal recovery key is displayed to the end user; from now on this personal key can be exposed in Dashboard at any time.
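The following shell script is an added example for two parts of this page: step 1 of the escrow setup above (generating the public .crt / private .pem pair with a 10-year lifetime) and the Institutional Recovery Key section (checking that a downloaded FileVaultMaster.p12 still opens with its password and holds the certificate and private key that Keychain Access should later show as two items). It is not Meraki's or Apple's code and it only assumes the openssl command-line tool. The file names escrow.crt and escrow.pem, the function names, and the 2048-byte limit (my reading of the Dashboard error "maximum 2Kb" quoted in the next section) are assumptions of this example; the checks also catch the two mistakes that note warns about, a private key that is too large and an IRK .p12 handed in where a PEM private key is expected.

```shell
#!/bin/sh
# Added example, not Meraki's or Apple's code. Generates the escrow certificate pair from
# step 1 and sanity-checks FileVault key material before it is needed in an emergency.
# Assumes the openssl CLI. File names, function names and the byte limit are assumptions.

ESCROW_DAYS=3650          # about 10 years, the lifetime recommended above
MAX_ESCROW_KEY_BYTES=2048 # assumption: Dashboard's "maximum 2Kb" means 2048 bytes

# Create a self-signed public certificate (escrow.crt) and its private key (escrow.pem).
# A 2048-bit RSA key in PEM form is roughly 1.7 KB, so it stays under the upload limit.
make_escrow_pair() {
    dir=$1
    subj=${2:-/CN=FileVault Escrow}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$ESCROW_DAYS" \
        -subj "$subj" -keyout "$dir/escrow.pem" -out "$dir/escrow.crt" 2>/dev/null || return 1
    chmod 600 "$dir/escrow.pem"   # this key can reveal every escrowed PRK: keep it private
}

# The file uploaded under "Access Key" must be a PEM private key (not the IRK .p12)
# and must fit the size limit; returns non-zero with a reason otherwise.
check_escrow_key() {
    key=$1
    grep -q 'BEGIN.*PRIVATE KEY' "$key" 2>/dev/null || { echo "not a PEM private key: $key"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "unparseable private key: $key"; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -le "$MAX_ESCROW_KEY_BYTES" ] || { echo "key is $size bytes, over the limit"; return 1; }
}

# Confirm the certificate really belongs to the private key: a mismatched pair would escrow
# PRKs that the key you hold cannot open. $1 = certificate, $2 = private key.
escrow_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must outlive the fleet: fail if it expires within $2 days.
escrow_cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# The downloaded IRK (FileVaultMaster.p12) is password-protected. Verify that it opens with
# the password and contains exactly one certificate and one private key. $1 = p12, $2 = password.
check_irk_p12() {
    p12=$1; pass=$2
    certs=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
    keys=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY')
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ]
}

# Usage: ESCROW_OUT_DIR=./escrow sh this-script.sh   (then upload escrow.crt in the
# Credential certificate profile and keep escrow.pem for the "Access Key" step)
if [ -n "${ESCROW_OUT_DIR:-}" ]; then
    make_escrow_pair "$ESCROW_OUT_DIR" && check_escrow_key "$ESCROW_OUT_DIR/escrow.pem" \
        && escrow_pair_matches "$ESCROW_OUT_DIR/escrow.crt" "$ESCROW_OUT_DIR/escrow.pem" \
        && echo "escrow pair ready in $ESCROW_OUT_DIR"
fi
```

Running check_irk_p12 against the stored FileVaultMaster.p12 on a schedule is a cheap way to find out that the password was recorded wrongly or the file was corrupted before the day it is needed; the IRK can always be re-downloaded from Dashboard, but only with a new password.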
Exposing the Personal Recovery Key in Dashboard via Escrow Recovery Key
Once the Escrow Recovery Key has been set up on the device, the Meraki Systems Manager Dashboard can display the device's personal recovery key. This is especially useful for decrypting an encrypted disk if an institutional recovery key has been set up and the end user of the device has lost their macOS login password and FileVault personal recovery key (which is only displayed once to the end user upon initial FileVault encryption).
To expose the personal recovery key, find the device in Systems Manager > Monitor > Clients. Click on the device and find the FileVault section within the Live Tools.
Click "Access Key" and then upload the private key (commonly a .pem file) from the public/private key pair used in the initial Escrow Recovery Key profile setup. The device's Personal Recovery Key is now displayed in Dashboard.
Note: If Dashboard throws the error "private key file size is too large (maximum 2Kb)", review the Escrow key setup steps. Also ensure that you are not using the institutional recovery key (IRK) as the Escrow access key.
Decrypting using FileVault 2
There are two methods of decrypting devices:
- Using a Personal Recovery Key
- Using the downloaded Institutional Recovery Key (recovery certificate)
Using a Personal Recovery Key
If a Personal Recovery Key (PRK) was used, the user MUST have made note of the key as Meraki cannot store a copy.
A PRK cannot be downloaded or recovered. When decrypting the device, enter the PRK when prompted and the device will be decrypted.
If a PRK was misplaced, lost or forgotten and it was the only recovery method chosen, there will be no way to decrypt the device. Short of factory resetting and wiping the device, the computer will be unusable.
Using Dashboard to Unlock a User's Startup Disk
Aside from downloading the recovery certificate, Meraki also stores the Institutional Recovery Key on the Organization > MDM page of Dashboard. Again, this key is used to unlock a device that Meraki encrypted via FileVault.
To decrypt a device:
- Find the IRK that was originally downloaded or download it from Dashboard. This file will be called FileVaultMaster.p12.
- Open up Keychain Access on an OS X machine (Applications > Utilities > Keychain Access).
- Create a new Keychain named FileVaultMaster (Keychain Access > File > New Keychain). Once the keychain is created, drag and drop the FileVaultMaster.p12 file into it. Two "File Vault Recovery Key" items should appear: one is a private key and the other a certificate.
- Next make a copy of your FileVaultMaster.keychain file.
- On the client Mac, start up from macOS Recovery by holding Command-R during startup.
- If you don't know the name (such as Macintosh HD) and format of the startup disk, open Disk Utility from the macOS Utilities window, then check the information Disk Utility shows for that volume on the right. If you see "CoreStorage Logical Volume Group" instead of "APFS Volume" or "Mac OS Extended," the format is Mac OS Extended. You will need this information in a later step. Quit Disk Utility when done.
- Connect the external drive that contains the private recovery key.
- From the menu bar in macOS Recovery, choose Utilities > Terminal.
- If you stored the private recovery key in an encrypted disk image, use the following command in Terminal to mount that image. Replace /path with the path to the disk image, including the .dmg filename extension:
hdiutil attach /path
Example for a disk image named PrivateKey.dmg on a volume named ThumbDrive:
hdiutil attach /Volumes/ThumbDrive/PrivateKey.dmg
- Use the following command to unlock the FileVault master keychain. Replace /path with the path to FileVaultMaster.keychain on the external drive. In this step and all remaining steps, if the keychain is stored in an encrypted disk image, remember to include the name of that image in the path.
security unlock-keychain /path
Example for a volume named ThumbDrive:
security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain
- Enter the master password to unlock the startup disk. If the password is accepted, the command prompt returns.
Continue as described below, based on how the user's startup disk is formatted.
Feel free to reference these instructions from Apple as well.
APFS Formatted Device
If the startup disk is formatted for APFS, complete these additional steps:
- Enter the following command to unlock the encrypted startup disk. Replace "name" with the name of the startup volume, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:
diskutil ap unlockVolume "name" -recoveryKeychain /path
Example for a startup volume named Macintosh HD and a recovery-key volume named ThumbDrive:
diskutil ap unlockVolume "Macintosh HD" -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
- Enter the master password to unlock the keychain and mount the startup disk.
- Use command-line tools such as ditto to back up the data on the disk, or quit Terminal and use Disk Utility.
Mac OS Extended (HFS Plus)
If the startup disk is formatted for Mac OS Extended, complete these additional steps:
- Enter this command to get a list of drives and CoreStorage volumes:
diskutil cs list
- Select the UUID that appears after "Logical Volume," then copy it for use in a later step.
Example: +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
- Use the following command to unlock the encrypted startup disk. Replace UUID with the UUID you copied in the previous step, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:
diskutil cs unlockVolume UUID -recoveryKeychain /path
Example for a recovery-key volume named ThumbDrive:
diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
- Enter the master password to unlock the keychain and mount the startup disk.
- Use command-line tools such as ditto to back up the data on the disk, or quit Terminal and use Disk Utility. Alternatively, use the following command to decrypt the unlocked disk and start up from it:
diskutil cs decryptVolume UUID -recoveryKeychain /path
Example for a recovery-key volume named ThumbDrive:
diskutil cs decryptVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
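The script below is an added example that ties the Terminal steps for both disk formats together; it is not Meraki's or Apple's script. It is meant to be run from Terminal in macOS Recovery after the IRK has been imported into FileVaultMaster.keychain and copied to the external drive as described above. The format argument ("apfs" or "hfs", names chosen for this example) is what Disk Utility showed for the startup disk, and the function automates the part of the Mac OS Extended procedure that is easiest to get wrong by hand: picking the UUID from the "+-> Logical Volume" line of diskutil cs list rather than from the "Logical Volume Group" or "Logical Volume Family" lines that look similar. Only the two helper functions that parse a saved listing and resolve the unlock target run outside Recovery; the diskutil and security calls require macOS.

```shell
#!/bin/sh
# Added example, not Meraki's or Apple's script. Runs the unlock steps above from Terminal
# in macOS Recovery. The format names "apfs"/"hfs" and the function names are assumptions.

# Extract the Logical Volume UUID from saved `diskutil cs list` output ($1 = file).
# Matches only the "+-> Logical Volume <UUID>" line the HFS steps tell you to copy, and not
# the "Logical Volume Group" or "Logical Volume Family" lines, because the 36-character UUID
# pattern must directly follow "Logical Volume ".
cs_logical_volume_uuid() {
    sed -n 's/^[ |]*+-> Logical Volume \([0-9A-F-]\{36\}\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Work out what diskutil must be given: the volume name for APFS, the LV UUID for CoreStorage.
# $1 = apfs|hfs, $2 = startup volume name, $3 = file holding `diskutil cs list` output.
resolve_unlock_target() {
    fmt=$1; volume=$2; listing=$3
    case $fmt in
        apfs) printf '%s\n' "$volume" ;;
        hfs)
            uuid=$(cs_logical_volume_uuid "$listing")
            [ -n "$uuid" ] || { echo "no CoreStorage logical volume found in $listing" >&2; return 1; }
            printf '%s\n' "$uuid" ;;
        *) echo "format must be apfs or hfs, got: $fmt" >&2; return 1 ;;
    esac
}

# The guide's steps in order: unlock the master keychain (prompts for the master password),
# then unlock the startup disk with the recovery keychain; optionally decrypt a CoreStorage disk.
# $1 = apfs|hfs, $2 = startup volume name, $3 = path to FileVaultMaster.keychain, $4 = yes to decrypt.
fv_unlock_with_irk() {
    fmt=$1; volume=$2; keychain=$3; decrypt=${4:-no}
    [ -f "$keychain" ] || { echo "keychain not found: $keychain" >&2; return 1; }
    security unlock-keychain "$keychain" || return 1
    listing=$(mktemp)
    if [ "$fmt" = hfs ]; then
        diskutil cs list > "$listing"
    fi
    target=$(resolve_unlock_target "$fmt" "$volume" "$listing") || { rm -f "$listing"; return 1; }
    rm -f "$listing"
    case $fmt in
        apfs) diskutil ap unlockVolume "$target" -recoveryKeychain "$keychain" ;;
        hfs)
            diskutil cs unlockVolume "$target" -recoveryKeychain "$keychain" || return 1
            if [ "$decrypt" = yes ]; then
                diskutil cs decryptVolume "$target" -recoveryKeychain "$keychain"
            fi ;;
    esac
}

# Usage from Terminal in macOS Recovery, for example:
#   fv_unlock_with_irk apfs "Macintosh HD" /Volumes/ThumbDrive/FileVaultMaster.keychain
#   fv_unlock_with_irk hfs  "Macintosh HD" /Volumes/ThumbDrive/FileVaultMaster.keychain yes
```

After an unlock, back up the data with ditto or Disk Utility as the steps above describe; the decrypt option is only offered for CoreStorage, matching the page, and leaves APFS volumes encrypted.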
Please reference the Apple support document Set a FileVault recovery key for computers in your organization.