There are three ways to encrypt an OS X device with FileVault 2: with an Institutional Recovery Key only, with a Personal Recovery Key only, or with both. Each has its own use cases, but the recommended approach is option 3, both keys.
Once a method of encryption is determined, add the FileVault 2 setting and select Enabled.
An Institutional Recovery Key (IRK) is a certificate whose private key can unlock, and therefore decrypt, any device encrypted with it. To download the IRK, create a password to protect the exported file and click the download button on the right. That password protects only that downloaded copy: if it is lost or forgotten, re-download the key from Dashboard and protect the new copy with another password.
Once the key has been downloaded (it is a .p12 file), store it securely. If the downloaded copy is lost or corrupted, the benefit of an IRK is that the key itself is stored in Dashboard and can be re-downloaded at any time.
A Personal Recovery Key (PRK) is a key of letters and numbers generated locally on the device. If selected, the key is displayed to the user on the device at the end of the FileVault 2 encryption process. It is not customizable, and Dashboard does not store it; the user must record the key and keep it safe.
If only a Personal Recovery Key is used and that key is lost, the device cannot be decrypted. The only way to use the device again is to wipe it and reinstall the OS.
This is the recommended FileVault 2 encryption method.
When this option is used, the user is given a Personal Recovery Key upon encryption and an Institutional Recovery Key is generated as well. Either key can unlock a device with FileVault 2 enabled. This model is recommended because it gives the user a way to decrypt their own device while keeping the Institutional Recovery Key as a fail-safe in case the Personal Key is lost.
There are two methods of decrypting devices:
If a Personal Recovery Key (PRK) was used, the user MUST have made note of the key, as Meraki cannot store a copy.
A PRK cannot be downloaded or recovered. When decrypting the device, enter the PRK when prompted and the device will be decrypted.
If the PRK was misplaced, lost or forgotten and it was the only recovery method chosen, there is no way to decrypt the device. Short of wiping the device and reinstalling the OS, the computer will be unusable.
Aside from the downloadable recovery certificate, Meraki also stores the Institutional Recovery Key on the Organization > MDM page of Dashboard. This is the key that unlocks any device Meraki encrypted with FileVault.
To decrypt a device with the Institutional Recovery Key, first unlock the encrypted volume with the key from Terminal (the locked volume cannot be the booted startup disk, so run these from macOS Recovery or another startup disk). If the FileVaultMaster keychain is stored on a disk image, attach the image first:
hdiutil attach /path/to/diskImage
Unlock the keychain that holds the institutional key:
security unlock-keychain <path to Keychain File>
For example, on a volume named ThumbDrive:
security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain
List the CoreStorage volumes and note the UUID of the locked Logical Volume:
diskutil cs list
Unlock that volume with the recovery keychain:
diskutil cs unlockVolume <UUID> -recoveryKeychain <path to Keychain File>
For example, you'd use this command if there was a UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:
diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
Feel free to reference these instructions from Apple as well.
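The steps above copy the Logical Volume UUID out of diskutil cs list by hand. The script below is an added example, not Meraki's or Apple's code, that wraps the same two commands (security unlock-keychain and diskutil cs unlockVolume) and extracts the UUID of each locked Logical Volume itself. It assumes the keychain sits at /Volumes/ThumbDrive/FileVaultMaster.keychain (override with the KEYCHAIN environment variable), that the --unlock flag, the function names and the sample diskutil cs list listing are all constructed here, and that it is run on the Mac being recovered; without --unlock it only exercises the parser on the sample listing.

```shell
#!/bin/sh
# Added example (not from the Meraki page or Apple's documentation): automates
# the IRK unlock steps and parses `diskutil cs list` for the Logical Volume
# UUID. Assumptions: run from Terminal on the Mac being recovered, with
# FileVaultMaster.keychain on an external volume (default /Volumes/ThumbDrive).
KEYCHAIN="${KEYCHAIN:-/Volumes/ThumbDrive/FileVaultMaster.keychain}"

# Constructed sample of `diskutil cs list` output for one locked FileVault 2
# volume (UUIDs are made up). Used when --unlock is not given, so the parser
# can be exercised on a machine without diskutil.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 6D0B1B5C-8E2A-4C0F-9D2B-3F1A2C4E5B6D
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D
    |   ----------------------------------------------------
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 7E8F9A0B-1C2D-4E3F-A4B5-C6D7E8F9A0B1
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |
        +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Content Hint:          Apple_HFS'

# Print the UUID of every CoreStorage Logical Volume in a listing, one per
# line. "Logical Volume Group" and "Logical Volume Family" lines do not match
# because a 36-character UUID must directly follow "Logical Volume ".
lv_uuids() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]|+>-]*Logical Volume \([0-9A-Fa-f-]\{36\}\)$/\1/p'
}

# Exit 0 if the Logical Volume with UUID $2 in listing $1 reports
# "Status: Locked", 1 if it reports any other status, 2 if the UUID is absent.
lv_is_locked() {
  printf '%s\n' "$1" | awk -v uuid="$2" '
    $0 ~ ("Logical Volume " uuid "$") { found = 1; next }
    found && /^[[:space:]]*Status:/ { locked = ($2 == "Locked"); exit }
    END { if (!found) exit 2; exit (locked ? 0 : 1) }'
}

# The two commands from the procedure above: unlock the keychain holding the
# institutional private key, then unlock the volume with it.
unlock_with_irk() {
  lv_uuid="$1"
  security unlock-keychain "$KEYCHAIN" || return 1
  diskutil cs unlockVolume "$lv_uuid" -recoveryKeychain "$KEYCHAIN"
}

if [ "${1:-}" = "--unlock" ]; then
  listing=$(diskutil cs list)
  for uuid in $(lv_uuids "$listing"); do
    if lv_is_locked "$listing" "$uuid"; then
      echo "Unlocking Logical Volume $uuid with $KEYCHAIN"
      unlock_with_irk "$uuid"
    else
      echo "Logical Volume $uuid is not locked; skipping"
    fi
  done
else
  echo "Locked Logical Volumes in the sample listing (use --unlock on the Mac):"
  for uuid in $(lv_uuids "$SAMPLE_CS_LIST"); do
    lv_is_locked "$SAMPLE_CS_LIST" "$uuid" && echo "  $uuid"
  done
fi
```

Because the private key in FileVaultMaster.keychain unlocks every device encrypted with that IRK, the drive carrying it and the password used when it was downloaded from Dashboard deserve the same protection as the key itself: plug the drive into the locked Mac only, and remove it once the volume is unlocked.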