KB-4182: Why do existing FileVaults need to be completely decrypted first when switching to institutional keys?

Centrify Identity Service, Mac Edition

12 April 2016 at 11:18 AM

Applies to: Centrify DirectControl for Mac on OS X 10.7 and higher

Question:

On page 68 of the Centrify Admin Guide for Mac, one of the requirements for enabling FileVault via Centrify is that FileVault is not already enabled on the system:

FileVault 2 must not be enabled on the Mac OS X computer (through the Security & Privacy System Preference). If it is already configured, configuring FileVault 2 through Centrify User Suite will have no effect.

If FileVault is currently already enabled, then it needs to be completely disabled first before the institutional key can be used instead. This means that the disk needs to be decrypted first.

Can the keys be swapped over without having to fully decrypt and re-encrypt FileVault?


Answer:

Note: For OS X versions 10.8 and below, the information below still applies.
 
FileVault needs to be completely disabled and re-enabled when switching keys because the encryption process is directly tied to the key itself.

FileVault should not be thought of as a literal vault of data with a padlock (the encryption "key") on the door; that picture would imply that the padlock could simply be swapped for another one without touching the data itself.

Because Apple FileVault is a full-disk encryption solution, the key is "mixed in" with the data during the initial encryption process, specifically so that it cannot be easily extracted, for maximum security.

This is why, if FileVault is already in use and the Mac needs to move to a centrally managed environment, the disk must be fully decrypted and then re-encrypted with the new key.
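A preflight check an administrator can run before enabling FileVault through Centrify, added here as an example and not part of Centrify's tooling: it classifies the output of Apple's `fdesetup status` (available on OS X 10.8 and later) so the requirement above (FileVault must be off first) can be verified per machine. The exact wording of the status lines ("FileVault is On."/"FileVault is Off.", "Decryption in progress: Percent completed = 42.") is an assumption about the tool's usual output.

```shell
#!/bin/sh
# Added example (not Centrify's code): decide whether a Mac is ready to have
# FileVault enabled through Centrify with an institutional key, based on the
# text printed by `fdesetup status`. Status line wording is an assumption.

# classify_fv_status STATUS_TEXT
# Prints one of: ready | needs-decrypt | decrypting | encrypting | unknown
# Progress lines are checked first because fdesetup prints them together
# with the "FileVault is On." line while a conversion is running.
classify_fv_status() {
    status="$1"
    case "$status" in
        *"Decryption in progress"*) echo "decrypting" ;;
        *"Encryption in progress"*) echo "encrypting" ;;
        *"FileVault is Off"*)       echo "ready" ;;
        *"FileVault is On"*)        echo "needs-decrypt" ;;
        *)                          echo "unknown" ;;
    esac
}

# explain_fv_status STATUS_TEXT
# Turns the classification into the action the article requires.
explain_fv_status() {
    case "$(classify_fv_status "$1")" in
        ready)         echo "FileVault is off: it can be enabled through Centrify with the institutional key." ;;
        needs-decrypt) echo "FileVault is already on: disable it (full decryption) before switching to the institutional key." ;;
        decrypting)    echo "Decryption still running: wait until fdesetup reports FileVault is Off." ;;
        encrypting)    echo "Encryption still running: let it finish, then disable FileVault before switching keys." ;;
        *)             echo "Could not interpret fdesetup output; check it manually." ;;
    esac
}

# Live use on a Mac: ./fv_preflight.sh --live
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    explain_fv_status "$(fdesetup status 2>&1)"
fi
```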
 
