
KB-4197: How to configure a FileVault 2 institutional recovery key if a personal recovery key already exists on Mac OS 10.9

Centrify Identity Service, Mac Edition

12 April,16 at 11:18 AM

Applies to: Centrify DirectControl on Mac OS X 10.9 and higher

Question:

Does a Mac OS X computer that already has FileVault 2 enabled through the Security & Privacy System Preferences need to be decrypted/disabled in order to use an institutional recovery key?


Answer:

For Mac systems on OS X 10.8 and below, yes. Please see the following KB for further detail:


On Mac systems running OS X 10.9 and higher, an additional verb, changerecovery, was added to the fdesetup command; it allows an institutional recovery key to be added alongside the existing personal recovery key.

Note: Only one recovery key of each type is allowed.

In order to do this, you will need the username of the account that set up the existing personal recovery key and the corresponding recovery key, or password.

To check whether a personal recovery key already exists, enter the following command in Terminal:

 
fdesetup haspersonalrecoverykey

If this command returns false, then it means that there is no personal recovery key present.
The command to change the institutional recovery key will not have an effect on the Mac, unless there is an institutional recovery key present. 

To check whether an institutional recovery key already exists, enter the following command in Terminal:
 
fdesetup hasinstitutionalrecoverykey

If this command returns true, then it means that there is already an institutional recovery key.
The command to change the institutional recovery key will remove the existing institutional recovery key and replace it with the new one. 
 
  • First, the FileVault master keychain must be created and the public key must be exported from it in certificate (.cer) file format. Instructions on how to do this are described in the Centrify Admin Guide for Mac, starting from page 67.
     
  • Second, the certificate information must be exported in order to create an input property list (.plist). This can be done by using a GUI application or the command line.

1. Install the iPhone Configuration Utility for Mac or Windows:
2. Open the iPhone Configuration Utility.

3. Select Configuration Profiles from the sidebar and then click the New button in the toolbar on top.

 
 
4. Select Credentials in the new configuration profile and then click the Configure button.
5. Select your FileVault 2 public key file that was exported in .cer format.
6. The FileVault 2 public key should show up as a credential.
7. Click the Export button to save the configuration profile with Security set to None.
8. Save/Export the filename.mobileconfig file.

Note: Alternatively, the Terminal application can be used to run the following command and export the certificate data to a text file:

 
base64 /path/to/certificate.cer > filename.txt

9. Open the .mobileconfig (or .txt) file using a text editor (TextMate, TextWrangler, Notepad++, etc.) and copy the certificate data.

10. Use the text editor to create a new input .plist containing the following keys inside the standard property list wrapper (fdesetup reads the Username, Password and Certificate keys; the Certificate value is the base64 certificate data):
 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>EnterEnabledFileVaultUsernameHere</string>
    <key>Password</key>
    <string>EnterPasswordorRecoveryKeyHere</string>
    <key>Certificate</key>
    <data>
    EnterCertificateDataHere
    </data>
</dict>
</plist>


Note:
  • The username and password here belong to an account that is enabled to unlock FileVault with the existing personal recovery key. We recommend adding a temporary local admin account and enabling it for FileVault, especially since the password is entered in plain text in this file. The account can then be removed after the institutional key is added.
     
  • This can be done by going into Security & Privacy System Preferences > FileVault > Enable Users and enabling the additional account, or by using the fdesetup add -usertoadd username command. The username of the account that set up the existing personal recovery key and the corresponding recovery key, or password, will be needed.


Now that you have an input .plist and a .cer file, the Copy Files group policy (GP) can be used to push the files to the machines.

On the Windows side:

1. Copy the input .plist and .cer file to the SYSVOL location on the domain controller.
 

2. Open the Group Policy Management Editor and Enable the Copy Files policy in Computer Configuration > Centrify Settings > Common UNIX Settings.

3. Add both files with the Destination set to /tmp. Choose the option to "Use destination file ownership and permissions".


See page 112 in the Centrify Group Policy Guide for information on how to use the Copy Files group policy.

Finally, the Specify Commands To Run group policy can be used to add the institutional recovery key.

1. Open the Group Policy Management Editor and Enable the Specify Commands To Run policy in Computer Configuration > Centrify Settings > Common UNIX Settings.

2. Add the following Run Command with your .cer and .plist files passed as options:
 
sudo fdesetup changerecovery -institutional -keychain -certificate /tmp/FileVaultKey.cer -inputplist < /tmp/MasterFV.plist


Once the group policies are pushed to the Macs, you should be able to see if the institutional key has been added by running the fdesetup hasinstitutionalrecoverykey command.
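The following shell functions are an added example, not Centrify's or Apple's code: they build the input .plist from the exported .cer (step 10 above), write it with owner-only permissions because it carries a plain-text password or recovery key, and run the changerecovery command from the Run Command step. The file names FileVaultKey.cer and MasterFV.plist follow the article; the function names are assumptions of this example.

```shell
# Added example, not Centrify's or Apple's code: builds the fdesetup input .plist from the
# exported .cer and applies it with the changerecovery command from this article. File names
# (FileVaultKey.cer, MasterFV.plist) follow the article; the function names are my own.

# Escape the three characters that would break the XML if they appear in a password.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Print the input plist to stdout: Username, Password (or recovery key) and the certificate
# as base64 inside <data>, the same encoding the "base64 certificate.cer" step produces.
make_fdesetup_input_plist() {  # args: username password cert_path
    [ -r "$3" ] || { echo "certificate not readable: $3" >&2; return 1; }
    cert_b64=$(base64 < "$3")
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        '    <key>Username</key>' \
        "    <string>$(xml_escape "$1")</string>" \
        '    <key>Password</key>' \
        "    <string>$(xml_escape "$2")</string>" \
        '    <key>Certificate</key>' \
        '    <data>' \
        "$cert_b64" \
        '    </data>' \
        '</dict>' \
        '</plist>'
}

# Write the plist with mode 0600: it holds a password or recovery key in plain text, so
# nobody but the owner (root, when pushed by group policy) should be able to read it.
write_fdesetup_input_plist() {  # args: username password cert_path out_path
    ( umask 077 && make_fdesetup_input_plist "$1" "$2" "$3" > "$4" )
}

# Run the article's command on the Mac (as root) and report whether an institutional key
# is now present. Returns 2 when fdesetup is missing, i.e. this is not macOS.
add_institutional_recovery_key() {  # args: cert_path plist_path
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found" >&2; return 2; }
    fdesetup changerecovery -institutional -keychain -certificate "$1" -inputplist < "$2" || return 1
    rm -f "$2"   # the plain-text credentials are no longer needed once the key is added
    fdesetup hasinstitutionalrecoverykey
}

# Typical use on the Mac after the Copy Files policy has delivered the .cer to /tmp:
#   write_fdesetup_input_plist fvadmin 'XXXX-XXXX-XXXX-XXXX-XXXX-XXXX' /tmp/FileVaultKey.cer /tmp/MasterFV.plist
#   add_institutional_recovery_key /tmp/FileVaultKey.cer /tmp/MasterFV.plist
```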


For information about how to use the recovery key, please go to the Apple Support KB at:
