Using a FileVault institutional recovery key to unlock an encrypted disk

You may have set up FileVault encryption using an institutional recovery key (more details in Enabling FileVault Encryption for Client Macs).

It’s possible you have a local admin account on the FileVault-enabled machine, so if a user says “Oh, no! I forgot my password,” you can reset the password. But what if your user also has admin privileges and deletes your local admin account, so there is no user account (with a known password) that can unlock the encrypted volume?

Well, that’s where your institutional recovery key comes in handy.

  • Put your original FileVaultMaster.keychain (the one without the private key deleted) on an external drive or thumb drive.
  • Boot the client machine into recovery mode (Cmd-R at bootup).
  • Plug in the drive with the FileVaultMaster.keychain file on it. It should automount in recovery mode, but you can also mount it using Disk Utility.
  • Go to Utilities and select Terminal.
  • Unlock the keychain:
    security unlock-keychain /Volumes/NAMEOFDRIVE/FileVaultMaster.keychain
    This will prompt you for a password you set when you originally created the institutional recovery key.
  • Then, run
    diskutil cs list
    which will list out the CoreStorage logical volume groups. Find the UUID of the Logical Volume (most likely the LV Name will be Macintosh HD if you went with defaults, and the Content Hint will be Apple_HFS). As the UUID will likely be at least 32 characters long, you probably want to highlight and copy it (to paste later).
  • To unlock the volume (to get at the files), run this command
    diskutil cs unlockVolume YOUR-LONG-UUID-COPIED-FROM-EARLIER -recoveryKeychain /Volumes/NAMEOFDRIVE/FileVaultMaster.keychain
    You should then see output like this
    Started CoreStorage operation
    Logical Volume successfully unlocked
    Logical Volume successfully attached as disk18
    Logical Volume successfully mounted as /Volumes/Macintosh HD
    Core Storage disk: disk18
    Finished CoreStorage operation
  • You can then fetch anything you want from the unlocked and mounted disk.
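
The same steps as a small script, added here as an example (not from the original post or from Apple): it picks the Logical Volume UUID out of `diskutil cs list` by its LV Name instead of copying it by hand, then runs the two commands above. The parsing is exercised on a constructed sample of `diskutil cs list` output with made-up UUIDs; the real `security`/`diskutil` calls only run when you pass `--run` and the keychain path.

```sh
#!/bin/sh
# Added example: automates the unlock steps above. The parser is checked
# against a constructed sample of `diskutil cs list` output so it works
# offline; security/diskutil are only invoked when run with "--run".

# Constructed sample (UUIDs are made up), trimmed to the lines that matter.
SAMPLE_CS_LIST=$(cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 1A2B3C4D-0000-4111-8222-333344445555
    Name:         Macintosh HD
    |
    +-> Logical Volume Family 9F8E7D6C-5555-4666-8777-888899990000
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 5E6F7A8B-1234-4ABC-9DEF-0123456789AB
            LV Name:               Macintosh HD
            Content Hint:          Apple_HFS
EOF
)

# Print the UUID of the Logical Volume whose "LV Name" equals $2.
# $1 is the text of `diskutil cs list`; Group and Family UUIDs are skipped.
find_lv_uuid() {
  printf '%s\n' "$1" | awk -v want="${2:-Macintosh HD}" '
    /Logical Volume [0-9A-F-]+[ \t]*$/ && $0 !~ /Group|Family/ { uuid = $NF }
    /LV Name:/ {
      sub(/.*LV Name:[ \t]*/, ""); sub(/[ \t]+$/, "")
      if ($0 == want && uuid != "") { print uuid; exit }
    }'
}

# Unlock the institutional keychain, then the volume, as in the steps above.
# $1: path to FileVaultMaster.keychain, $2: LV Name (default "Macintosh HD")
unlock_with_irk() {
  keychain=$1
  uuid=$(find_lv_uuid "$(diskutil cs list)" "${2:-Macintosh HD}") || return 1
  [ -n "$uuid" ] || { echo "no Logical Volume named '${2:-Macintosh HD}'" >&2; return 1; }
  security unlock-keychain "$keychain" || return 1   # prompts for the IRK password
  diskutil cs unlockVolume "$uuid" -recoveryKeychain "$keychain"
}

# In Recovery: sh unlock.sh --run /Volumes/NAMEOFDRIVE/FileVaultMaster.keychain
if [ "${1:-}" = "--run" ]; then
  unlock_with_irk "$2" "$3"
fi
```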

Acknowledgements: I created this tutorial with the help of Apple’s official documentation on it and Rich Trouton’s Unlock or decrypt your FileVault 2-encrypted boot drive from the command line.
