You may have set up FileVault encryption using an institutional recovery key (more details in Enabling FileVault Encryption for Client Macs).
It’s possible you have a local admin account on the FileVault-enabled machine, so if a user says “Oh, no! I forgot my password,” you can reset the password. But what if your user also has admin privileges and deletes your local admin account, so there is no user account (with a known password) that can unlock the encrypted volume?
Well, that’s where your institutional recovery key comes in handy.
- Put your original FileVaultMaster.keychain (the one without the private key deleted) on an external drive or thumb drive
- Boot the client machine into recovery mode (Cmd-R at bootup).
- Plug in the drive with the FileVaultMaster.keychain file on it. It should automount in recovery mode, but you can also mount it using Disk Utility.
- Go to Utilities and select Terminal.
- Unlock the keychain: security unlock-keychain /Volumes/NAMEOFDRIVE/FileVaultMaster.keychainThis will prompt you for a password you set when you originally created the institutional recovery key.
- Then, run diskutil cs listwhich will list out the CoreStorage logical volume groups. Find the UUID of the Logical Volume (most likely the LV Name will be Macintosh HD if you went with defaults, and the Content Hint will be Apple_HFS). As the UUID will likely be at least 32 characters long, you probably want to highlight and copy it (to paste later).
- To unlock the volume (to get at the files), run this command diskutil cs unlockVolume YOUR-LONG-UUID-COPIED-FROM-EARLIER -recoveryKeychain /Volumes/NAMEOFDRIVE/FileVaultMaster.keychainYou should then see output like thisStarted CoreStorage operation
Logical Volume successfully unlocked
Logical Volume successfully attached as disk18 Logical Volume successfully mounted as /Volumes/Macintosh HD
Core Storage disk: disk18
Finished CoreStorage opeartion - You can then fetch anything you won’t from the unlocked and mounted disk.
Acknowledgements: I created this tutorial with the help of Apple’s official documentation on it and Rich Trouton’s Unlock or decrypt your FileVault 2-encrypted boot drive from the command line.
2 responses to “Using a FileVault institutional recovery key to unlock an encrypted disk”
[…] more details, check out Using a FileVault institutional recovery key to unlock an encrypted disk Author Alan SiuPosted on April 26, 2016January 25, 2017Tags fdesetup, […]
[…] In my previous blog posts on FileVault, I talked about or showed how to use an institutional recovery key for FileVault encryption: Enabling FileVault Encryption for Client Macs Setting up deferred FileVault encryption Using a FileVault institutional recovery key to unlock an encrypted disk […]