How do I obtain the FileVault2 recovery key after it has been modified?

I have a Cocoa application on OS X, which manages FileVault Disk Encryption on behalf of the user and reports the recovery key back to a server once the recovery key is generated. However, if the user changes the recovery key using the 'changerecovery' command, is there any way to listen to this event and obtain the recovery key so as to update the server?

There is 1 answer

Jack Lawrence

As an alternative solution, have you considered using an institutional FileVault recovery key? With this method, you create a single key, install it on every machine that you manage, and then you can use that key to unlock the machine. This key is independent of the user's own recovery key.

There are directions here to create and deploy an institutional key: https://support.apple.com/en-us/HT202385. In addition to the manual deployment steps described in that support document, you can automatically deploy and enforce your institutional key using macOS/OS X Server Profile Manager so that it cannot be removed by the user. Instructions to do that are available here: http://impdossier.blogspot.com/2015/12/enable-file-vault-by-profile-manager.html