Personal recovery key for FileVault


On one of our Macs, while setting up FileVault, we missed the recovery key. Are there any possible ways to get the personal key from the device end?

All Replies

  • Hi @keanu, the recovery key is only generated once while initially setting up the FileVault encryption on Mac. Post encryption, there is no way to find out the recovery key that was previously generated. For your case, you can either generate a new key and disable the older keys by going to System Preferences > Security & Privacy > FileVault > [Click the lock to make changes] > Turn off FileVault and start over again, or you can replace the recovery key. If you wish to go with the latter, you can run the following script on the terminal:

    1. For personal recovery key
      sudo fdesetup changerecovery -personal
    2. For institutional recovery key
      sudo fdesetup changerecovery -institutional -certificate /path_to_file

    fdesetup is the command-line tool for Mac to enable, disable and configure FileVault. For generating a new personal recovery key, running the code will generate a new recovery key and display it. However, for generating a new institutional recovery key, you will need to have the new key available as a certificate file stored locally on the system. You may refer to this Apple article for steps to create a new FileVault keychain.

    To address such issues, Hexnode has introduced the Escrow Personal Recovery Key option for macOS 10.13+ devices. When this option is enabled, Hexnode can retrieve and back up the personal recovery key on your behalf. This way, you can use Hexnode to automatically encrypt or decrypt the recovery key or you can manually specify the certificate to encrypt the recovery key. The option saves you the trouble of worrying about the recovery key while setting up FileVault and also provides an additional level of security by removing the chances of compromising your recovery key in a data breach or other security incident.

    Learn all the macOS FileVault options available for configuration by visiting How to Manage FileVault.

    Cheers!
    Zach Goodman
    Hexnode UEM
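
The key replacement described in the reply above can be wrapped in a pre-check so that `changerecovery` only runs on a Mac where FileVault is on and a personal recovery key actually exists. This is an added example, not part of the original reply or Hexnode's tooling; the function name `recovery_key_action` and the `--apply` argument are hypothetical, and it assumes `fdesetup status` prints "FileVault is On." when enabled and `fdesetup haspersonalrecoverykey` prints `true` or `false`.

```shell
#!/bin/sh
# Added example: decide which recovery-key step applies before rotating.
# Run as root (sudo), since fdesetup needs it for key operations.

# Prints one of: rotate-personal, check-institutional, enable-filevault, error
recovery_key_action() {
    fv_status=$(fdesetup status 2>/dev/null) || { echo "error"; return 1; }

    case "$fv_status" in
        *"FileVault is On"*) ;;                       # encrypted, keep going
        *) echo "enable-filevault"; return 0 ;;       # nothing to rotate yet
    esac

    # Assumed output: the literal word "true" or "false".
    has_prk=$(fdesetup haspersonalrecoverykey 2>/dev/null) || has_prk=false

    if [ "$has_prk" = "true" ]; then
        echo "rotate-personal"
    else
        # No personal key on the volume; an institutional key may be in use.
        echo "check-institutional"
    fi
}

# Only touch the key when explicitly asked to (hypothetical --apply argument).
if [ "${1:-}" = "--apply" ]; then
    action=$(recovery_key_action)
    echo "FileVault recovery key action: $action"
    if [ "$action" = "rotate-personal" ]; then
        # The old personal key stops working once this succeeds. The new key
        # is printed once to the terminal, so record or escrow it right away
        # and avoid redirecting this output to a file on the same disk.
        fdesetup changerecovery -personal
    fi
fi
```
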