
How to Manage FileVault

FileVault is the full-disk encryption feature in Mac OS X 10.9 and later that protects your data and prevents unauthorized users from retrieving the information stored on your Mac. Once your device is encrypted, anyone without the password or a recovery key is unable to log in to your Mac, and without the password the data on the disk remains unreadable. Once the device boots and you log in, the data on the drive becomes available again, and any new files are automatically encrypted as they are saved to the machine. Using FileVault is a good idea so that if a Mac is misplaced or lost, the data on it is not compromised.

Full-disk encryption is transparent while you use the computer.

Note:

Once set up, removing the policy or disassociating devices does not disable FileVault.

Difference between encryption and password protection

Encryption converts the data into a scrambled, unreadable format, ensuring that only authorized users can access the information. The primary purpose of encryption is to protect the confidentiality of the content. Password protection, on the other hand, secures the information only by locking it behind a password: anyone in possession of the password gains access to the information, which is an added vulnerability.

When a disk is encrypted, the data remains encrypted and safe even if the disk is removed from the Mac and connected to another device. If the disk is only password-protected, the data on it can be accessed simply by removing the disk from the Mac.

There are three recovery-key options for encrypting your macOS devices:

  • Institutional Recovery Key
  • Personal Recovery Key
  • Institutional and Personal Recovery Key

Institutional Recovery Key

These are used by organizations or institutions that require a common key to decrypt all their devices.

If you lose or forget the certificate password, you must protect the IRK certificate with a new password and download it again. An advantage of using an IRK is that if the key is lost or corrupted, a new copy can be downloaded from the portal itself.

Note:

Supported certificate file formats: .cer, .crt, .pem, .der, .p7b, .p12

Encryption using Institutional Recovery Key

  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. From the drop-down list, select the Institutional Recovery Key option.
  5. By default, the encryption certificate used is HexnodeMDMFileVaultCertificate. Click on Upload New to upload a new Encryption certificate.
  6. Selecting the Skip enabling FileVault at user login option lets the admin set the number of times users can skip enabling FileVault when they log in to the Mac device.
  7. Next, associate the policy to target devices by navigating to the Policy Targets tab.
  8. Select the required Devices/Device Groups/Users/User Groups/Domains to which the policy is to be associated.
  9. Click Save.


Creating an encryption certificate

To use a new encryption certificate, the administrator must first create the certificate and upload it to the MDM portal.

You can create and export the recovery key with or without its private key.

Note:

A computer running macOS 10.8 or later is needed.

  1. On a macOS computer (10.8+), open Terminal and execute the command:
     security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain
  2. You will be asked to enter a password for the new keychain. Re-enter the password to confirm it.
  3. A new keychain, FileVaultMaster.keychain, is created on your desktop. This file is the private recovery key that can decrypt the startup disk of any FileVault-configured Mac, so store it in a safe location such as an external drive or a disk image for use later during decryption.
  4. Open Keychain Access by double-clicking the FileVaultMaster.keychain file on your desktop. From the left sidebar, choose FileVaultMaster. If multiple items are displayed on the right, choose another keychain from the left sidebar, then click FileVaultMaster again to refresh the list so that only two items are shown.
  5. A certificate (FileVault Recovery Key) and a private key (FileVault Master Password Key) are displayed. Select only the certificate if you want to export the recovery key without the private key. Otherwise, select both.
     Note:
     • If you export the certificate without the private key, store the private key in a secure place, as it is needed during decryption.
  6. From File, select Export Items. Choose .p12 as the file format, specify the location where the file is to be saved, and click Save.
  7. You will be asked to enter a password to protect the exported items. Enter and verify the password, then click OK. This password is required when uploading the certificate to the portal.
  8. Quit Keychain Access.

The FileVault recovery key and the private key (only if exported) are saved to the specified location. Upload this file to your Hexnode MDM portal.
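Before uploading or archiving an export, it is worth confirming what the .p12 actually contains: a certificate-only file is what the portal needs, while the copy you keep for decryption must also carry the private key. The shell function below is an added example (not part of this Hexnode guide) and assumes openssl is installed; file path and export password are passed as arguments.

```shell
#!/bin/sh
# Classify an exported FileVault recovery .p12 (added example; assumes openssl is installed).
# Usage: irk_p12_check <file.p12> <export-password>
# Returns 0 = certificate + private key, 1 = certificate only, 2 = unreadable or wrong password.
irk_p12_check() {
  p12="$1"; pw="$2"
  # Keychain Access exports may use legacy PBE ciphers; on OpenSSL 3.x add "-legacy"
  # to both commands below if they refuse to read the file.
  certs=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys 2>/dev/null) || return 2
  keys=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || return 2
  case "$certs" in *"BEGIN CERTIFICATE"*) ;; *) return 2 ;; esac
  case "$keys" in *"PRIVATE KEY"*) return 0 ;; *) return 1 ;; esac
}

# Human-readable verdict for an operator.
irk_p12_report() {
  rc=0
  irk_p12_check "$1" "$2" || rc=$?
  case $rc in
    0) echo "$1: certificate + private key -> keep this copy offline; it can decrypt volumes" ;;
    1) echo "$1: certificate only -> suitable for uploading to the portal; it cannot decrypt volumes" ;;
    *) echo "$1: unreadable (wrong password or unsupported format)" ;;
  esac
}

if [ "$#" -eq 2 ]; then
  irk_p12_report "$1" "$2"
fi
```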

Decryption using Institutional Recovery Key

Prerequisites:

  • Make sure that you know the name and format of the startup disk. If not, open Disk Utility from Applications > Utilities and check the name and format details; you will need this information at a later stage. If Disk Utility shows ‘CoreStorage Logical Volume Group’ instead of ‘APFS Volume’ or ‘Mac OS Extended’, the startup disk format is Mac OS Extended.

To decrypt a device using IRK,

  1. If a new encryption certificate is uploaded instead of the default Hexnode MDM FileVault Certificate while configuring the policy,
    • From the system where the uploaded keychain was created, copy the FileVaultMaster.keychain (which contains the private key) to an external drive.
    • Navigate to step 3.
  2. If Hexnode MDM FileVault Certificate is selected as the encryption certificate,
    • Navigate to Admin > General Settings.
    • Under FileVault Settings, you have an option to download Hexnode MDM FileVault Certificate. Enter the password in the space provided and click on the download button on the right.
    • On the OS X machine, navigate to Applications > Utilities and open Keychain Access.
    • Create a new Keychain. Drag and drop the recovery key downloaded previously. You can see a private key and a certificate.
    • Copy the newly created FileVault keychain to an external drive. This file resides in ~/Library/Keychains.
    • Navigate to step 3.
  3. Decrypting the client machine

    To unlock the keychain,

    • Restart your client machine while holding the Command and R keys to boot into macOS Recovery.
    • Connect the external drive containing the keychain file to the client machine.
    • Open Terminal from Utilities.
    • If the private recovery key was stored in a disk image, execute the following command to mount the disk image:
      hdiutil attach /path/to/disk-image.dmg
    • Unlock the FileVault master keychain (on the external drive) using the following command:
      security unlock-keychain /path/to/FileVaultMaster.keychain
    • Enter the master password to unlock the keychain.

    To unlock the encrypted volume,

    • Follow the steps below if your device is using Apple File System (APFS):
      1. Run the following command to unlock the encrypted volume, giving the path to the keychain on the external drive or disk image:
        diskutil ap unlockVolume "Name of the startup volume" -recoveryKeychain /path/to/FileVaultMaster.keychain
      2. Enter the master password to unlock the keychain and mount the startup disk.
      3. You can now retrieve files using command-line tools such as ditto, or close Terminal and use Disk Utility.
    • Follow these extra steps instead if your device is using Mac OS Extended:
      1. Run the following command to list the drives and CoreStorage volumes:
        diskutil cs list
      2. Find the UUID of the logical volume in the output and copy it.
      3. To unlock the encrypted volume, run the following command, giving the path to the keychain on the external drive or disk image:
        diskutil cs unlockVolume "UUID" -recoveryKeychain /path/to/FileVaultMaster.keychain
      4. Enter the master password to unlock and mount the encrypted volume.
      5. You can now retrieve files using command-line tools such as ditto, or close Terminal and use Disk Utility. You can also run the following command to decrypt the volume:
        diskutil cs decryptVolume "UUID" -recoveryKeychain /path/to/FileVaultMaster.keychain
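Picking the logical volume UUID out of the diskutil cs list output by eye is error-prone on a machine with several volumes. The shell below is an added example, not from this guide or from Apple: it parses a constructed, abridged listing in the layout diskutil cs list prints (one "Logical Volume <UUID>" entry followed by its "LV Name:" line), returns the UUID of the volume whose LV Name matches, and assembles the unlockVolume command from it. The volume name, UUIDs and keychain path are made up.

```shell
#!/bin/sh
# Constructed, abridged sample of `diskutil cs list` output (added example).
# On a real machine replace it with: SAMPLE=$(diskutil cs list)
SAMPLE='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 66666666-7777-8888-9999-000000000000
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 12345678-90AB-CDEF-1234-567890ABCDEF
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD
'

# Print the UUID of the Logical Volume whose "LV Name" equals $2 in listing $1.
# Returns 1 (and prints nothing) when no logical volume has that name.
cs_lv_uuid() {
  printf '%s\n' "$1" | awk -v want="$2" '
    # "Logical Volume <UUID>" lines (not the Group/Family headers) start a new volume.
    /Logical Volume [0-9A-F-]+$/ && !/Family/ && !/Group/ { uuid = $NF }
    /LV Name:/ {
      sub(/^[ |]*LV Name:[ \t]*/, "")
      if ($0 == want) { print uuid; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# Assemble the unlock command (step 3 of the Mac OS Extended path); $3 is the keychain path.
cs_unlock_cmd() {
  uuid=$(cs_lv_uuid "$1" "$2") || return 1
  printf 'diskutil cs unlockVolume "%s" -recoveryKeychain "%s"\n' "$uuid" "$3"
}
```

Run the printed command yourself rather than piping it to sh, so the UUID can be checked against Disk Utility before the keychain is used.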

Personal recovery key

Personal Recovery Keys are alphanumeric strings generated at the time of encryption; the user receives the key automatically when the encryption process completes. Each key is unique to the machine being encrypted. The user must note down this key, as it is not recorded anywhere in the portal.

Encryption using Personal Recovery Key


  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. Select the Personal Recovery Key option to encrypt the devices using a Personal Recovery Key.
  5. Select the Show Personal Recovery Key to user option to display the recovery key to the user. The user must make a note of this key, as it is not recorded in the portal. This option is enabled by default.
  6. Selecting the Skip enabling FileVault at user login option lets the admin set the number of times users can skip enabling FileVault when they log in to the Mac device.
  7. Navigate to Policy Targets and click on +Add devices to add the Mac devices you wish to associate the policy with. Click Save.

After the policy has been pushed to your device, restart the device and enter your Mac password when prompted.

You will then get an alert informing you that FileVault is being enabled on your volume.

Within a few minutes, the FileVault Recovery Key is shown in a popup message. Note down this key, as it is not recorded elsewhere. Then click Continue, and your device will turn on after completing the boot process.

Note:

If an encrypted Mac is decrypted and then re-encrypted, a new personal recovery key is generated and the old recovery key is invalidated.

Now the encryption begins. The time taken to complete the encryption depends on how much data is stored on your Mac.

You can follow the encryption progress on your Mac under System Preferences > Security & Privacy > FileVault.

Note:

While encrypting, make sure your device is plugged into an electrical outlet. If it is not, the encryption process may pause until you connect the power adapter.

Decryption using Personal Recovery Key

If you are decrypting your device with a Personal Recovery Key, you must enter the key when prompted and the device will be decrypted.

Note:

If you lose your personal recovery key, the device cannot be decrypted. You will have to perform a factory reset to restore your device.

Institutional and Personal Recovery Key

This is the recommended method. An institutional recovery key as well as a personal recovery key is generated for the user. The advantage of this method is that if your personal recovery key is lost, you can still use the institutional recovery key to decrypt your device.

Encryption using Institutional and Personal Recovery Key


  1. Navigate to Policies > New Policy.
  2. Click on FileVault under macOS > Security. Click Configure.
  3. Select the Enable FileVault option to enable FileVault on Mac devices.
  4. From the drop-down list, select the option Institutional and Personal Recovery Key.
  5. By default, the encryption certificate used is HexnodeMDMFileVaultCertificate. Click on Upload new certificate to upload a new Encryption certificate.
  6. Select the Skip enabling FileVault at user login option if you want to let users skip enabling FileVault when they log in to the Mac device. You can set the number of skip attempts.
  7. Navigate to Policy Targets and click on +Add devices to add the Mac devices you wish to associate the policy with. Click Save.

Decryption using Institutional and Personal Recovery Key

You can use either of the keys to decrypt your device.

Note:

For an encrypted device with a FileVault Policy, applying another FileVault policy has no effect.