Using a Personal Recovery Key to unlock a machine managed by the Symantec Endpoint Encryption FileVault Client

Article ID: 213004


Products

Endpoint Encryption

Issue/Introduction

SEE FileVault can manage the recovery keys for macOS systems that are encrypted with FileVault. When a Personal Recovery Key (PRK) is configured, the SEE FileVault client uploads it to the SEE Management Server. This escrowed key is a critical component for recovery.

If a user forgets the passphrase on a system where SEE FileVault is used, the end user can call the helpdesk and, with the recovery key, unlock the system and configure a new macOS password.

For information on how to install the SEE FileVault client, see article X.
For information on how to use a Symantec Encryption Management Server Helpdesk recovery, see article X.

This article goes through the flow.


See the following articles for additional information related to this topic:

213010 - How to create a SEE Client and Institutional Recovery Key for Symantec Endpoint Encryption FileVault Recovery (client creation)

213002 - How to install and use the SEE FileVault client to enable encryption and manage Recovery Keys with the SEE Management Server

213006 - Using the SEE Helpdesk Web Portal to obtain the Personal Recovery Key for SEE FileVault clients

Resolution

First, an encrypted system does not look or behave much differently from a non-encrypted system. However, once the system is encrypted, you will have some additions:

In the screenshot above, click the small arrow icon.

TIP: If you don't see the option to enter a recovery key, click the Question Mark "?" icon in the login field and see if this will help you proceed.

Next, the Recovery Key 

Once the recovery key is entered, you will be prompted to enter a new password to reset the macOS password for the user. Note that this only works for a local user account; you cannot reset an Active Directory account with a recovery key. This is the case whether or not Endpoint Encryption is installed:

Once the new password has been set and the user logs in, a new Personal Recovery Key is generated. SEE FileVault then prompts the user for the password that was just set, and the new PRK is sent to the Symantec Encryption Management Server:

As mentioned in the screenshot above, it is very important for the user to enter the macOS password here. If it is not entered, no Personal Recovery Key is sent to the SEE Management Server, and further recovery of this system will not be possible. It is highly recommended that the end user enter the passphrase at this prompt.
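Two shell checks an administrator can run around this flow, as an added example that is not part of the Broadcom article or the SEE product: prk_format_ok catches a mistyped key before the user types it at the pre-boot screen, and filevault_recovery_state uses the macOS fdesetup tool to confirm FileVault is on and a Personal Recovery Key is present, the state in which a fresh PRK can be escrowed after the reset described above. The function names are this example's own and the keys used are constructed, not real PRKs.

```shell
#!/bin/sh
# Added example, not from the Broadcom article or SEE. Assumes macOS's
# fdesetup(8) for the second check; runs on other systems with return code 3.

# Checks that a key read out by the helpdesk has the shape macOS issues for a
# Personal Recovery Key: 24 characters A-Z/0-9 in six hyphenated groups of four.
# Surrounding spaces and lowercase input are tolerated; anything else is rejected.
prk_format_ok() {
    key=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    case "$key" in
        ????-????-????-????-????-????) ;;
        *) return 1 ;;
    esac
    groups=$(printf '%s' "$key" | sed 's/-//g')
    case "$groups" in
        *[!A-Z0-9]*) return 1 ;;
    esac
    return 0
}

# Reports whether this Mac is in a state where a PRK recovery can be re-escrowed
# afterwards. Return codes:
#   0  FileVault on and a Personal Recovery Key exists
#   1  FileVault is off (nothing to recover)
#   2  FileVault on but no PRK present (institutional key only, or none)
#   3  fdesetup not found (not macOS)
filevault_recovery_state() {
    command -v fdesetup >/dev/null 2>&1 || return 3
    fdesetup status | grep -q 'FileVault is On' || return 1
    [ "$(fdesetup haspersonalrecoverykey 2>/dev/null)" = "true" ] || return 2
    return 0
}

# Stand-alone usage: optionally validate a key given as the first argument,
# then report the local FileVault state code.
if [ -n "$1" ]; then
    if prk_format_ok "$1"; then echo "key format OK"; else echo "key format invalid"; fi
fi
filevault_recovery_state; echo "filevault state code: $?"
```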


Additional Information

Troubleshooting:
174845 - Troubleshooting Symantec Endpoint Encryption for File Vault Add User Dialog keeps coming up

225093 - Mac FileVault Client cannot connect to Endpoint Encryption Management Server

161042 - See Section "About the Symantec Endpoint Encryption for FileVault logs"