How to create a SEE Client and Institutional Recovery Key for Symantec Endpoint Encryption FileVault Recovery (client creation)
search cancel

How to create a SEE Client and Institutional Recovery Key for Symantec Endpoint Encryption FileVault Recovery (client creation)


Article ID: 213010


Updated On:


Endpoint Encryption


Apple’s macOS has the ability to encrypt the hard drive of the system.  If a user forgets this passphrase or is unable to unlock the system with the regular macOS password, a Personal Recovery Keys (PRKs) can be used to boot a system. 
Symantec Endpoint Encryption includes the ability to easily manage the Personal Recovery Keys for these macOS systems encrypted with FileVault.  

In addition to managing the Personal Recovery Key, the SEE FileVault client can be configured to use an “Institutional Recovery Key”, so if the PRK or user password cannot unlock a system, the IRK can be used to do so. This article will cover how to configure the Institutional Recovery Key to be used in conjunction with Personal Recovery Keys.


See the following articles for additional information related to this topic:

213002 - How to install and use the SEE FileVault client to enable encryption and manage Recovery Keys with the SEE Management Server

213004 - Using a Personal Recovery Key to unlock a machine managed by the Symantec Endpoint Encryption FileVault Client

213006 - Using the SEE Helpdesk Web Portal to obtain the Personal Recovery Key for SEE FileVault clients



To create the Institutional Recovery Key, run the following command, which will create a keychain as well as the certificates to run and get the IRK:

sudo security create-filevaultmaster-keychain /Library/Keychains/SEEFileVaultMaster.keychain

Enter the passphrase when prompted:

This will create a keychain called “SEEFileVaultMaster.keychain and will be located in /Library/Keychains

Now open your keychain.  You may not see the keychain you just created, and if you do not, simply drag the SEEFileVaultMaster.keychain into the list of keychains in Keychain Access.  

This will then display the keychain:

You’ll notice the keychain is locked by default.  To be able to export the keys needed, you’ll need to unlock the keychain with the following command:

security unlock-keychain /Library/Keychains/SEEFileVaultMaster.keychain, which will show the padlock is now unlocked:

You’ll also notice that there were two entries created:
FileVault Master Password Key (Private key)
FileVault Recovery Key (Public key)

In order to export the keys, you’ll need to unlock the keychain with the unlock command above and then right-click each of the files and export, or export both at once. 


Enter and confirm the passphrase of the FileVault Master Password keypair you wish to protect it with:

Important: he only key needed to import into the SEE Management Server is the “FileVault Recovery Key” certificate, which is only the public portion of the certificate/key.  

The keypair should be stored off the server and in a secure location and only the required folks should have access to this key.

Once you have exported the certificate, you can then upload it to the SEE Management Server:

Check the box for “Use Institutional Recovery Key” and browse to the public portion you just exported with the .cer extension:

This will include this public certificate into the SEE FileVault client so if a user is unable to login to the system, this key can be used to unlock the system.  

Note: If you check the box, but do not browse to a key, you’ll get an error.


The SEE FileVault client has some additional features that will be helpful to you.  

In a scenario where there are multiple users that may exist on a machine, the “Secure Token” Attribute must be set for the users to be automatically added as a FileVault user.  

If a user “Bob” has the “Secure Token” attribute set, but “Sally” does not, then Sally will not be enabled as a FileVault user.  

If you have a pre-existing account that has been provisioned with the Secure Token attribute. 

You can then enter the user’s credentials on this next screen and any additional users who login to the system will be automatically added, and their Recovery Key will then be sent to the server:

This is not a required configuration, but useful when a user does not have the Secure Token already configured.

Once you complete the rest of the wizard, the SEE FileVault Client will be created and will have the IRK built in:

When you go to install the SEE FileVault client, you’ll need both of these files. The MacSettings.xml include the instructions for which SEE Management Server the client will connect back to the server with.


Additional Information

174845 - Troubleshooting Symantec Endpoint Encryption for File Vault Add User Dialog keeps coming up

225093 - Mac FileVault Client cannot connect to Endpoint Encryption Management Server

161042 - See Section "About the Symantec Endpoint Encryption for FileVault logs"