Apple’s macOS has the ability to encrypt the hard drive of the system. If a user forgets this passphrase or is unable to unlock the system with the regular macOS password, a Personal Recovery Keys (PRKs) can be used to boot a system.
Symantec Endpoint Encryption includes the ability to easily manage the Personal Recovery Keys for these macOS systems encrypted with FileVault.
In addition to managing the Personal Recovery Key the SEE FileVault client can be configured to use an “Institutional Recovery Key”, so if the PRK or user password cannot unlock a system, the IRK can be used to do so. This article will cover how to configure the Institutional Recovery Key to be used in conjunction with Personal Recovery Keys.
See the following articles for additional information related to this topic:
To create the Institutional Recovery Key, run the following command, which will create a keychain as well as the certificates to run get the IRK:
sudo security create-filevaultmaster-keychain /Library/Keychains/SEEFileVaultMaster.keychain
Enter the passphrase when prompted:
This will create a keychain called “SEEFileVaultMaster.keychain and will be located in /Library/Keychains
Now open your keychain. You may not see the keychain you just created, and if you do not, simply drag the SEEFileVaultMaster.keychain into the list of keychains in Keychain Access. This will then display the keychain:
You’ll notice the keychain is locked by default. To be able to export the keys needed, you’ll need to unlock the keychain with the following command:
security unlock-keychain /Library/Keychains/SEEFileVaultMaster.keychain, which will show the padlock is now unlocked:
You’ll also notice that there were two entries created:
FileVault Master Password Key (Private key)
FileVault Recovery Key (Public key)
In order to export the keys, you’ll need to unlock the keychain with the unlock command above and then right-click each of the files and export, or export both at once:
Enter and confirm the passphrase of the FileVault Master Password keypair you wish to protect it with:
Important: he only key needed to import into the SEE Management Server is the “FileVault Recovery Key” certificate, which is only the public portion of the certificate/key. The keypair should be stored off the server and in a secure location and only the required folks should have access to this key.
Once you have exported the certificate, you can then upload it to the SEE Management Server:
Check the box for “Use Institutional Recovery Key” and browse to the public portion you just exported with the .cer extension:
This will include this public certificate into the SEE FileVault client so if a user is unable to login to the system, this key can be used to unlock the system.
If you check the box, but do not browse to a key, you’ll get the following error:
The SEE FileVault client has some additional features that will be helpful to you. In a scenario where there are multiple users that may exist on a machine, the “Secure Token” Attribute must be set for the users to be automatically added as a FileVault user. If a user “Bob” has the “Secure Token” attribute set, but “Sally” does not, then Sally will not be enabled as a FileVault user.
If you have a pre-existing account that has been provisioned with the Secure Token attribute, you can enter the user’s credentials on this next screen and any additional users who login to the system will be automatically added, and their Recovery Key will then be sent to the server:
This is not a required configuration, but useful when a user does not have the Secure Token already configured.
Once you complete the rest of the wizard, the SEE Client will be created and will have the IRK built in:
When you go to install the SEE FileVault client, you’ll need both of these files. The MacSettings.xml include the instructions for which SEE Management Server the client will connect back to the server with.