Guide for Apple IT: Managing FileVault Recovery Keys

Posted on May 5, 2020

One of the top priorities for any company is to keep its sensitive data safe from being compromised. For businesses that run on Apple, FileVault is an essential tool that does just that. By encrypting all of the information on a Mac device’s startup disk, FileVault makes company information unreadable to unauthorized users.

In this article, we’re going to talk about what FileVault is, how it can be used to secure company data, what precautions IT should take while deploying it, and how FileVault Recovery Keys should be managed. Here’s a quick overview:

  • What is FileVault 2?
  • A Brief History of FileVault
  • Enhancing Security with FileVault + MDM

What is FileVault 2?

Company devices contain a lot of sensitive data that, if compromised, could put your business, employees, or customers at risk. To make it as difficult as possible for unauthorized users to access this data, Apple created FileVault.

Essentially, FileVault encrypts all data on Mac device startup disks, only allowing it to be accessed after proper login credentials have been entered. Because FileVault encrypts data in the background, employees can still use their devices while encryption is taking place.


Once FileVault is enabled, it cannot be turned off until the initial encryption is done. This can take a while, depending on the hard drive and file system types, but since users can still interact with their devices during encryption, this shouldn’t have a noticeable impact on their ability to work.

FileVault can be complemented by other security features, such as requiring users to log back in to their devices whenever a device wakes from sleep mode or leaves the screen saver. After a device is initially turned on, only FileVault-enabled users can log on – anyone else will have to wait until the disk has been decrypted by a FileVault-enabled user.

In the event that users do not remember their login credentials and cannot access their computers, an administrator can use a FileVault Recovery Key (which can be created when FileVault is initially enabled, rotated using an MDM, or created manually via Terminal commands – more on how to do this later on) to restore the data. If users cannot access their computers and administrators do not have this key, no one will be able to log in, and the files and settings on the computer will remain inaccessible.

Why is FileVault Important?

Encryption is essential to keep company and customer information safe. If an employee loses a laptop filled with sensitive data, it could be seen, copied, or otherwise compromised. Using FileVault disk encryption is a great way to prevent unauthorized access to this data, because all of it is encrypted and can only be read once a FileVault-enabled user authenticates, the login password is entered correctly, or a Recovery Key is used. So long as the unauthorized user doesn’t have this information, everything stored on the device is secure.

In some cases, full disk encryption is already active on a device, such as the iMac Pro or other Mac models that have an Apple T2 chip. We’ll talk more about these later; for now, just know that these models are encrypted automatically, even if IT hasn’t enabled FileVault on them. That said, enabling FileVault on these devices still adds another layer of security, requiring users to enter their login credentials to decrypt the disk.

How Do I Set Up FileVault Encryption?

You can use an MDM solution to deploy, monitor, and manage FileVault on all of your macOS devices. We’ll cover how this works in depth later in the article. If you aren’t using an MDM solution, then you’ll have to enable FileVault manually on each device.

Once FileVault 2 is enabled, you will be able to choose what steps must be taken to access the startup disk if a password is forgotten. There are two options:

  1. Unlock using an iCloud account and password: This option simply uses iCloud account information to verify if a user is authorized to unlock the startup disk or not.
  2. Unlock using a FileVault Recovery Key: If you choose the FileVault Recovery Key option, it’s crucial that you keep a copy of the key securely stored somewhere (but not in the encrypted startup disk). Without this key, the information on the device will be completely inaccessible.

In most enterprise settings, choosing a FileVault Recovery Key and storing it in a safe location (not on the encrypted device) is ideal. More on this later.


A Brief History of FileVault

FileVault has been a part of macOS since 2005 with the release of Mac OS X Panther (10.3). While it began with limited encryption power, a lot has changed since then. Today, FileVault 2 (the latest iteration of FileVault, introduced in Mac OS X 10.7) can perform full disk encryption on the fly. In this section, we’re going to take a closer look at how FileVault began, and what it’s capable of now.

Legacy FileVault

The first version of FileVault was introduced in Mac OS X Panther (10.3). In these early days, its encryption powers were limited; it could only encrypt a user’s home folder, leaving the rest of the data stored on the device unprotected. That said, it was still able to encrypt data on the fly, while users were still using the device.

This early form of FileVault also let users create FileVault Recovery Keys to decrypt and access their home folder data. This was a safety precaution that made sure users wouldn’t lose all of their data in the event that they forgot their Mac user password credentials. They could also use a master password to decrypt the computer, which was separate from the user password.

Since the release of FileVault 2, Apple has begun referring to this early iteration as Legacy FileVault. We’ll use this terminology in the rest of this section to make it clear which one we’re talking about.

FileVault 2

In Mac OS X Lion (10.7), Apple released FileVault 2. This was a redesigned and more robust encryption tool that improved on a number of capabilities present in Legacy FileVault. For instance, while Legacy FileVault could only encrypt a user’s home folder data, FileVault 2 seamlessly encrypts the entire startup disk – while users are working on their Mac devices, and with minimum drops in machine performance.

FileVault 2 also stepped up the strength of its encryption – Apple notes that “FileVault 2 uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.” FileVault 2 also works with Time Machine to seamlessly create automated backup sets. And, as we’ll cover later, FileVault 2 can be deployed and managed locally by users or centrally by an IT department using an MDM solution.

FileVault 2 & Secure Token

While FileVault 2 has made a lot of improvements over Legacy FileVault, it still presents IT administrators with a few challenges. For instance, Apple introduced the Secure Token account attribute in macOS High Sierra. As of this release, if you want to enable an account for FileVault on an encrypted Apple File System (APFS) volume, that account must first have a Secure Token added to it. Once an account is granted a Secure Token, it can create other accounts that are automatically granted a Secure Token.

The problem? Whenever an Active Directory account is used or a local account is created using command-line tools, they are not automatically granted a Secure Token. And because they do not have a Secure Token association, they cannot be enabled for FileVault. This means IT has to take extra steps to enable these accounts for FileVault 2.

FileVault 2 & Bootstrap Token

With macOS Catalina, Apple introduced a new feature known as Bootstrap Token. Bootstrap Token can assist with granting a Secure Token to both Active Directory mobile accounts and the optional user account created during Automated Device Enrollment. When a Bootstrap Token is escrowed to Kandji, macOS Catalina can request the token from Kandji when Active Directory mobile accounts sign in and generate a Secure Token for that user account.

Kandji fully supports the Bootstrap Token feature. 

FileVault 2 Security Best Practices with T2 Security Chip

We mentioned earlier that some newer Mac devices include a T2 security chip. Among many other security improvements, devices with the T2 security chip already have their hard drives encrypted, whether FileVault 2 is enabled or not. This doesn’t mean there’s no reason to use FileVault 2. Even if the data on the Mac device is already encrypted, turning on FileVault 2 will also enable other security features, like requiring users to enter their login credentials to decrypt the disk. So, it’s recommended that you use FileVault 2 on your T2 Mac device, except in cases where the device is shared among multiple users, such as a computer lab.

While it’s possible to enable IT administrator accounts for FileVault, it’s generally recommended that you don't do this, and instead keep the number of FileVault-enabled users as small as possible. This cuts down the security risk posed by having multiple accounts that can decrypt your company devices.
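A small audit script that puts the Secure Token point and the "fewest FileVault-enabled users" recommendation into practice, added here as an example; it is not part of this post or of Kandji's tooling. It assumes the `fdesetup list` output format (one `username,UUID` line per FileVault-enabled user) and the `Secure token is ENABLED/DISABLED for user ...` wording of `sysadminctl -secureTokenStatus`. The parsing functions take that output as text so they can be exercised on constructed samples; the live commands run only on macOS (run it there with sudo so `fdesetup list` works), and the admin account name `admin` is a placeholder.

```shell
#!/bin/sh
# Added example (not Kandji's code): audit local accounts for FileVault
# enablement and Secure Token status, and flag admin accounts that are
# FileVault-enabled. Parsing functions take command output as an argument so
# they can be tested on constructed text; real commands run only on macOS.

# Names of FileVault-enabled users from `fdesetup list` output,
# which is assumed to be one "username,UUID" line per user.
fv_enabled_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# Number of FileVault-enabled users (the post recommends keeping this small).
fv_user_count() {
  fv_enabled_users "$1" | grep -c . || true
}

# True when `sysadminctl -secureTokenStatus <user>` reported an enabled token.
secure_token_enabled() {
  case "$1" in
    *"Secure token is ENABLED"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print FileVault-enabled users that appear in the space-separated list $2
# of IT admin account names (the post advises against enabling these).
flagged_admins() {
  for u in $(fv_enabled_users "$1"); do
    for a in $2; do
      if [ "$u" = "$a" ]; then printf '%s\n' "$u"; fi
    done
  done
  return 0
}

# Live audit on macOS: run as root so fdesetup can list users.
audit_mac() {
  fv_list=$(fdesetup list 2>/dev/null || true)
  echo "FileVault-enabled users: $(fv_user_count "$fv_list")"
  # Local accounts, excluding system (underscore) and built-in accounts.
  for u in $(dscl . -list /Users | grep -Ev '^(_|daemon$|nobody$|root$)'); do
    st=$(sysadminctl -secureTokenStatus "$u" 2>&1 || true)
    if secure_token_enabled "$st"; then tok=enabled; else tok=missing; fi
    if fv_enabled_users "$fv_list" | grep -qx "$u"; then fv=yes; else fv=no; fi
    printf '  %-20s secure token: %-8s FileVault-enabled: %s\n' "$u" "$tok" "$fv"
  done
  echo "Admin accounts that are FileVault-enabled (consider removing):"
  flagged_admins "$fv_list" "${ADMIN_ACCOUNTS:-admin}"   # 'admin' is a placeholder
}

if [ "$(uname -s)" = Darwin ]; then audit_mac; fi
```

Accounts that show `secure token: missing` are the Active Directory or command-line-created accounts the section above describes: they cannot be enabled for FileVault until a Secure Token (or, on Catalina, a Bootstrap Token escrowed to the MDM) supplies one. Set `ADMIN_ACCOUNTS="admin itsupport"` to name the administrator accounts you expect to see flagged.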


Enhancing Security with MDM + FileVault 2

Using an MDM solution, you can deploy, monitor, and manage FileVault 2 across your company devices. Our MDM solution, Kandji, has a few different Parameters you can use to do this. Here’s a quick overview of them:

Enable FileVault 2 Parameter


The “Enable FileVault 2” Parameter forces all enrolled macOS devices to enable FileVault disk encryption, after which the Mac prompts the user to restart to complete the FileVault setup. If FileVault was enabled before the device was enrolled in Kandji, the existing key won’t be captured, and you’ll need to turn on the “Escrow FileVault Recovery Keys to Kandji” Parameter.

With the Enable FileVault 2 Parameter, you can also choose whether or not to show the FileVault Recovery Key to the user while FileVault is being enabled. Although this option is available in the MDM framework, we’re one of the few MDM solutions that give you this level of control over who can and cannot see the Recovery Key.

As a rule of thumb, if you’re a company that requires high levels of security, then you don’t want your employees to see these keys. It just opens up an unnecessary security risk since employees could decrypt the disk themselves by using them. If FileVault keys are escrowed by an administrator to MDM, they can always be given out to the end user when needed, such as if you need to reset a FileVault user’s password.

By hiding the keys, IT retains the ability to delete users or wipe their disks when necessary, without worrying that a malicious end user could use the FileVault key to access the data after these actions are taken. If a user has seen and recorded the Recovery Key, they can still decrypt the startup disk.

Sometimes after a FileVault Recovery Key has been used, for example after giving it to an end user so they can reset their password, it is desirable to generate a new one. This can be done easily via Terminal with this command:

sudo fdesetup changerecovery -personal


Escrow FileVault Recovery Keys to Kandji Parameter


When you enable the “Escrow FileVault Recovery Keys to Kandji” Parameter, all newly created FileVault Recovery Keys will be captured by Kandji during the FileVault setup. You can see the keys by opening up the Kandji Web App, going into the Mac device’s computer record, clicking more (…), and then “View FileVault recovery Key.”


Report User Accounts with FileVault Recovery Keys Escrowed to iCloud Parameter

macOS gives users the option to store their FileVault Recovery Key in their iCloud account. Because this leaves the keys vulnerable to being compromised by an unauthorized party, this is not recommended. By enabling the “Report User Accounts with FileVault Recovery Keys Escrowed to iCloud” Parameter, you’ll be alerted whenever a Recovery Key is stored in iCloud.


Regenerating FileVault Recovery Keys


Kandji also has a built-in option for regenerating FileVault Recovery Keys when they are unknown, so if you enroll a Mac that has already been encrypted, Kandji can escrow a new FileVault Recovery Key by automatically prompting the end user.


Alternatively, you can force the Mac to create a new FileVault Recovery Key by entering a command in Terminal. Once this is complete, Kandji will capture the new key, as long as you’ve enabled the “Escrow FileVault Recovery Keys to Kandji” Parameter.

To generate the new key via Terminal, just use this command:

sudo fdesetup changerecovery -personal
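A wrapper around that command, added here as an example; it is not part of this post or of Kandji's tooling. It refuses to rotate while the initial encryption is still running or enablement is deferred (the post notes FileVault cannot be turned off mid-encryption, and a key rotated then is easy to lose track of), and afterwards checks that the command's output contains a key in the six-groups-of-four format FileVault personal recovery keys use. The `fdesetup status` wordings and the `New personal recovery key = ...` sample line in the comments are assumptions based on the tool's usual output. The live command runs only on macOS and only when the script is invoked with `rotate`; it prompts for a FileVault-enabled user's password on the terminal.

```shell
#!/bin/sh
# Added example (not Kandji's code): pre-checks and post-checks around
# `sudo fdesetup changerecovery -personal`. Parsing takes command output as
# text so it can be tested on constructed samples; the real command runs
# only on macOS and only when this script is invoked with "rotate".

# Classify `fdesetup status` output (assumed wordings: "FileVault is On.",
# "FileVault is Off.", "Encryption in progress: ...", "Deferred enablement ...").
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"Deferred enablement"*)    echo deferred ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Rotation only makes sense once FileVault is fully on.
can_rotate() {
  [ "$(fv_state "$1")" = on ]
}

# Pull the first personal recovery key (six hyphen-separated groups of four
# characters, e.g. in a constructed line "New personal recovery key = ABCD-...")
# out of arbitrary command output; prints nothing if none is present.
extract_prk() {
  printf '%s\n' "$1" | grep -oE '[A-Z0-9]{4}(-[A-Z0-9]{4}){5}' | head -n 1
}

# Strict format check for a single key string.
valid_prk() {
  printf '%s' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

rotate_on_mac() {
  status=$(fdesetup status)
  if ! can_rotate "$status"; then
    echo "Not rotating: FileVault state is '$(fv_state "$status")'" >&2
    return 1
  fi
  # The post's command. fdesetup prompts for a FileVault-enabled user's
  # password on the terminal (assumption) and prints the new key.
  out=$(sudo fdesetup changerecovery -personal 2>&1)
  key=$(extract_prk "$out")
  if valid_prk "$key"; then
    # Shown once on the terminal, as the bare command would show it; avoid
    # redirecting this into a log file. With the escrow Parameter enabled,
    # the MDM captures the new key.
    echo "New personal recovery key: $key"
    echo "Confirm it appears in the device record (escrow must be enabled)."
  else
    echo "No well-formed recovery key found in fdesetup output:" >&2
    printf '%s\n' "$out" >&2
    return 1
  fi
}

if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = rotate ]; then rotate_on_mac; fi
```

Run it as `sh rotate_prk.sh rotate` on the Mac; without the `rotate` argument it only defines the functions, which is also how the checks can be exercised on sample output.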


The Kandji team is constantly building solutions to streamline your workflow and secure your devices. With powerful and time-saving features like zero touch deployment, one-click security and compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace. Request access to Kandji today.

