Recovery Key Types

Jamf Pro Documentation 11.16.0


Before enabling FileVault disk encryption, choose the type of recovery key that you want to use to recover encrypted data. There are two types of recovery keys:

Personal (also known as "Individual")

Uses a unique alphanumeric recovery key for each computer. The personal recovery key is generated on the computer when FileVault encryption takes place and then sent to the Jamf Pro database for encrypted storage. Personal recovery keys can function as a passphrase and unlock or decrypt the encrypted disk.

Institutional

Uses a shared recovery key consisting of a private and public key pair. If used, you must create the recovery key with Keychain Access and upload only the public key to Jamf Pro for encrypted storage. Institutional recovery keys can be used across multiple computers to unlock or decrypt the encrypted disk, so Jamf recommends keeping the institutional recovery key in a highly secure location.

Warning:

Institutional recovery keys present a greater inherent security concern because they can be used for multiple computers. They also have more limited functionality on Macs with Apple silicon, and Apple no longer recommends them for institutional management in general. For most environments, Jamf recommends using personal recovery keys.

You can also choose to use both recovery keys (personal and institutional) together.
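As an added example (not code from the Jamf documentation), the following script, written in the style of a Jamf Pro extension attribute, reports which of the two recovery key types a Mac currently holds and flags the institutional case described in the warning above. It assumes that fdesetup haspersonalrecoverykey and fdesetup hasinstitutionalrecoverykey print "true" or "false" and require root; off macOS it substitutes constructed sample values so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example: report FileVault recovery key type(s) in Jamf Pro
# extension-attribute style (<result>...</result>).
# Inputs are the "true"/"false" answers (assumed output format) from
#   fdesetup haspersonalrecoverykey
#   fdesetup hasinstitutionalrecoverykey
# Both queries need root, so deploy this as a Jamf-run script.

# Map the two answers to the key type names used in the documentation.
classify_recovery_keys() {
  case "$1/$2" in
    true/true)   echo "Both" ;;
    true/false)  echo "Personal" ;;
    false/true)  echo "Institutional" ;;
    false/false) echo "None" ;;
    *)           echo "Unknown" ;;
  esac
}

# Flag the combinations an administrator would want to review: a shared
# institutional key is usable on many machines, and an encrypted disk with
# no recovery key of either type cannot be recovered through Jamf Pro.
recovery_key_risk() {
  case "$1" in
    Personal)           echo "ok" ;;
    Both|Institutional) echo "review: shared institutional key in use" ;;
    None)               echo "warn: no recovery key of either type" ;;
    *)                  echo "unknown" ;;
  esac
}

# Collect live values on macOS; elsewhere use constructed sample values so
# the logic can be exercised on any POSIX shell.
collect_report() {
  if [ "$(uname)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
    fv_status=$(fdesetup status 2>/dev/null | head -n 1)
    has_personal=$(fdesetup haspersonalrecoverykey 2>/dev/null)
    has_institutional=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)
  else
    fv_status="FileVault is On."   # constructed sample values
    has_personal="true"
    has_institutional="false"
  fi
  key_type=$(classify_recovery_keys "$has_personal" "$has_institutional")
  echo "<result>$fv_status Recovery key type: $key_type ($(recovery_key_risk "$key_type"))</result>"
}

collect_report
```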

For both institutional and personal recovery keys, Jamf Pro uses a SHA-256 password-based encryption scheme with 256-bit AES to store FileVault recovery key data. The salt and passphrase for the encryption are generated within the web application and are not site-specific.