Creating and Exporting an Institutional Recovery Key with the Private Key

Jamf Pro Documentation 11.16.0


Requirements

You need an administrator computer with macOS 10.11 or later to create and export an institutional recovery key.

  1. On an administrator computer, open Terminal and execute the following command:

    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain

  2. When prompted, enter a password for the new keychain.
  3. To unlock the keychain, open Terminal and execute the following command:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

  4. Perform a backup of the keychain and save it in a secure location.
  5. Open Keychain Access.
  6. From the menu bar, choose Add Keychain from the File pop-up menu, and then add the FileVaultMaster.keychain file located in /Library/Keychains/.
  7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading.
  8. Verify that a private key is associated with the certificate.

    [Figure: A macOS Keychain Access window with "FileVault Master Password Key" highlighted]

  9. Select the certificate and the private key.
  10. From the menu bar, choose Export Items from the File pop-up menu. Then save the items as a .p12 file.

    The .p12 file is a bundle that contains both the Recovery Key and the private key.

  11. Create and verify a password to secure the file, and then click OK.

    You will be prompted to enter this password when uploading the recovery key to Jamf Pro.

  12. Quit Keychain Access.
  13. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time.

    Without the keychain, you will not be able to decrypt the computer.

The Recovery Key and the private key are saved as a .p12 file in the location you specified.
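Before the .p12 from step 10 is uploaded, it is worth confirming on the exported file itself that it really carries both the certificate and its private key (the same condition step 8 checks in Keychain Access); a cert-only export is easy to produce by selecting only one item. The script below is an added example, not Jamf's code: it assumes openssl is on PATH, and the bundle names, the password demo-export-pw and the self-signed sample identity are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Jamf's code): sanity-check an exported institutional recovery key
# bundle before uploading it to Jamf Pro. A usable .p12 must carry the certificate AND
# the private key that belongs to it. Assumes openssl is on PATH.

# verify_p12 BUNDLE PASSWORD -> 0 if cert + matching private key present, else 1 with a reason.
verify_p12() {
  bundle="$1"; pw="$2"
  # Pull the certificate out; failure here usually means a wrong password.
  cert_pem=$(openssl pkcs12 -in "$bundle" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null) ||
    { echo "FAIL: cannot open $bundle (wrong password or not PKCS#12)"; return 1; }
  printf '%s\n' "$cert_pem" | grep -q 'BEGIN CERTIFICATE' ||
    { echo "FAIL: no certificate in $bundle"; return 1; }
  # Pull the private key out unencrypted (kept in a shell variable only, never written to disk).
  key_pem=$(openssl pkcs12 -in "$bundle" -passin "pass:$pw" -nocerts -nodes 2>/dev/null)
  printf '%s\n' "$key_pem" | grep -q 'BEGIN PRIVATE KEY' ||
    { echo "FAIL: no private key in $bundle (export the certificate AND its key)"; return 1; }
  # The key belongs to the certificate only if both derive the same public key.
  cert_pub=$(printf '%s\n' "$cert_pem" | openssl x509 -pubkey -noout | openssl dgst -sha256)
  key_pub=$(printf '%s\n' "$key_pem" | openssl pkey -pubout | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key in $bundle does not match its certificate"; return 1; }
  echo "OK: $bundle holds a certificate and its matching private key"
}

# make_sample_bundles DIR: constructed test data, a throwaway self-signed identity packed
# two ways: a correct export (identity.p12) and a cert-only export (cert-only.p12).
make_sample_bundles() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample FileVault Master Key" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/identity.p12" -passout pass:demo-export-pw
  openssl pkcs12 -export -in "$dir/cert.pem" -nokeys \
    -out "$dir/cert-only.p12" -passout pass:demo-export-pw
}

# With arguments (BUNDLE PASSWORD): check a real export. Without: self-check on the samples.
main() {
  if [ $# -ge 2 ]; then verify_p12 "$1" "$2"; return; fi
  d=$(mktemp -d)
  make_sample_bundles "$d"
  verify_p12 "$d/identity.p12" demo-export-pw
  verify_p12 "$d/cert-only.p12" demo-export-pw || true   # expected to report FAIL
  rm -rf "$d"
}
main "$@"
```

Keychain Access writes its exports with older PKCS#12 ciphers (RC2/3DES), so under OpenSSL 3 the two `openssl pkcs12 -in` reads may need the `-legacy` option added; the stock macOS openssl (LibreSSL) reads them as-is.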