Mac® Encryption Key Recovery

Written by Ryan Squires on January 9, 2019


Full Disk Encryption (FDE) for Mac® (called FileVault) is becoming a standard IT security practice for IT organizations. With data and laptop thefts on the rise, it only makes sense that features such as FDE are becoming commonplace. But most good things come with a caveat. The challenge with FDE is that managing FDE Recovery Keys is one of the most difficult administrative issues surrounding the technology. Thankfully, a modern system management platform is simplifying the Mac encryption key recovery process.

What is Driving Encryption Needs?


Theft of laptops and compliance regulations are driving the need to protect data. FDE is now integrated into both Mac and Windows® machines at the OS layer. With FDE software so accessible, IT organizations can now mandate its use. As a result, when FDE is properly implemented, the desktops and laptops that use it are protected while their hard drives are “at rest.” The problem is actually implementing and managing FDE. The benefits are clear, but enabling and managing it is a different story altogether. Without the proper tools and systems, FDE can lead to a great deal of extra work and, in some cases, severe problems such as the loss of data due to something as simple as a forgotten password.

Forgotten Passwords and Encryption Key Recovery


So how does FileVault 2, Mac’s encryption software, fit into this discussion? Once FileVault 2 has encrypted a drive, that drive can only be unlocked at startup with the user’s password or with a Recovery Key. Because of this, IT admins are encouraged to save Recovery Keys in case a user forgets their password, which happens more often than users would like to admit. The issue is that storing hundreds or even thousands of individual Recovery Keys can be an administrative nightmare as well as a security risk.

A Tool to Manage Recovery Keys in the Cloud


Luckily, a next generation cloud identity management solution called JumpCloud® Directory-as-a-Service® has created an FDE Policy for Mac (and Windows BitLocker), along with a key escrow service and recovery process that ease the enterprise deployment of FDE and the storage of Recovery Keys. This solution is available for two of the most popular systems out there, Mac and Windows, and it takes the burden off IT admins who:

  1. Need to implement FDE across their Mac/Windows environments
  2. Wish to ensure that lost passwords don’t result in lost data or unnecessary downtime
  3. Require visibility into who does and who doesn’t have FDE enabled

With JumpCloud, the tedious administrative tasks that generally surround FDE implementation and usage are handed off to a cloud service that simplifies FDE so that it becomes usable for all.

Learn More About JumpCloud


If you’re ready to securely store Mac encryption Recovery Keys in the cloud and not in a spreadsheet, please do not hesitate to contact us to speak to one of our product experts. Or, you can sign up for a free account today and see how FDE Policies can make your organization more secure. With a free account you can manage 10 users for free, forever. Once you’ve signed up, our Knowledge Base can help you get the most out of your JumpCloud account.

Ryan Squires

Ryan Squires is a content writer at JumpCloud, a company dedicated to connecting users to the IT resources they need securely and efficiently. He has a degree in Journalism and Media Communication from Colorado State University.
