Mac® FileVault® Key Escrow

Written by Ryan Squires on January 3, 2019


With IT admins beginning to implement FileVault for Full Disk Encryption (FDE), a key step in the process is to escrow Recovery Keys. Escrow is a handy way to ensure that a locked-out user doesn’t remain that way. As we all know, with FDE a forgotten password can mean lost data and frustrated users. Now, there is a simple Mac® FileVault® key escrow service that IT admins can leverage to stay ahead of forgotten passwords and their ramifications.

Full Disk Encryption Primer

FDE is an important security mechanism for IT admins, but it can often be hard to implement. In fact, with Apple’s most recent changes to the FileVault enablement process, it is even more difficult than before. What we’re talking about here is the fact that IT admins can only implement FileVault for users with a Secure Token. For more information on Secure Token and why it is critical to understand before enabling FileVault, check out our detailed resources: a support article and product update blog.

Once FileVault has been enabled, the hard disk and its data are not accessible without the proper password. Apple created a recovery process so that if and when a password is forgotten, the data is not lost forever. But that process can be confusing. In order to log back in to a Mac® without the correct password, a user would require either a Personal or an Institutional Recovery Key. A Personal Key is automatically generated at the time FileVault is enabled unless there is an Institutional Key already installed on the system. It can be a convoluted process, so we describe the two keys below.

Two Types of FileVault Keys


We will start with the Personal Key. A Personal Key is made to unlock an individual endpoint if and when a password is forgotten. Of the two types, the Personal Key is much more secure, because it is not shared. But it is not without its faults. Because each key belongs to a single machine, maintaining copies of these highly sensitive keys is a difficult task. What are IT admins to rely upon? Spreadsheets, sticky notes, and safes?

The second is the Institutional Key, an organization-wide key that can be used to unlock any of an organization’s Mac endpoints with FileVault enabled. Institutional Keys are manually generated and, as stated above, are less secure due to their shared nature. Additionally, the Institutional Key must be installed independently on each system in order to decrypt a volume where a password has been forgotten. The result is a lot of manual work. Clearly, managing Recovery Keys for a large organization can represent a significant pain point.

Simplified Key Management


Out of this challenge of managing keys, a cloud identity management platform has emerged to help simplify these management chores. What JumpCloud® Directory-as-a-Service® has created is a secure, cloud-based FileVault Key Escrow service. This Mac user and system management solution can create policies that enable FileVault and safely store the resulting Personal Recovery Keys. JumpCloud only manages Personal Keys; it does not manage Institutional Keys.

IT admins have long had to worry about users writing their Personal Recovery Keys on sticky notes and hiding them in a filing cabinet or under their keyboard, or about being stuck holding the bag on securely vaulting all of those keys themselves. With JumpCloud’s Key Escrow service, that worry is eliminated. As a cloud directory service, FDE policies are a core part of its GPO-like cross-platform system management functions within Directory-as-a-Service. All IT admins have to do is turn on the FileVault policy; the escrowed Personal Keys are then securely stored and only displayed when needed. Cool, right?

Learn More About JumpCloud®


Security is baked into everything JumpCloud does, and the Mac FileVault Key Escrow service is a key feature of that stance. If you’re eager to see how a cloud directory service can drastically improve the security posture of your organization, feel free to reach out. Alternatively, you can check our Knowledge Base and YouTube channel for helpful hints, best practices, and informative whiteboard videos. For those who want to just get to work and manage users, sign up for a free account today. Our free account lets you manage up to 10 users for free, forever. No credit card required.

Ryan Squires

Ryan Squires is a content writer at JumpCloud, a company dedicated to connecting users to the IT resources they need securely and efficiently. He has a degree in Journalism and Media Communication from Colorado State University.
