Recover a Password Using the FileVault Recovery Key

This article outlines how to use the recovery key to decrypt the macOS partition. This is helpful with account lockouts when FileVault is enabled.

Prerequisites

Retrieving the Recovery Key

Active Device

To retrieve the recovery key from an active device:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Under Devices, select the device that you need the recovery key for.
  4. Click the Actions menu and select Recovery Key.

Deleted Device

To retrieve the recovery key from a deleted device:

We recommend saving the recovery key before removing or erasing a device from JumpCloud. However, you can retrieve the recovery key from a device that was deleted in the last 90 days using the Get System FDE Key API endpoint. You'll need your API key and the device's system_id. To get your API key, see Accessing Your API Key.

Note:

If you don't know the device's system_id, use Directory Insights and filter by the deletion time range. In the Admin Portal, go to INSIGHTS > Directory and set the Event Type to “system_delete”. When the logs display, expand the entry and select the JSON tab for information about the deleted device.

Shell:

curl --request GET \
--url https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey \
--header 'x-api-key: REPLACE_KEY_VALUE'
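
The curl request above carries the API key on the command line, where it is recorded in shell history and visible in the process list. The wrapper below is an added example, not JumpCloud's own code: it sends the same request with the key read from an environment variable and handed to curl through a config on stdin. The JC_API_KEY variable, the function names and the 24-character hex check on system_id are assumptions.

```shell
#!/bin/sh
# Added example: request the FDE key without exposing the API key.
# JC_API_KEY and all function names here are assumptions, not JumpCloud names.

JC_FDE_BASE='https://console.jumpcloud.com/api/v2/systems'

# Accept only a 24-character hex system_id (assumed ID format) so that
# nothing else can be spliced into the request path.
valid_system_id() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 24 ]
}

# Emit a curl config for the request. Feeding it to `curl --config -`
# keeps the API key out of curl's arguments and out of shell history.
fde_curl_config() {
    valid_system_id "$1" || { echo "invalid system_id" >&2; return 2; }
    [ -n "${JC_API_KEY:-}" ] || { echo "JC_API_KEY is not set" >&2; return 3; }
    printf 'url = "%s/%s/fdekey"\n' "$JC_FDE_BASE" "$1"
    printf 'request = "GET"\n'
    printf 'header = "x-api-key: %s"\n' "$JC_API_KEY"
    printf 'fail\nsilent\nshow-error\n'
}

# Write the response (it contains the recovery key) to a file that only
# the current user can read.
# Usage: fetch_fde_key <system_id> <output_file>
fetch_fde_key() {
    cfg=$(fde_curl_config "$1") || return $?
    ( umask 077; printf '%s\n' "$cfg" | curl --config - > "$2" )
}
```

Delete the output file once the recovery key has been entered at the FileVault window.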

PowerShell Module:

You'll need JumpCloud PowerShell Module installed on your device to run the following command. See Install the JumpCloud PowerShell Module to learn more.

Get-JcSdkSystemFdeKey -SystemId ENTER_SYSTEMID_HERE

Decrypting the Disk with the Recovery Key

Next, enter the recovery key at the FileVault login window. This process differs depending on your OS version and architecture:

Note:

Network connectivity doesn't start until the disk has been decrypted. A hardwired connection may be required to connect to the internet after decrypting FileVault, as wireless connections aren't always supported at the login screen.

Decrypting the Disk on Intel Macs
  1. Power on the device from an off state.
  2. The FileVault window appears. Select the user. 
  3. In the Enter Password field, select ? on the right-hand side.
  4. Click ...reset it using your Recovery Key. This will not reset your password.
  5. Enter the recovery key. Hyphens are automatically applied.
  6. Press Enter.
    • The disk decrypts and network connectivity is restored.
    • Depending on the OS version, you'll be shown either a password prompt for the user or all active users.

Decrypting the Disk on Apple Silicon Macs

Tip:

See Resolve Lockouts on Apple Silicon Macs to learn more about this process on Apple Silicon.

  1. Power on the device from an off state.
  2. The FileVault window appears. Select the user. 
  3. Press Option Shift Return simultaneously.
  4. Enter the recovery key. Hyphens are automatically applied.
  5. Press Enter.
    • The disk decrypts and network connectivity is restored.
    • Depending on the OS version, you'll be shown either a password prompt for the user or all active users.

User Authentication

To authenticate the user:

  1. Wait for the JumpCloud Agent to check in. This happens in near real-time, but can take a few minutes.
  2. Enter the user's current JumpCloud password to log in.
    • If the password has changed, you'll be prompted to enter the Old Password and Current Password to complete the sync.
  3. The user is logged in to their account.