This article outlines how to use the recovery key to decrypt the macOS partition. This is helpful with account lockouts when FileVault is enabled.
Prerequisites
- The device must have a FileVault Policy applied. See Create a Mac FileVault 2 Policy to learn more.
Retrieving the Recovery Key
Active Device
To retrieve the recovery key from an active device:
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Go to Device Management > Devices.
- Under Devices, select the device that you need the recovery key for.
- Click the Actions menu and select Recovery Key.
Deleted Device
To retrieve the recovery key from a deleted device:
We recommend saving the recovery key before removing or erasing a device from JumpCloud. However, you can still retrieve the recovery key from a device that was deleted within the last 30 days using the Get System FDE Key API endpoint. You'll need your API key and the device's system_id. To get your API key, see Accessing Your API Key.
If you don't know the device's system_id, use Directory Insights and filter by the deletion time range. In the Admin Portal, go to INSIGHTS > Directory and set the Event Type to "system_delete". When the log entries appear, expand the entry and select the JSON tab for information about the deleted device, including its system_id.
- Retrieve the FileVault recovery key using your system_id and API key (API Documentation). Replace the {system_id} and {API_KEY} placeholders with your own values:
curl -X GET https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey \
-H 'x-api-key: {API_KEY}'
- For MSPs, run this command with the x-org-id header and replace {org id} with the organization ID:
curl -X GET https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey \
--header 'x-org-id: {org id}' \
-H 'x-api-key: {API_KEY}'
- Alternatively, send the same request with double-quoted arguments on a single line, for shells such as the Windows command prompt that do not treat single quotes as quoting. Replace the {system_id} and {API_KEY} placeholders with your own values:
curl --location "https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey" --header "x-api-key: {API_KEY}"
- For MSPs, add the x-org-id header and replace {ORG_ID} with the organization ID:
curl --location "https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey" --header "x-org-id: {ORG_ID}" --header "x-api-key: {API_KEY}"
You'll need the JumpCloud PowerShell Module installed on your device to run the following commands. See Install the JumpCloud PowerShell Module to learn more.
- Retrieve the FileVault recovery key using your system_id and API key. Replace the {system_id} and {API_KEY} placeholders with your own values:
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("x-api-key", "{API_KEY}")
$response = Invoke-RestMethod 'https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey' -Method 'GET' -Headers $headers
$response | ConvertTo-Json
- For MSPs, include the x-org-id header and replace {ORG_ID} with the organization ID:
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("x-org-id", "{ORG_ID}")
$headers.Add("x-api-key", "{API_KEY}")
$response = Invoke-RestMethod 'https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey' -Method 'GET' -Headers $headers
$response | ConvertTo-Json
- See Configure JumpCloud API Endpoints in Postman to download and import the following API endpoint into Postman:
- Get System FDE Key - Retrieve the FileVault recovery key.
- Note: You will need to supply your API Key and the device's system_id.
- If you are an MSP, you will also need to supply the OrgID. Otherwise, this can be left blank in Postman.
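The same Get System FDE Key call made from Python, as an added example that is not JumpCloud's own code: it builds the request with the optional x-org-id header for MSPs, validates the inputs, and maps HTTP errors to messages that never echo the API key or the recovery key. Assumptions: system_ids are 24 hex characters, the response JSON holds the key in a "key" field, and 401/404 are the bad-key/no-key statuses; the transport is injectable and the sample key is constructed, so the block runs offline.

```python
"""Fetch a FileVault recovery key from the JumpCloud API v2 fdekey endpoint.
Added example, not JumpCloud's code. Assumed: 24-hex-char system_ids, a "key"
field in the JSON body, 401/404 for bad key / no key. Transport is injectable."""
import io
import json
import re
import urllib.request
from urllib.error import HTTPError

FDE_KEY_URL = "https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey"
SYSTEM_ID_RE = re.compile(r"^[0-9a-f]{24}$")  # assumed id format

def build_request(system_id, api_key, org_id=None):
    """Return (url, headers); x-org-id is sent only for MSP admins."""
    if not SYSTEM_ID_RE.match(system_id):
        raise ValueError("system_id must be a 24-character hex id")
    if not api_key:
        raise ValueError("API key is required")
    headers = {"x-api-key": api_key}
    if org_id:
        headers["x-org-id"] = org_id
    return FDE_KEY_URL.format(system_id=system_id), headers

def fetch_fde_key(system_id, api_key, org_id=None, opener=urllib.request.urlopen):
    """Return the recovery key; error messages never echo the API key."""
    url, headers = build_request(system_id, api_key, org_id)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener(req) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        if err.code == 401:
            raise RuntimeError("API key rejected: check key, region URL, x-org-id") from None
        if err.code == 404:
            raise RuntimeError("no key on file: unknown device or deleted >30 days ago") from None
        raise RuntimeError(f"unexpected HTTP status {err.code}") from None
    key = body.get("key")
    if not key:
        raise RuntimeError("response contained no recovery key")
    return key

def fake_opener(payload=None, status=None):
    """Constructed offline transport: returns payload as JSON or raises status."""
    def _open(req):
        if status:
            raise HTTPError(req.full_url, status, "error", {}, None)
        return io.BytesIO(json.dumps(payload).encode("utf-8"))
    return _open
```

For a live call, pass the real API key and omit the opener argument; store the returned key in your password manager rather than printing it to a shared terminal log.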
Decrypting the Disk with the Recovery Key
Next, enter the recovery key at the FileVault login window. The steps differ depending on your OS version and architecture:
- For Intel Macs, jump to Decrypting the Disk on Intel Macs.
- For Apple Silicon Macs, jump to Decrypting the Disk on Apple Silicon Macs.
Decrypting the Disk on Intel Macs
Network connectivity doesn't start until the disk has been decrypted. A hardwired connection may be required to connect to the internet after decrypting FileVault, as wireless connections aren't always supported at the login screen.
- Power on the device from an off state.
- The FileVault window appears. Select the user.
- In the Enter Password field, select ? on the right-hand side.
- Click ...reset it using your Recovery Key. This will not reset your password.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The disk decrypts and network connectivity is restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
Decrypting the Disk on Apple Silicon Macs
See Resolve Lockouts on Apple Silicon Macs to learn more about this process on Apple Silicon.
- Power on the device from an off state.
- The FileVault window appears. Select the user.
- Press Option + Shift + Return simultaneously.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The disk decrypts and network connectivity is restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
User Authentication
To authenticate the user:
- Wait for the JumpCloud Agent to check in. This happens in near real-time, but can take a few minutes.
- Enter the user's current JumpCloud password to log in.
- If the password has changed, you'll be prompted to enter the Old Password and Current Password to complete the sync.
- The user is logged in to their account.