This article outlines how to use the recovery key to decrypt the macOS partition. This is helpful with account lockouts when FileVault is enabled.
Prerequisites:
- The device must have a FileVault Policy applied. See Create a Mac FileVault 2 Policy to learn more.
This workflow is only supported on Intel-based Macs. Apple Silicon Macs don't support this recovery method. See Resolve Lockouts on Apple Silicon Macs to learn more.
Retrieving the Recovery Key
To retrieve the recovery key from an active device:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Under Devices, select the device that you need the recovery key for.
- Click the Actions menu and select Recovery Key.
To retrieve the recovery key from a deleted device:
We recommend saving the recovery key before removing a device from JumpCloud or erasing the device. However, you can still retrieve the recovery key for a device that was deleted within the last 90 days by calling the API endpoint Get System FDE Key with one of the commands below. You'll need your API key and the device's system_id. To get your API key, see Accessing Your API Key.
If you don't know the device's system_id, you can use Directory Insights and filter the time range to when the device was deleted. In the Admin Portal, go to INSIGHTS > Directory and set the Event Type to "system_delete". When the logs display, expand the appropriate entry and select the JSON tab to see the deleted device's details, including its system_id.
Shell:
curl --request GET \
--url https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey \
--header 'x-api-key: REPLACE_KEY_VALUE'
PowerShell:
$headers=@{}
$headers.Add("x-api-key", "REPLACE_KEY_VALUE")
$response = Invoke-RestMethod -Uri 'https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey' -Method GET -Headers $headers
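An added example, not JumpCloud's own code, that wraps the same GET request in Python, separates the failure cases an admin runs into (rejected API key, device outside the 90-day window) and normalises the returned key into the grouped form typed at the login screen. It assumes the endpoint returns JSON with a "key" field and reads the API key from a JUMPCLOUD_API_KEY environment variable.

```python
# Added example (not JumpCloud's own code): call the Get System FDE Key
# endpoint shown above, classify the HTTP result, and normalise the key
# into FileVault's XXXX-XXXX-XXXX-XXXX-XXXX-XXXX layout.
# Assumptions: the endpoint returns JSON with a "key" field, and the API
# key is supplied via the JUMPCLOUD_API_KEY environment variable.
import json
import os
import re
import urllib.error
import urllib.request

FDE_KEY_URL = "https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey"
KEY_RE = re.compile(r"^[A-Z0-9]{24}$")


def normalize_recovery_key(raw: str) -> str:
    """Strip spaces/hyphens, upper-case, require 24 alphanumerics, and
    return the key in groups of four (the form shown at the login screen)."""
    compact = re.sub(r"[\s-]", "", raw).upper()
    if not KEY_RE.match(compact):
        raise ValueError("not a 24-character FileVault recovery key")
    return "-".join(compact[i:i + 4] for i in range(0, 24, 4))


def parse_fde_response(status: int, body: bytes) -> str:
    """Map the HTTP result to a key or to a clear failure reason."""
    if status == 401:
        raise PermissionError("x-api-key rejected; check the API key")
    if status == 404:
        raise LookupError("no escrowed key: wrong system_id, or the device "
                          "was deleted more than 90 days ago")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    key = json.loads(body).get("key")  # assumed response shape
    if not key:
        raise LookupError("response contained no key")
    return normalize_recovery_key(key)


def fetch_fde_key(system_id: str, api_key: str, opener=urllib.request.urlopen) -> str:
    """Perform the GET; `opener` is injectable so the call can be exercised offline."""
    req = urllib.request.Request(FDE_KEY_URL.format(system_id=system_id),
                                 headers={"x-api-key": api_key}, method="GET")
    try:
        with opener(req) as resp:
            return parse_fde_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return parse_fde_response(e.code, e.read())


if __name__ == "__main__":
    import sys
    print(fetch_fde_key(sys.argv[1], os.environ["JUMPCLOUD_API_KEY"]))
```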
Decrypting the Disk with the Recovery Key
Network connectivity doesn't start until the disk has been decrypted. A hardwired network connection may be required to connect to the internet after decrypting FileVault, as Apple doesn't provide a way to connect to a wireless network at the login screen.
To decrypt the disk using the recovery key:
- Start the device.
- Select the user.
- In the Enter Password field, select ? on the right-hand side.
- Click ...reset it using your Recovery Key. This will not reset your password.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The hard disk will now decrypt and network connectivity will be restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
User Authentication
To authenticate the user:
- Wait for the JumpCloud Agent to check in. This happens in near real-time, but could take a few minutes.
- Enter the user's current JumpCloud password to log in.
- If the password has changed, you'll be prompted to enter the Old Password and Current Password to complete the sync.
- The user is logged into their account.