This article outlines how to use the escrowed FileVault recovery key to unlock (decrypt) the macOS startup disk. This is helpful when a user is locked out of a Mac that has FileVault enabled.
Prerequisites
- The device must have a FileVault Policy applied. See Create a Mac FileVault 2 Policy to learn more.
Retrieving the Recovery Key
Active Device
To retrieve the recovery key from an active device:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices.
- Under Devices, select the device that you need the recovery key for.
- Click the Actions menu and select Recovery Key.
Deleted Device
To retrieve the recovery key from a deleted device:
We recommend saving the recovery key before removing or erasing a device from JumpCloud. However, you can retrieve the recovery key from a device that was deleted in the last 90 days using the Get System FDE Key API endpoint. You'll need your API key and the device's system_id. To get your API key, see Accessing Your API Key. Treat both values as secrets: the recovery key alone is enough to unlock the disk, and the API key grants the same access to every other escrowed key in your organization.
If you don't know the device's system_id, use Directory Insights and filter by the deletion time range. In the Admin Portal, go to INSIGHTS > Directory and set the Event Type to "system_delete". When the logs display, expand the entry and select the JSON tab for information about the deleted device, including its system_id.
Shell:
curl --request GET \
--url https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey \
--header 'x-api-key: REPLACE_KEY_VALUE'
PowerShell Module:
You'll need JumpCloud PowerShell Module installed on your device to run the following command. See Install the JumpCloud PowerShell Module to learn more.
Get-JcSdkSystemFdeKey -SystemId ENTER_SYSTEMID_HERE
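The following script is an added example, not JumpCloud's own code, that wraps the Get System FDE Key call shown above in the Shell and PowerShell snippets. It reads the API key from an environment variable named JUMPCLOUD_API_KEY (a name chosen for this example) so the key never lands in argv or shell history, validates the system_id before interpolating it into the URL path, turns 404 into a clear "no key escrowed or deleted more than 90 days ago" message, and re-groups the returned key as XXXX-XXXX-XXXX-XXXX-XXXX-XXXX, the hyphenated form the FileVault login window expects. The response field name "key" and the 24-hex-character shape of a system_id are assumptions; check both against your tenant's actual response before relying on them.

```python
"""Added example (not JumpCloud's code): fetch and sanity-check an escrowed
FileVault recovery key via GET /api/v2/systems/{system_id}/fdekey."""
import json
import os
import re
import sys
import urllib.error
import urllib.request

API_BASE = "https://console.jumpcloud.com/api/v2"  # same host/path as the curl example
# A FileVault personal recovery key is 24 letters/digits, displayed as 6 groups of 4.
KEY_RE = re.compile(r"[A-Z0-9]{24}")


class FdeKeyError(Exception):
    """Raised when no usable recovery key can be obtained."""


def build_fde_key_request(system_id, api_key):
    """Build the GET request with the x-api-key header, as in the curl example."""
    # Assumption: JumpCloud object ids are 24 hex characters. Validating before
    # building the path keeps a value copied from a log from altering the URL.
    if not re.fullmatch(r"[0-9a-f]{24}", system_id):
        raise ValueError("system_id does not look like a JumpCloud object id")
    return urllib.request.Request(
        f"{API_BASE}/systems/{system_id}/fdekey",
        headers={"x-api-key": api_key, "Accept": "application/json"},
        method="GET",
    )


def normalize_recovery_key(raw):
    """Strip hyphens/whitespace, upper-case, and re-group as XXXX-XXXX-... (6 groups)."""
    compact = re.sub(r"[\s-]", "", raw).upper()
    if not KEY_RE.fullmatch(compact):
        raise FdeKeyError("recovery key is not 24 alphanumeric characters")
    return "-".join(compact[i:i + 4] for i in range(0, 24, 4))


def parse_fde_key_response(status, body):
    """Map an HTTP status plus JSON body to a normalized key or a clear error.
    Assumption: the key is carried in a top-level "key" field."""
    if status == 404:
        raise FdeKeyError("no key for this system_id: never escrowed, or deleted more than 90 days ago")
    if status in (401, 403):
        raise FdeKeyError("API key rejected; check the x-api-key value and the admin's role")
    if status != 200:
        raise FdeKeyError(f"unexpected HTTP status {status}")
    try:
        data = json.loads(body)
    except ValueError:
        raise FdeKeyError("response body is not JSON") from None
    key = data.get("key") if isinstance(data, dict) else None
    if not key:
        raise FdeKeyError("200 OK but no 'key' field in the body")
    return normalize_recovery_key(key)


def fetch_fde_key(system_id, api_key=None, timeout=15):
    """Fetch and normalize the escrowed key. The API key comes from the
    JUMPCLOUD_API_KEY environment variable (hypothetical name) unless passed in."""
    api_key = api_key or os.environ.get("JUMPCLOUD_API_KEY")
    if not api_key:
        raise FdeKeyError("set JUMPCLOUD_API_KEY in the environment")
    req = build_fde_key_request(system_id, api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_fde_key_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # Non-2xx responses arrive as exceptions; route them through the same parser.
        return parse_fde_key_response(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: get_fde_key.py <system_id>")
    try:
        print(fetch_fde_key(sys.argv[1]))  # printed once; clear the terminal afterwards
    except FdeKeyError as exc:
        sys.exit(f"error: {exc}")
```

Run it as `JUMPCLOUD_API_KEY=... python3 get_fde_key.py <system_id>`. The key is printed exactly once and nowhere else; if you script this for many devices, write the output to an access-controlled file rather than a shared log.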
Decrypting the Disk with the Recovery Key
Next, enter the recovery key at the FileVault login window. This process differs depending on your OS version and architecture:
- For Intel Macs, jump to Decrypting the Disk on Intel Macs.
- For Apple Silicon Macs, jump to Decrypting the Disk on Apple Silicon Macs.
Network connectivity doesn't start until the disk has been decrypted. A hardwired connection may be required to connect to the internet after decrypting FileVault, as wireless connections aren't always supported at the login screen.
Decrypting the Disk on Intel Macs
- Power on the device from an off state.
- The FileVault window appears. Select the user.
- In the Enter Password field, select ? on the right-hand side.
- Click "...reset it using your Recovery Key." Despite the wording, this does not reset the user's password; it only switches the field to recovery key entry.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The disk decrypts and network connectivity is restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
Decrypting the Disk on Apple Silicon Macs
See Resolve Lockouts on Apple Silicon Macs to learn more about this process on Apple Silicon.
- Power on the device from an off state.
- The FileVault window appears. Select the user.
- Press Option + Shift + Return simultaneously.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The disk decrypts and network connectivity is restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
User Authentication
To authenticate the user:
- Wait for the JumpCloud Agent to check in. This happens in near real-time, but can take a few minutes.
- Enter the user's current JumpCloud password to log in.
- If the password has changed, you'll be prompted to enter the Old Password and Current Password to complete the sync.
- The user is logged in to their account.