This article outlines how to use the FileVault recovery key to unlock the encrypted macOS volume. This is helpful for resolving account lockouts on devices where FileVault is enabled.
Prerequisites
- The device must have a FileVault Policy applied. See Create a Mac FileVault 2 Policy to learn more.
Retrieving the Recovery Key
Active Device
To retrieve the recovery key from an active device:
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, use the login URL for your region. See JumpCloud Data Centers to learn which URL applies to you.
- Go to Device Management > Devices.
- Under Devices, select the device that you need the recovery key for.
- Click the Actions menu and select Recovery Key.
Deleted Device
To retrieve the recovery key from a deleted device:
We recommend saving the recovery key before removing or erasing a device from JumpCloud. However, you can retrieve the recovery key from a device that was deleted in the last 30 days using the Get System FDE Key API endpoint. You'll need your API key and the device's system_id. To get your API key, see Accessing Your API Key.
If you don't know the device's system_id, use Directory Insights and filter by the deletion time range. In the Admin Portal, go to INSIGHTS > Directory and set the Event Type to "system_delete". When the logs display, expand the entry and select the JSON tab for information about the deleted device.
Shell:
curl --request GET \
--url https://console.jumpcloud.com/api/v2/systems/{system_id}/fdekey \
--header 'x-api-key: REPLACE_KEY_VALUE'
PowerShell Module:
You'll need JumpCloud PowerShell Module installed on your device to run the following command. See Install the JumpCloud PowerShell Module to learn more.
Get-JcSdkSystemFdeKey -SystemId ENTER_SYSTEMID_HERE
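The following script wraps the API call above so it can be run safely from an admin workstation. It is an added example, not JumpCloud's own tooling. It assumes three things the article does not state: that a system_id is 24 lowercase hex characters, that the endpoint returns a JSON object with a "key" field, and that a FileVault personal recovery key is 24 uppercase letters or digits (optionally hyphenated in groups of four). The API key is read from the JC_API_KEY environment variable and handed to curl through --config on stdin, so it never appears in the process list or shell history, and the returned key is sanity-checked before it is printed.

```shell
#!/bin/sh
# Added example (not JumpCloud's code): fetch a deleted device's FileVault
# recovery key from the Get System FDE Key endpoint.
# Assumptions: system_id is 24 lowercase hex chars; the response body is
# {"key": "..."}; a recovery key is 24 chars of [A-Z0-9], possibly hyphenated.
set -eu

JC_API_BASE="${JC_API_BASE:-https://console.jumpcloud.com}"

# Reject anything that is not a 24-character lowercase hex id (assumed format),
# so a typo or a stray path fragment cannot be spliced into the request URL.
valid_system_id() {
  case "$1" in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 24 ]
}

# Build the FDE key endpoint URL for a validated system_id.
fde_key_url() {
  valid_system_id "$1" || { echo "invalid system_id: $1" >&2; return 1; }
  printf '%s/api/v2/systems/%s/fdekey' "$JC_API_BASE" "$1"
}

# Pull the "key" field out of the JSON response without requiring jq
# (assumed response shape).
extract_fde_key() {
  printf '%s' "$1" | sed -n 's/.*"key"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Sanity-check a recovery key: strip hyphens, require exactly 24 chars of
# [A-Z0-9] (assumed format). Catches a truncated or garbled value before an
# admin tries to type it at the FileVault window.
valid_recovery_key() {
  key=$(printf '%s' "$1" | tr -d '-')
  case "$key" in
    ""|*[!A-Z0-9]*) return 1 ;;
  esac
  [ "${#key}" -eq 24 ]
}

# Fetch and print the recovery key for one system_id.
# The API key comes from $JC_API_KEY and is passed via `curl --config -` on
# stdin, keeping it out of `ps` output and shell history.
get_fde_key() {
  url=$(fde_key_url "$1")
  body=$(curl --silent --show-error --fail --request GET "$url" --config - <<EOF
header = "x-api-key: ${JC_API_KEY:?set JC_API_KEY in the environment}"
header = "accept: application/json"
EOF
  )
  key=$(extract_fde_key "$body")
  valid_recovery_key "$key" || { echo "unexpected key format in response" >&2; return 1; }
  printf '%s\n' "$key"
}

# Usage: JC_API_KEY=... ./fdekey.sh <system_id>
if [ "${1:-}" ]; then
  get_fde_key "$1"
fi
```

Treat the printed key as a credential: store it in the same place you would keep the user's password (a password manager or vault), not in a ticket or chat message, and rotate it once the device is back in service.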
Decrypting the Disk with the Recovery Key
Next, enter the recovery key at the FileVault login window. This process differs depending on your OS version and architecture:
- For Intel Macs, jump to Decrypting the Disk on Intel Macs.
- For Apple Silicon Macs, jump to Decrypting the Disk on Apple Silicon Macs.
Network connectivity doesn't start until the disk has been decrypted. A hardwired connection may be required to connect to the internet after decrypting FileVault, as wireless connections aren't always supported at the login screen.
Decrypting the Disk on Intel Macs
- Power on the device from an off state.
- The FileVault window appears. Select the user.
- In the Enter Password field, select ? on the right-hand side.
- Click ...reset it using your Recovery Key. This will not reset your password.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The disk decrypts and network connectivity is restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
Decrypting the Disk on Apple Silicon Macs
See Resolve Lockouts on Apple Silicon Macs to learn more about this process on Apple Silicon.
- Power on the device from an off state.
- The FileVault window appears. Select the user.
- Press Option + Shift + Return simultaneously.
- Enter the recovery key. Hyphens are automatically applied.
- Press Enter.
- The disk decrypts and network connectivity is restored.
- Depending on the OS version, you'll see either a password prompt for the selected user or a list of all active users.
User Authentication
To authenticate the user:
- Wait for the JumpCloud Agent to check in. This happens in near real-time, but can take a few minutes.
- Enter the user's current JumpCloud password to log in.
- If the password has changed, you'll be prompted to enter the Old Password and Current Password to complete the sync.
- The user is logged in to their account.