How to regenerate/change the recovery key when FileVault is already enabled and the recovery key is invalid or not available
Technical Articles ID:   KB82481
Last Modified:  10/22/2018

Environment

McAfee Management of Native Encryption (MNE) 3.0.x,  2.1.x, 2.0.x

Mac OS X Yosemite 10.10 and later
Mac OS X Mavericks 10.9.0 and later

For details of MNE supported environments, see KB79375.

Summary

With OS X Mavericks 10.9.x and later releases, Apple introduced a new feature that allows end users to change or regenerate the recovery key for FileVault on their system using their current password. A user can now regenerate a recovery key or change the existing recovery key to generate a new key by following the steps in the Solution section of this article. 

With the release of MNE 2.0.x, end users are able to import or escrow the recovery key to ePolicy Orchestrator (ePO) using the import key feature in the client user interface, available as Endpoint Protection for Mac.app under /Applications on OS X systems. 

In some cases, you might need to obtain a new recovery key for a FileVault encrypted system before escrowing it to ePO. For example:
  • If FileVault encryption has been enabled by a user prior to MNE being installed on the system and the user does not know the recovery key.
  • In cases where the existing recovery key has been changed or become invalid.
After regenerating the recovery key, the user can import the new recovery key into ePO using the MNE import key feature available on the OS X client.

MNE 2.1.0 and later
With the release of MNE 2.1.0, a new recovery key escrow process is available for Mavericks and Yosemite systems on which FileVault was enabled before MNE was installed. If the option Prompt user to create a new recovery key on already enabled systems is set in the FileVault Product Settings policy, users are prompted to enter their FileVault password. After the password is entered, the recovery key is automatically imported into the ePO database.

Solution

All MNE versions
To change or generate a new recovery key for FileVault on Mavericks/Yosemite:
  1. On the Mac client, open Terminal.app from the /Applications/Utilities folder.
  2. Run the following command:

    sudo fdesetup changerecovery -personal

    fdesetup will request a password for '/', or the recovery key.

  3. Enter a password or recovery key to generate/change the recovery key for FileVault. If the command is successful, the output will look like the following:

    sudo fdesetup changerecovery -personal
    Enter a password for '/', or the recovery key:
    New recovery key = 'AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6'

    NOTE: The existing recovery key must be valid for fdesetup to accept it when generating a new key. If your existing recovery key is invalid, generate the new key using your password instead.

  4. Copy the new recovery key (Example: AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6).
To import or escrow the new recovery key to ePO using MNE 2.0 and later:
  1. Copy or note the recovery key you received in the preceding steps.
  2. Open the McAfee Endpoint Protection for Mac.app application.
  3. Under Encryption, enter the FileVault recovery key in the Recovery Key input field.
  4. Click Apply to import the new recovery key for FileVault in ePO. MNE validates the recovery key before generating a new recovery key and escrowing it to ePO.

    NOTE: For security reasons, MNE 2.0 and later will change the FileVault key again and escrow the new recovery key to ePO.

MNE 2.1.0 and later
With this release, a new MNE CLI (Command-Line Interface) has been added that enables the import of the recovery key to the ePO database.
  1. On the Mac client, open Terminal.app from the /Applications/Utilities folder.
  2. Navigate to: /usr/local/mcafee/mne/bin/MNEMacTool
  3. Run the tool with sudo privileges, using either of the following options followed by the recovery key:

    --import-key
    -i

    Example:

    sudo /usr/local/mcafee/mne/bin/MNEMacTool --import-key AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6

    NOTE: After entering the command, the following message is displayed:

    The FileVault recovery key is imported to the McAfee ePO server successfully.
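The two procedures above (regenerating the key with fdesetup, then escrowing it with the MNE 2.1.0 CLI) can be chained in a small script. The following is an added example, not McAfee's code; it assumes the fdesetup output format and the MNEMacTool path and --import-key option shown in this article, and only the parsing and format check run offline.

```shell
#!/bin/sh
# Added example (not McAfee's code): rotate the FileVault personal recovery key with
# fdesetup and escrow the result to ePO with the MNE 2.1.0+ CLI, checking the key's
# shape in between so a truncated or mis-copied key is never handed to MNEMacTool.

# Constructed sample of fdesetup's output, using the article's example key.
SAMPLE_FDESETUP_OUTPUT="Enter a password for '/', or the recovery key:
New recovery key = 'AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6'"

# Pull the key out of the "New recovery key = '...'" line; prints nothing if absent.
extract_recovery_key() {
    printf '%s\n' "$1" | sed -n "s/.*New recovery key = '\([^']*\)'.*/\1/p" | head -n 1
}

# A personal recovery key is six hyphen-separated groups of four characters (A-Z, 0-9).
is_valid_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Full procedure. Requires macOS with MNE installed and prompts for the FileVault
# password or current recovery key; tee keeps the prompt visible while output is captured.
rotate_and_escrow() {
    out=$(sudo fdesetup changerecovery -personal | tee /dev/tty)
    key=$(extract_recovery_key "$out")
    if ! is_valid_recovery_key "$key"; then
        echo "fdesetup did not return a key in the expected format; nothing imported" >&2
        return 1
    fi
    # MNE re-keys FileVault once more after a successful import (see the NOTE in the
    # MNE 2.0 steps), so the key printed above is superseded when escrow completes.
    sudo /usr/local/mcafee/mne/bin/MNEMacTool --import-key "$key"
}

# Offline check of the parsing and validation path against the constructed sample.
demo() {
    key=$(extract_recovery_key "$SAMPLE_FDESETUP_OUTPUT")
    is_valid_recovery_key "$key" && printf 'parsed key: %s\n' "$key"
}
```

Run demo to exercise the parser without touching FileVault; rotate_and_escrow is the interactive step and needs an administrator session on the client.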
