How to regenerate the recovery key, when FileVault is already enabled and the recovery key is invalid or not available
Technical Articles ID:   KB82481
Last Modified:  7/9/2019


McAfee Management of Native Encryption (MNE) - all supported versions

Mac OS X Yosemite 10.10 and later
Mac OS X Mavericks 10.9.0 and later

For details of MNE supported environments, see KB79375.


OS X Mavericks 10.9.x and later releases:
  • Apple introduced a feature that lets users change or regenerate the FileVault recovery key on their system using their current password.
  • A user can regenerate the recovery key, or replace the existing recovery key with a newly generated one.

With MNE, users can import or escrow the recovery key to ePolicy Orchestrator (ePO) using the import key feature in the client user interface. The feature is available in Endpoint Protection for Mac.app, located under /Applications on OS X systems.

Sometimes, you might need to obtain a new recovery key for a FileVault encrypted system before escrowing it to ePO. For example:
  • The user enabled FileVault encryption before MNE was installed and does not know the recovery key.
  • The existing recovery key has been changed or has become invalid.
After regenerating the recovery key, the user can import the new recovery key into ePO using the MNE import key feature available on the OS X client.

MNE 2.1.0 and later
  • A new recovery key escrow process is available for the Mavericks and Yosemite operating systems. This feature applies when Mac OS X FileVault was enabled before MNE was installed.
  • After the option 'Prompt user to create a new recovery key on already enabled systems' is enabled in the FileVault Product Settings policy, users see the following:
    • Users are prompted to enter their FileVault password.
    • After the password is entered, the recovery key is automatically imported into the ePO database.


All MNE versions
To change or generate a new recovery key for FileVault on Mavericks/Yosemite:
  1. On the Mac client, open Terminal.app from the /Applications/Utilities folder.
  2. Run the following command:
    sudo fdesetup changerecovery -personal

    fdesetup requests a password for '/', or the recovery key. 
  3. To generate or change the recovery key for FileVault, enter a password or recovery key. If the command is successful, command output looks like the following: 

    sudo fdesetup changerecovery -personal
    Enter a password for '/', or the recovery key:
    New recovery key = 'AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6'

    NOTE: If you enter a recovery key, it must be a valid recovery key to generate a new key. If your existing recovery key is invalid, you can generate the key using your password.
  4. Copy the new recovery key (Example: AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6).
To import or escrow the new recovery key to ePO using MNE 2.0 and later:
  1. Copy the recovery key you received in the preceding steps.
  2. Open the McAfee Endpoint Protection for Mac.app application.
  3. Under Encryption, enter the FileVault recovery key in the Recovery Key input field.
  4. Click Apply to import the new recovery key for FileVault in ePO. MNE validates the recovery key before generating a new recovery key and escrowing it to ePO.

    NOTE: For security reasons, MNE changes the FileVault key again and escrows the new recovery key to ePO.


MNE 2.1.0 and later
With this release, a new MNE CLI (Command-Line Interface) has been added that enables the import of the recovery key to the ePO database:
  1. On the Mac client, open Terminal.app from the /Applications/Utilities folder.
  2. Navigate to: /usr/local/mcafee/mne/bin/MNEMacTool
  3. Use either of the following commands with sudo rights:
    --import-key

    sudo /usr/local/mcafee/mne/bin/MNEMacTool --import-key AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6

NOTE: The following message is displayed after entering the above command:

The FileVault recovery key is imported to the McAfee ePO server successfully.
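
The two command-line steps above (regenerate the key with fdesetup, import it with MNEMacTool) can be chained so the key is never copied by hand or retyped. The script below is an added example, not McAfee or Apple code; the function names, the key-format check (inferred from the sample key in this article) and the prompt behaviour noted in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not McAfee or Apple code). Function names are hypothetical.
# Assumption: a personal recovery key is six dash-separated groups of four
# characters from A-Z and 0-9, inferred from the sample key in this article.

MNE_TOOL=/usr/local/mcafee/mne/bin/MNEMacTool   # path given in the article

# Constructed sample: the fdesetup output shown in this article.
SAMPLE_OUTPUT="Enter a password for '/', or the recovery key:
New recovery key = 'AXFZ-RXPC-N4OP-5WPR-UUL8-GXH6'"

# Read fdesetup output on stdin and print the key from the
# "New recovery key = '...'" line; fail if that line is absent.
extract_recovery_key() {
    found=$(sed -n "s/^[[:space:]]*New recovery key = '\([^']*\)'.*$/\1/p" | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Succeed only if $1 is exactly one line in the assumed key format.
is_valid_recovery_key() {
    case $1 in *"
"*) return 1 ;; esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eqx '([A-Z0-9]{4}-){5}[A-Z0-9]{4}'
}

# Regenerate the key, check it, and escrow it to ePO without retyping it.
# Assumption: fdesetup's password prompt still reaches the terminal while
# its standard output is captured. Run this only on a real client.
rotate_and_escrow() {
    out=$(sudo fdesetup changerecovery -personal) || { echo "fdesetup failed" >&2; return 1; }
    key=$(printf '%s\n' "$out" | extract_recovery_key) || { echo "no key in output" >&2; return 1; }
    is_valid_recovery_key "$key" || { echo "unexpected key format" >&2; return 1; }
    # The key is passed as an argument, as in the article's command, so it is
    # visible in the process list while the tool runs.
    sudo "$MNE_TOOL" --import-key "$key"; rc=$?
    unset out key
    return "$rc"
}

# Offline check against the sample; the key itself is not printed.
demo_key=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_recovery_key) &&
    is_valid_recovery_key "$demo_key" && echo "sample output parsed, key format OK"
```

Source the file and call rotate_and_escrow on the Mac client; a failed format check stops the run before anything is sent to ePO.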
