
Create an Institutional Recovery Key for FileVault encryption


This recipe goes over the steps for creating an Institutional Recovery Key for use with FileVault encryption in FileWave. The end goal is a completed Fileset that you can deploy to your macOS clients.


  • FW Central
  • macOS machine to create the Institutional Recovery Key
  • macOS Test Machine


1) Open Terminal on your macOS machine

2) To make the rest of the steps a little easier, enter the command below in Terminal, followed by your admin password, to get a root shell for the rest of the commands.

sudo -s

3) Next, create the keychain file with the command below. You can create the file wherever you like; I will create it in "/usr/local/etc".

security create-filevaultmaster-keychain /usr/local/etc/FileVaultMaster.keychain

4) This is where you can make a copy of "FileVaultMaster.keychain" to back it up. We will copy it to "/Library/Keychains/" and use that copy for the rest of the steps.

cp /usr/local/etc/FileVaultMaster.keychain /Library/Keychains/FileVaultMaster.keychain

5) Then we will want to export the certificate from the keychain file. To do this we first need to unlock the keychain, which can be done with the command below.

security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

6) Next, we will need to open the file in Keychain Access. You can either double-click the keychain file in /Library/Keychains or open "Keychain Access" on your Mac.

7) After this you will need to find the keychain in Keychain Access and inspect its contents. You will see the "FileVault Master Password Key" and the "FileVault Recovery Key (ComputerName)".


8) The item you are looking for is the "FileVault Recovery Key (ComputerName)". Export it by selecting the "FileVault Recovery Key" and then choosing "File" → "Export Items" from the top menu. Save the file to any location on your machine that is easy to find.
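The command-line version of steps 2 through 8, as an added example that is not part of the FileWave article: it creates the FileVaultMaster keychain, locks down its permissions, makes the working copy, unlocks it, and exports only the recovery-key certificate. The keychain file holds the FileVault private key, so it is the part that stays off the clients; only the certificate goes into the profile. The two keychain paths are taken from the article; the export filename, the `run` argument and the `security export` flags used in place of the Keychain Access "Export Items" step are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the FileWave article): scripted steps 2-8 of the recipe
# with the checks a practitioner would want around the private-key keychain.
set -eu

SRC_KEYCHAIN="/usr/local/etc/FileVaultMaster.keychain"       # step 3 location (from the article)
WORK_KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"  # step 4 working copy (from the article)
EXPORT_CERT="${EXPORT_CERT:-$HOME/Desktop/FileVaultMaster.cer}"  # assumed export target

# security create-filevaultmaster-keychain needs root (the article's "sudo -s").
require_root() { [ "$(id -u)" -eq 0 ]; }

# The macOS security CLI must exist; on any other platform this script does nothing.
require_security_cli() { command -v security >/dev/null 2>&1; }

# Keychain paths must be absolute and end in .keychain; anything else is a typo.
valid_keychain_path() {
  case "$1" in
    /*.keychain) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 only when group and others have no permission bits (mode 600/400).
# The keychain protects the FileVault private key, so nobody else should read it.
private_perms_ok() {
  mode=$(ls -ld "$1" | cut -c5-10)   # the six group+other permission characters
  [ "$mode" = "------" ]
}

# A DER-encoded X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30;
# a PEM file would start with "-----BEGIN" instead. Used to sanity-check the export.
is_der_certificate() {
  [ -s "$1" ] && [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]
}

create_and_export() {
  require_root         || { echo "run this with sudo (step 2)" >&2; return 1; }
  require_security_cli || { echo "macOS 'security' CLI not found" >&2; return 1; }
  valid_keychain_path "$SRC_KEYCHAIN" || { echo "bad keychain path" >&2; return 1; }

  # Step 3: prompts for the master password; record it in your secret store, not here.
  security create-filevaultmaster-keychain "$SRC_KEYCHAIN"
  chmod 600 "$SRC_KEYCHAIN"
  private_perms_ok "$SRC_KEYCHAIN" || { echo "keychain permissions too open" >&2; return 1; }

  # Step 4: working copy for the remaining steps; the original is the backup.
  cp -p "$SRC_KEYCHAIN" "$WORK_KEYCHAIN"

  # Step 5: unlock the working copy (prompts for the master password again).
  security unlock-keychain "$WORK_KEYCHAIN"

  # Steps 6-8 without the GUI: export the certificate only (-t certs, never
  # identities or keys), DER encoded, which is what the Certificates payload takes.
  security export -k "$WORK_KEYCHAIN" -t certs -f x509 -o "$EXPORT_CERT"
  is_der_certificate "$EXPORT_CERT" || { echo "export is not a DER certificate" >&2; return 1; }
  echo "certificate for the FileWave profile: $EXPORT_CERT"
}

case "${1:-}" in
  run) create_and_export ;;
  *)   echo "usage: sudo bash $0 run" >&2 ;;
esac
```

Run it as `sudo bash irk-export.sh run` on the Mac where the key is generated. The exported .cer is the only artifact that should leave that machine; the two .keychain files contain the private half and belong in your offline key backup, not in the Fileset.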

9) We will then need to create the FileVault profile that you are able to deploy to your devices. 

10) Open the FileWave Admin and go to the Filesets tab → New Desktop Fileset → Profile.

11) Configure the General payload of the Profile. For this example I will use "FileVault Profile" as the name.

12) Then look for the Certificates payload on the left and select it. It should be the third one from the top. Press Configure. This is where you need to select the certificate we exported in step 8.

13) Once that is uploaded we will then need to configure the "Security & Privacy" payload. 

14) With the payload open, select the "FileVault (MacOS only)" tab and check the box for "Require FileVault".

15) This is where you then select "Use an Institutional recovery key" or "Use an institutional recovery key and create a personal FileVault recovery key".

16) Next, select the certificate you previously uploaded to the profile and select "Save" to close the profile.

17) You are now done and ready to associate the profile with your test device.