One of the functions added to the fdesetup tool on 10.9 is removerecovery. This function removes the current recovery key(s) from a FileVault 2-encrypted Mac and can be used to remove the personal recovery key, the institutional recovery key, or both.
One interesting aspect of this is that the function can be used to remove all recovery keys from a FileVault 2-encrypted Mac running Mavericks. Once the recovery keys have been removed, only the passwords of FileVault 2-enabled accounts will unlock or decrypt the drive; if those credentials are lost, there is no longer any fallback for getting at the data. For more details, see below the jump.
Note: I do not advocate removing all recovery keys from your system. They’re designed as a fallback way to get into your machine in case of a problem.
To remove an existing personal recovery key, run the command below with root privileges:
fdesetup removerecovery -personal
You’ll be prompted for the password of an existing FileVault 2-enabled user or the existing personal recovery key. Once entered, the personal recovery key will be removed from the system.
To remove an existing institutional key, run the command below with root privileges:
fdesetup removerecovery -institutional
You’ll be prompted for the password of an existing FileVault 2-enabled user. You can also use an existing personal recovery key if applicable.
To double-check that the recovery keys have been removed, fdesetup has additional functions to tell you if a personal or institutional key is in use. To verify if the personal recovery key has been removed, run the command below with root privileges:
fdesetup haspersonalrecoverykey
If it returns false, the FileVault 2 encryption on this Mac does not currently have an associated personal recovery key.
To verify if the institutional recovery key has been removed, run the command below with root privileges:
fdesetup hasinstitutionalrecoverykey
If it returns false, the FileVault 2 encryption on this Mac does not currently have an associated institutional recovery key.
A FileVault 2-encrypted Mac without any associated recovery keys should return false to both commands.
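The removal and verification steps above, wrapped into one script. This is an added example and not part of the original post: it checks that FileVault is on and that at least one FileVault 2-enabled account exists (using fdesetup status and fdesetup list) before touching the keys, runs removerecovery for the requested key type, and then confirms with haspersonalrecoverykey / hasinstitutionalrecoverykey that the key is gone. It assumes the has*recoverykey commands print true or false on stdout as described above, that fdesetup status prints "FileVault is On." when encryption is enabled, and that fdesetup list prints one "username,UUID" line per enabled account. The FDESETUP variable and the function names are this example's own; FDESETUP can be pointed at a stub to exercise the logic off a Mac.

```shell
#!/bin/sh
# Remove FileVault 2 recovery keys with fdesetup (10.9+) and verify the result.
# Example script, not from the original post. Assumed fdesetup behaviour:
#   - haspersonalrecoverykey / hasinstitutionalrecoverykey print "true" or "false"
#   - status prints "FileVault is On." when the boot volume is encrypted
#   - list prints one "username,UUID" line per FileVault 2-enabled account
# Run with root privileges: sudo sh remove-recovery-keys.sh personal|institutional|all
set -u

# Path to fdesetup; override (e.g. with a stub) for testing on a non-Mac host.
FDESETUP=${FDESETUP:-/usr/bin/fdesetup}

# Normalise a has*recoverykey answer to "true" or "false"; anything else is "unknown".
key_answer() {
    case "$("$FDESETUP" "$1" 2>/dev/null | tr -d '[:space:]')" in
        true|True|TRUE)    echo true ;;
        false|False|FALSE) echo false ;;
        *)                 echo unknown ;;
    esac
}

# Summarise which recovery keys exist: none, personal, institutional, both or unknown.
recovery_key_state() {
    p=$(key_answer haspersonalrecoverykey)
    i=$(key_answer hasinstitutionalrecoverykey)
    case "$p/$i" in
        true/true)   echo both ;;
        true/false)  echo personal ;;
        false/true)  echo institutional ;;
        false/false) echo none ;;
        *)           echo unknown ;;
    esac
}

# Count FileVault 2-enabled accounts ("user,UUID" lines from fdesetup list).
enabled_user_count() {
    "$FDESETUP" list 2>/dev/null | grep -c ',' || true
}

# Remove one key type ($1 is "personal" or "institutional"). fdesetup prompts for an
# enabled user's password or the personal recovery key. Succeeds only if fdesetup
# afterwards reports that the key is gone.
remove_key() {
    "$FDESETUP" removerecovery "-$1" || return 1
    [ "$(key_answer "has${1}recoverykey")" = false ]
}

main() {
    "$FDESETUP" status | grep -q 'FileVault is On' || {
        echo "FileVault is not enabled on this Mac" >&2; exit 1; }
    n=$(enabled_user_count)
    if [ "$n" -eq 0 ]; then
        echo "refusing: no FileVault-enabled accounts; removing keys would leave no way in" >&2
        exit 1
    fi
    echo "FileVault-enabled accounts: $n; recovery keys before: $(recovery_key_state)"
    case "$1" in
        personal|institutional) remove_key "$1" ;;
        all) remove_key personal && remove_key institutional ;;
        *) echo "usage: $0 personal|institutional|all" >&2; exit 2 ;;
    esac
    echo "recovery keys after: $(recovery_key_state)"
}

# Only act when a target is given; with no argument the functions are merely defined.
if [ $# -gt 0 ]; then main "$1"; fi
```

The script keeps fdesetup's interactive prompt, so it is meant to be run by an administrator at the console. For unattended runs, check the fdesetup man page on your OS version for the -inputplist option, which lets the credentials be supplied from a plist on stdin instead.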
Another way to verify that all recovery keys have been removed is to look in the FileVault preference pane in System Preferences. If a personal recovery key is being used on a FileVault 2-encrypted Mac (either by itself, or in combination with the institutional key), the FileVault preference pane should display the following message:
A recovery key has been set.
If an institutional key is being used as the sole recovery key, the FileVault preference pane should display the following message:
A recovery key has been set by your company, school or institution.
If all recovery keys have been removed from the encrypted Mac, there should be no message displayed in the FileVault preference pane.