As part of Apple’s FileVault 2 encryption, Apple has provided for the use of recovery keys. These keys are a backup method to unlock FileVault 2’s encryption in the event that the usual method of logging in using a user’s account password is not available.
There are two main types of recovery keys available:
1. Personal recovery keys (PRK) – These are recovery keys that are automatically generated at the time of encryption. These keys are generated as an alphanumeric string and are unique to the machine being encrypted. In the event that an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key would be invalidated and a new personal recovery key would be created as part of the encryption process.
2. Institutional recovery keys (IRK) – These are pre-made recovery keys that can be installed on a system prior to encryption and most often used by a company, school or institution to have one common recovery key that can unlock their managed encrypted systems.
This recovery key model has continued to be used on Apple File System (APFS), starting with macOS High Sierra 10.13.0, with one important difference:
- You can encrypt an APFS boot drive using an IRK.
- You cannot unlock or decrypt an encrypted APFS boot drive using an IRK.
For more details, see below the jump.
The issue appears to be that a necessary function has not been added to the diskutil command line tool. For FileVault 2 on macOS Sierra and earlier, the command to unlock using an IRK is shown below:
diskutil cs unlockVolume -recoverykeychain /path/to/filename_goes_here.keychain
This command uses diskutil’s CoreStorage functions, which do not apply to Apple File System. Meanwhile, there is no equivalent command available among diskutil’s Apple File System functions. If there were, it should look something like this:
diskutil apfs unlockVolume -recoverykeychain /path/to/filename_goes_here.keychain
An encrypted volume must be unlocked before it can be decrypted, so without the ability to unlock using an IRK, you cannot decrypt using an IRK.
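As an added example (not part of the original post), the shell helper below parses diskutil info output to tell an APFS volume from a CoreStorage one and reports which recovery path applies: the CoreStorage IRK unlock command above, or a personal recovery key on APFS. The "Type (Bundle):" field, the treatment of any non-APFS volume as CoreStorage, and the sample output are assumptions; the sample is constructed so the parser runs without a Mac.

```shell
#!/bin/sh
# Added example, not from the original post. Decides whether an IRK-based
# unlock is possible for a volume by inspecting its filesystem type.
# Assumption: `diskutil info` prints a "Type (Bundle):" line that reads
# "apfs" for APFS volumes; anything else is treated here as CoreStorage.

# Extract the bundle type from diskutil info text read on stdin.
fs_bundle_type() {
  awk -F': *' '/^ *Type \(Bundle\):/ { print $2; exit }' | tr -d ' '
}

# Print the recovery plan for a bundle type ($1) and IRK keychain path ($2):
# the CoreStorage unlock command, or a note that APFS offers no IRK unlock.
irk_unlock_plan() {
  case "$1" in
    apfs)
      echo "IRK unlock unsupported on APFS; use the personal recovery key" ;;
    *)
      echo "diskutil cs unlockVolume -recoverykeychain $2" ;;
  esac
}

# Constructed sample resembling `diskutil info /` on an APFS boot volume.
SAMPLE_APFS='   Device Identifier:        disk1s1
   Device Node:              /dev/disk1s1
   Type (Bundle):            apfs
   Name (User Visible):      APFS'

# Run against the constructed sample (works on any POSIX system).
SAMPLE_TYPE=$(printf '%s\n' "$SAMPLE_APFS" | fs_bundle_type)
echo "sample volume type: $SAMPLE_TYPE"
irk_unlock_plan "$SAMPLE_TYPE" /path/to/filename_goes_here.keychain

# On a Mac, inspect the live boot volume (read-only query; nothing is unlocked).
if command -v diskutil >/dev/null 2>&1; then
  LIVE_TYPE=$(diskutil info / | fs_bundle_type)
  echo "boot volume type: $LIVE_TYPE"
  irk_unlock_plan "$LIVE_TYPE" /path/to/filename_goes_here.keychain
fi
```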
I’ve opened a ticket with Apple Enterprise support for this issue; hopefully a fix is available in a future OS update.