FileVault, available in macOS 10.3 and newer versions, encrypts your entire disk to safeguard your data and prevent unauthorized access on your Mac.
Once enabled, you’ll need a Password or Recovery Key to access your device, ensuring your data remains secure and inaccessible without proper authentication. FileVault also automatically encrypts all new files, providing continuous protection.
Enabling FileVault is a useful configuration to protect your data in case your Mac is lost or damaged.
Step 1 - Create certificate for FileVault Recovery Key encryption #
To encrypt the Recovery Key, an encryption certificate must be created and uploaded to Applivery.
On a macOS computer (10.8+), open Terminal and execute the command:
openssl req -x509 -nodes -newkey rsa:2048 -keyout private.pem -out public.der -days 365 -outform der
This will generate a public key in .der format.
After creating the certificate, go to the Applivery Dashboard and navigate to Device Management > Assets (1), then navigate to the Certificates (2) section and click on (3).
A modal view will appear, allowing you to upload the newly created certificate by clicking on the (4) button and loading it from your drive.
Step 2 - Configure policy #
Now, it’s time to begin configuring your FileVault policy.
Let’s get started!
Step 2.1 - Recovery Key Escrow #
While still in Device Management section, select Policies (5). Choose the policy where you want to integrate FileVault.
From the left-hand menu, navigate to the + Add configuration (6) option and then type FileVault into the search bar (7).
In this initial step, we will configure FileVault Recovery Key Escrow (8), as it works by encrypting the Personal Recovery Key with a known signing certificate (in our case, the one generated in the previous step).
In the Encrypt Cert Payload UUID field, you will need to load the certificate that you previously uploaded in the Certificates section.
Give a short description of where the recovery key is stored in the Location field, so users know where to find it.
In the Device Key field, input a string (help text) for users who may have forgotten their password. Site admins can use this key to locate the escrowed key for the specific computer. This key supersedes the RecordNumber key used in the previous escrow mechanism. If the key is absent, the device serial number is used instead.
Step 2.2 - Enable or disable FileVault on your Mac #
You have the option to let your end-users activate or deactivate FileVault on their work-assigned devices.
Once more, from the menu on the left-hand side, go to the + Add configuration (9) section, enter FileVault into the search bar (10), and select FileVault Options (11).
Check the Don’t Allow FDE Disable box to prevent end-users from disabling FileVault encryption on the device.
Check as well the Don’t Allow FDE Enable box to prevent enabling FileVault.
Step 2.3 - FileVault configuration #
Lastly, you will need to set up FileVault.
Navigate to the + Add configuration option, type FileVault into the search bar, and select FileVault.
You will need to enable FileVault on Mac devices and tick the Defer field, which delays enabling FileVault until the user logs out. Also, make sure to check Show Recovery Key to display it.
Step 3 - What happens at the device end #
After saving and updating the policy on the terminal, the user will need to log out.
Upon the next login, the FileVault activation forms will appear. Once completed, send an Update status command, and you will then have the encrypted key available on the device under the FDE Personal Recovery Key CMS field.
Once the policy is applied, users will not be able to modify the FileVault settings under System Preferences > Security & Privacy > FileVault. The settings as configured in the policy will be enforced.
Applying another FileVault policy to an already encrypted device has no effect.
Step 4 - Retrieving the Recovery Key #
recovery.b64 containing the content from the dashboard in Security Info > FDE Personal Recovery Key CMS:
cat recovery.b64 | base64 -D > recovery.dat
And then execute the following command to decrypt the key:
openssl cms -decrypt -in recovery.dat -inform DER -inkey filevault_privateKey.pem
The FileVault Recovery Key cannot be retrieved if the device was encrypted prior to enrollment or before a FileVault policy was applied to it.
