Can I set an institutional recovery key for Filevault2 after Filevault2 is enabled?

macos keychain filevault high-sierra

I have a macOS 10.13.4 device that is encrypting with Filevault2 right now. It needs to be taken by a user for travel at the end of the day.

I had meant to set an institutional recovery key for this device. The master keychain is already generated and in use on other devices. I've just read instructions for deploying the master keychain which indicate that I should have done this before I enabled Filevault2.

Does Filevault2 need to be disabled (decrypting the disk), then the master keychain deployed, then Filevault2 re-enabled (encrypting the disk)? This would take more time than is available to me, but I understand if that's the only option for deploying it.

Thank you.


Solution 1:

You will need to use fdesetup. If you have created FileVaultMaster.keychain with the institutional key and placed it in /Library/Keychains then fdesetup changerecovery -institutional -keychain will add an institutional key.

I recommend a close reading of the fdesetup man page.

Related

Tilting up magic keyboard for better ergonomics
Bad master directory block error (shutdown cause -60) and random restarts without other symptoms
Safari creates Zero bytes instead of actually downloading files
How do I create an encrypted APFS volume from the command-line?
Restore Terminal Tabs with Session History
Cannot ping localhost after migrating to new Mac
How do I create a permanent snapshot of a Time Machine backup
Serial number and sound unavailable after taking apart MacBook Air to clean it
Safari Reading List not syncing
Application opens twice when file specified
Should You Honor the Local Pronunciation [closed]
"To bury someone twice" [closed]