Can I set an institutional recovery key for FileVault 2 after FileVault 2 is enabled?

I have a macOS 10.13.4 device that is encrypting with FileVault 2 right now. It needs to be taken by a user for travel at the end of the day.

I had meant to set an institutional recovery key for this device. The master keychain is already generated and in use on other devices. I've just read instructions for deploying the master keychain which indicate that I should have done this before I enabled FileVault 2.

Does FileVault 2 need to be disabled (decrypting the disk), then the master keychain deployed, then FileVault 2 re-enabled (encrypting the disk)? This would take more time than is available to me, but I understand if that's the only option for deploying it.

Thank you.


Solution 1:

You will need to use fdesetup. If you have created FileVaultMaster.keychain with the institutional key and placed it in /Library/Keychains then fdesetup changerecovery -institutional -keychain will add an institutional key.

I recommend a close reading of the fdesetup man page.
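The procedure from the answer above, as an added example that is not part of the original question or answer: it checks that FileVaultMaster.keychain is in place before running the fdesetup command, runs it only when explicitly asked (so the script can be read and dry-run first), and then verifies that an institutional key is now registered. The environment variable RUN_FDESETUP and the function names are this example's own; the keychain path is the one the answer gives, and the verification command fdesetup hasinstitutionalrecoverykey and the security find-identity check are assumed from the macOS tools, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): add an institutional recovery key to a
# Mac that already has FileVault 2 turned on, using the command from the answer.
# Assumes: FileVaultMaster.keychain has been deployed to /Library/Keychains and
# contains only the public key; an admin credential is entered interactively when
# fdesetup prompts for it.

# Path the answer names; fdesetup -keychain looks for the keychain at this location.
KEYCHAIN=/Library/Keychains/FileVaultMaster.keychain

# Returns 0 if the given keychain file exists and is a regular file.
keychain_present() {
    [ -f "$1" ]
}

# Prints the exact command the answer gives, so it can be reviewed before running.
changerecovery_cmd() {
    printf '%s\n' "sudo fdesetup changerecovery -institutional -keychain"
}

# Caveat a practitioner wants: the deployed keychain must hold the public key only.
# security find-identity lists certificate+private key pairs; a deployed copy should
# report no valid identities (the private key stays offline with the institution).
warn_if_private_key() {
    if security find-identity -v "$1" 2>/dev/null | grep -q '^ *1)'; then
        echo "WARNING: $1 still contains a private key; deploy the public-key-only copy" >&2
        return 1
    fi
    return 0
}

# Runs the procedure end to end on a real Mac (only when RUN_FDESETUP=1).
add_institutional_key() {
    keychain_present "$KEYCHAIN" || { echo "missing $KEYCHAIN" >&2; return 1; }
    warn_if_private_key "$KEYCHAIN" || return 1
    echo "Current state:"; fdesetup status
    echo "Running: $(changerecovery_cmd)"
    sudo fdesetup changerecovery -institutional -keychain || return 1
    # Verify: prints true once an institutional key is registered.
    echo "Institutional key present: $(fdesetup hasinstitutionalrecoverykey)"
}

if [ "${RUN_FDESETUP:-0}" = 1 ]; then
    add_institutional_key
fi
```

Run it as RUN_FDESETUP=1 sh addikey.sh on the encrypted Mac; without that variable it only defines the functions, which is how the checks below exercise it. fdesetup prompts for an admin user and password; the final line should print "Institutional key present: true".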