FileVault Recovery
You can help users recover FileVault-encrypted data if they cannot log in to their macOS computer.
You can help users recover their data or reset their password using a personal recovery key that is unique to the client computer. You can reset the password remotely.
If a user forgets the login password, the administrator can send the personal recovery key to the remote user so that they can log in.
The key is a string of letters and numbers separated by dashes.
The user locates the serial number of the locked device:
1. Find the serial number of the locked device. It is usually printed on the back of the device.
2. Give the serial number to the support representative.
The administrator gives a recovery key to the user:
1. Get the serial number of the locked device from the user.
2. Go to Asset Management > Organization > Computers.
3. From the top toolbar, click and select Remote Help & Recovery > Recovery > FileVault Recovery.
4. In the Computer's Serial Number field, enter the serial number.
5. Click Get Recovery Key.
6. Give the recovery key to the user.
The user resets their password:
1. Get the recovery key from the support representative.
2. Restart the macOS computer.
3. In the FileVault pre-boot screen (authentication before the operating system loads), click the ? button. A message shows: "If you forgot your password you can reset it using your Recovery Key."
4. Enter the recovery key and click the right arrow. A progress bar shows.
5. For local users: in the Reset Password window, enter a new password and, optionally, a password hint. Then click Reset Password.
For more information, see sk138352.
A personal key is unique to the client macOS-based computer or device. The key is a string of letters and numbers separated by dashes.
To recover a user's FileVault-encrypted macOS computer with the personal key, the administrator reads the key to the user, and the key is then used to unlock and decrypt the computer.
For a volume formatted as APFS on macOS Mojave 10.14 and higher:
1. Show the disk volumes on the macOS computer:
   diskutil apfs list
   The volume to recover is the OS volume. It has a name similar to disk2s1.
2. Unlock the volume:
   diskutil apfs unlockVolume <Disk Name> -passphrase <Personal Recovery Key>
3. Get the list of APFS crypto users:
   diskutil apfs listcryptousers <Disk Name>
   For example:
   diskutil apfs listcryptousers disk2s1
   For a local user, select the UUID of the user that has:
   Type: Local Open Directory User
4. Decrypt the volume:
   diskutil apfs decryptVolume <Disk Name> -user <User UUID>
5. Enter the password of the local user.
6. Monitor the progress of the decryption:
   diskutil apfs list
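The following POSIX shell snippet is an added example, not part of the original page or the product's own tooling: it shows how to pick the UUID for the decryptVolume step of the APFS procedure by parsing listcryptousers output. The sample output, its layout and the UUIDs are constructed, and the check refuses to return a UUID when the volume has zero or several Local Open Directory Users.

```shell
#!/bin/sh
# Constructed sample of "diskutil apfs listcryptousers disk2s1" output.
# The layout and UUIDs are example data, not captured from a real system.
SAMPLE_CRYPTOUSERS='Cryptographic users for disk2s1 (2 found)
|
+-- 6B0C4D6A-2B66-4E8F-9C1D-0A1B2C3D4E5F
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
'

# Read listcryptousers output on stdin and print the UUID of every
# crypto user whose "Type:" line equals $1, one per line.
crypto_user_uuids() {
    awk -v want="$1" '
        /^\+-- / { uuid = $2; next }      # "+-- <UUID>" starts a record
        /Type:/ {                          # the Type line of that record
            sub(/^.*Type:[ \t]*/, "")
            if ($0 == want) print uuid
        }'
}

# Print the one local user UUID to pass to
# "diskutil apfs decryptVolume <Disk Name> -user <User UUID>".
# Fails (exit 1) when zero or several local users are present, so a
# recovery user UUID is never handed to decryptVolume by mistake.
select_local_user() {
    uuids=$(crypto_user_uuids "Local Open Directory User")
    set -- $uuids                          # one positional arg per UUID
    if [ $# -ne 1 ]; then
        printf 'expected exactly one local user, found %d\n' "$#" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Stand-alone run on the sample. On a real system, pipe the live output
# instead:  diskutil apfs listcryptousers disk2s1 | select_local_user
printf '%s' "$SAMPLE_CRYPTOUSERS" | select_local_user
```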
For a volume formatted as CoreStorage on macOS 10.12 or higher:
1. Unlock the volume:
   diskutil cs unlockVolume <Logical Volume UUID> -passphrase <Personal Recovery Key>
2. The user interface shows a prompt to allow access. Enter the keychain password.
   The volume is now unlocked.
3. Start the decryption:
   diskutil cs decryptVolume <Logical Volume UUID>
4. When prompted, enter the password for the local user.
5. Monitor the progress of the decryption:
   diskutil cs list
The user can now reboot the macOS computer normally. They do not see the FileVault pre-boot screen.