In my previous blog posts on FileVault, I talked about or showed how to use an institutional recovery key for FileVault encryption:
Enabling FileVault Encryption for Client Macs
Setting up deferred FileVault encryption
Using a FileVault institutional recovery key to unlock an encrypted disk
But in exploring FileVault further, I’ve found it’s much better to use personal recovery keys instead of a single institutional recovery key, and it’s not for the reason you might think.
IRK not necessarily less secure than PRK
Yes, from a security standpoint, you could make the case that an institutional recovery key creates a single breach point (someone obtains that one recovery key and thus can decrypt all your institution’s machines), but I don’t think this makes personal recovery keys more secure necessarily. First of all, the personal recovery key itself can unlock a machine, but the institutional recovery key is used in combination with a password to unlock the keychain. Secondly, most likely you’re storing your personal recovery keys all in one place—it may be a secure place, but it’s also a single breach point. If you somehow access that one storage location (database, spreadsheet, whatever you’re using to store the personal recovery keys), you have access to all the recovery keys for all the machines.
I suppose you could scatter the personal recovery keys in multiple storage locations. There is always an artistic (not scientific) balance between security and convenience, so that’s up to you how you decide to store things. The point, though, is that an IRK is not necessarily less secure than a PRK.
You could make the case that with something like Crypt2 you at least have an audit trail of when recovery keys were accessed, and you can generate new ones, so personal recovery keys do have one small distinct security advantage.
IRK is less useful than a PRK, though
As I was rolling out encryption to our fleet using an institutional recovery key, I started to realize through testing (fortunately not through an actual emergency) how limited in functionality the institutional recovery key is compared to the personal recovery key.
First of all, unless you are physically in front of the machine or using ARD to remote into a virtual session, you cannot enable another FileVault user without storing the password for it in plain text. If you try to do so via SSH and the command-line, you’ll be prompted for the password of an FV-enabled user or for the personal recovery key, so having the IRK doesn’t help there.
That’s not really the worst part. The worst part is that, as far as I can tell (based on Google searches, asking other Mac admins, and just trial and error), there is no way to reset a forgotten user password with just the institutional recovery key. You can unlock the encrypted volume and save the data, but you can’t just say “Reset this user’s password.” You can, as a horribly long workaround, decrypt the drive, log in as another admin user, reset the other user’s forgotten password, wait for the decryption to finish completely, and then re-encrypt. That can take a really long time.
But if you just use personal recovery keys, you can have the user try to log in three times, and she’ll be prompted to enter the recovery key to reset the forgotten password, and then be prompted to enter a new password. (You can also just hit the question mark next to the password field, which will take you there directly instead of having to fail a few times.)
Wesley Whetstone has created a neat little pkg that can generate/regenerate personal recovery keys: fde-rekey. Wesley Whetstone has since abandoned fde-rekey in favor of Crypt.
Once you’ve switched that over, you can also remove the institutional recovery key (yes, it’s possible to have both an IRK and a PRK). If you’re using Munki, I wrote a nopkg that will remove the IRK after fde-rekey is installed.
P.S. Another good reason not to use institutional recovery keys: Unlocking or decrypting using an institutional recovery key does not work with encrypted APFS boot drives on macOS High Sierra 10.13.0. It may work in 10.13.1, but that hasn’t been verified yet (as of this writing).
Leave a Reply