Accessing your encrypted disk using updated institutional recovery key
Apple FileVault 2 supports an Institutional Recovery Key (IRK) certificate in addition to the Personal Recovery Key. The Institutional Recovery Key is a single key that can be used to unlock any Mac computer in the company or a group. The Symantec Endpoint Encryption Management Server maintains a unique Personal Recovery Key for each client computer. However, administrators can also maintain an enterprise-wide key that your department can use to decrypt any computer when the administrators are in physical possession of that computer. Apple has an article on the creation and use of Institutional Recovery Keys. For more information, refer to the Apple user community and knowledge base.

The Institutional Recovery Key is an optional key that Symantec Endpoint Encryption for FileVault can upload to the Management Server. The public key of the Institutional Recovery Key certificate is included in the Symantec Endpoint Encryption for FileVault install-time policy. However, the help desk administrator maintains the private key of the Institutional Recovery Key certificate. When the help desk administrator cannot unlock a client computer using your Personal Recovery Key, you can take the computer to the administrator. The administrator unlocks the Mac computer using the private key of the Institutional Recovery Key.

When you install the Symantec Endpoint Encryption for FileVault client installation package with the Institutional Recovery Key included in the install-time policy, the Institutional Recovery Key is included in the FileVault setup.

Institutional Recovery Key rotation
When you install or upgrade to Symantec Endpoint Encryption for FileVault 11.3.0, and the administrator has included a new or updated Institutional Recovery Key in the install-time policy, this updated Institutional Recovery Key is used for recovery.

To access your encrypted disk using the updated institutional recovery key
- Install or upgrade to the Symantec Endpoint Encryption for FileVault client version 11.3.0, which has the updated institutional recovery key.
- Enter your credentials in the Update Recovery Key screen.
  If the administrator does not include a new or updated Institutional Recovery Key in the install-time policy, then you are not prompted with the Update Recovery Key screen. Your encrypted disk is unlocked using the old Institutional Recovery Key.
- Click Submit.
- Restart the computer in recovery mode and unlock the disk with the updated Institutional Recovery Key.