You can make a difference in the Apple Support Community!
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
I was following this tutorial exactly to generate a FileVaultMaster key for encryption enrolled macOS devices in my company such that we can recover them if required.
https://support.apple.com/en-ca/HT202385#create
However, on the second step when trying to delete the private key it fails with this error:
An error occurred while deleting “FileVault Master Password Key.” UNIX[Operation not permitted]
iMac 27", macOS 10.14
I got a response back from Apple (after calling them) with a work around.
when you generate the keychain file you must place the file into your
<YOUR_USER_NAME>/Library/Keychains
folder.
You can access that folder by opening finder, clicking on the "Go" menu and holding down the option key on your mac keyboard. Then click on the "Library" menu item that appears.
Inside the "Library" folder you'll find the "Keychains" folder.
Drop your generated FileVault.keychain file into the "Keychains" folder and open it from there (using the Keychain Access app).
You should now be able to delete the private key on macOS Catalina without a permission issue.
They recommend testing this on a non-critical machine to see if the recovery key works before deploying to your whole company of course.
I got a response back from Apple (after calling them) with a work around.
when you generate the keychain file you must place the file into your
<YOUR_USER_NAME>/Library/Keychains
folder.
You can access that folder by opening finder, clicking on the "Go" menu and holding down the option key on your mac keyboard. Then click on the "Library" menu item that appears.
Inside the "Library" folder you'll find the "Keychains" folder.
Drop your generated FileVault.keychain file into the "Keychains" folder and open it from there (using the Keychain Access app).
You should now be able to delete the private key on macOS Catalina without a permission issue.
They recommend testing this on a non-critical machine to see if the recovery key works before deploying to your whole company of course.
Hello mac_nurse,
Thank you for reaching out to Apple Support Communities. I understand that you are getting an error message when trying to delete a private key. I'm happy to help you find some information.
Here is a resource that can assist you with troubleshooting:
Use safe mode to isolate issues with your Mac
If you are still having issues after reviewing the link, please let me know. Also, just to clarify, did you type the command into Terminal or cut and paste?
Have a great day!
I have the same issue. This process works on older MacOS versions, but Catalina does not allow deletion of the private key. That is beyond frustrating.
Can anyone from Apple's support chime in? This prevents me from doing my job. I need to get an institutional recovery key implemented company-wide.
Come on, Apple!
Okay, I was able to delete the key, @mac_nurse. It was a shot in the dark, but I wondered if it had to do with the System Integrity Protection. And it did. Not sure this applies to all keychains or just the ones named "FileVaultMaster"... Anyway, here is the procedure, for anyone who needs it.
Check whether System Integrity Protection is on:
csrutil status
If it is, you need to restart your machine in Recovery Mode (hold Command-R while rebooting)
Once in Recovery Mode, Open a Terminal and disable System Integrity Protection:
csrutil disable
reboot
After reboot, you should be able to delete the private key, as expected.
Once done, if desired, you can reenable System Integrity Protection by reverting the process from recovery mode:
csrutil enable
Hope this helps someone else.
I copied and pasted it from the article I mentioned.
Thanks, however this would not work in my case, as I already have a FileVaultMaster keychain under my own profile. I was able to do it as I mentioned in my post above ^^.
Cheers!
Deleting a private key from a FileVaultMaster.keychain results in an error