
How to use the HD recovery key

iMac 27", macOS 10.13

Posted on May 23, 2020 5:07 PM

Question marked as Best reply

Posted on May 23, 2020 5:17 PM in response to terry.hughes

Use the private key to unlock a user's startup disk

If a user forgot their account password and can't log in to their Mac, you can use the private recovery key to unlock their startup disk and access its FileVault-encrypted data.

  1. On the client Mac, start up from macOS Recovery by holding Command-R during startup.
  2. If you don't know the name (such as Macintosh HD) and format of the startup disk, open Disk Utility from the macOS Utilities window, then check the information Disk Utility shows for that volume on the right. If you see "CoreStorage Logical Volume Group" instead of "APFS Volume" or "Mac OS Extended," the format is Mac OS Extended. You will need this information in a later step. Quit Disk Utility when done.
  3. Connect the external drive that contains the private recovery key.
  4. From the menu bar in macOS Recovery, choose Utilities > Terminal.
  5. If you stored the private recovery key in an encrypted disk image, use the following command in Terminal to mount that image. Replace /path with the path to the disk image, including the .dmg filename extension:
     hdiutil attach /path
     Example for a disk image named PrivateKey.dmg on a volume named ThumbDrive:
     hdiutil attach /Volumes/ThumbDrive/PrivateKey.dmg
  6. Use the following command to unlock the FileVault master keychain. Replace /path with the path to FileVaultMaster.keychain on the external drive. In this step and all remaining steps, if the keychain is stored in an encrypted disk image, remember to include the name of that image in the path.
     security unlock-keychain /path
     Example for a volume named ThumbDrive:
     security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain
  7. Enter the master password to unlock the startup disk. If the password is accepted, the command prompt returns.

Continue as described below, based on how the user's startup disk is formatted.

APFS

If the startup disk is formatted for APFS, complete these additional steps:

  1. Enter the following command to unlock the encrypted startup disk. Replace "name" with the name of the startup volume, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:
     diskutil ap unlockVolume "name" -recoveryKeychain /path
     Example for a startup volume named Macintosh HD and a recovery-key volume named ThumbDrive:
     diskutil ap unlockVolume "Macintosh HD" -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
  2. Enter the master password to unlock the keychain and mount the startup disk.
  3. Use command-line tools such as ditto to back up the data on the disk, or quit Terminal and use Disk Utility.

Mac OS Extended (HFS Plus)

If the startup disk is formatted for Mac OS Extended, complete these additional steps:

  1. Enter this command to get a list of drives and CoreStorage volumes:
     diskutil cs list
  2. Select the UUID that appears after "Logical Volume," then copy it for use in a later step.
     Example: +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
  3. Use the following command to unlock the encrypted startup disk. Replace UUID with the UUID you copied in the previous step, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:
     diskutil cs unlockVolume UUID -recoveryKeychain /path
     Example for a recovery-key volume named ThumbDrive:
     diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
  4. Enter the master password to unlock the keychain and mount the startup disk.
  5. Use command-line tools such as ditto to back up the data on the disk. Or quit Terminal and use Disk Utility. Or use the following command to decrypt the unlocked disk and start up from it:
     diskutil cs decryptVolume UUID -recoveryKeychain /path
     Example for a recovery-key volume named ThumbDrive:
     diskutil cs decryptVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
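
Added example, not part of the reply above and not Apple's own tooling: a small POSIX shell script that scripts the Mac OS Extended (CoreStorage) branch and assembles the APFS command from the same procedure. Instead of reading the Logical Volume UUID off the screen, it extracts it from the output of `diskutil cs list`, and it refuses to proceed unless exactly one Logical Volume is present (zero when the disk is not CoreStorage at all, more than one with a Fusion Drive plus an external CoreStorage disk), because passing the wrong UUID (or the Logical Volume Group or Family UUID, which also follow the words "Logical Volume") just fails. The sample listing, volume names, UUIDs and keychain path are constructed for illustration; the listing mirrors the shape of `diskutil cs list` output but is abridged. Two caveats the reply does not spell out: the keychain on the thumb drive must be the administrator's copy that still contains the private key (the FileVaultMaster.keychain deployed to client Macs in /Library/Keychains carries only the certificate and unlocks nothing), and the master password should be typed at the prompt rather than passed on the command line with `security unlock-keychain -p`, which leaves it in the shell history.

```shell
#!/bin/sh
# Added example, not from the post above or from Apple: scripts the
# Mac OS Extended (CoreStorage) branch and assembles the APFS command.
# Instead of copying the Logical Volume UUID off the screen it is extracted
# from `diskutil cs list` output, and the script refuses to guess when
# there is not exactly one Logical Volume. Names, UUIDs and paths are
# made up for illustration.

# Constructed, abridged sample of `diskutil cs list` output. Three different
# objects carry the words "Logical Volume": the Group, the Family and the
# Logical Volume itself. Only the last UUID is valid for unlockVolume.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 9B3D2C41-7A55-4E1D-8C0F-2A6B1E9F0D33
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 5E6F7A8B-1C2D-4E3F-9A0B-1C2D3E4F5A6B
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        |
        +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS'

UUID_RE='[0-9A-F]\{8\}-[0-9A-F]\{4\}-[0-9A-F]\{4\}-[0-9A-F]\{4\}-[0-9A-F]\{12\}'

# stdin: `diskutil cs list` output. stdout: one UUID per Logical Volume.
# Anchoring the UUID to end of line keeps "Logical Volume Group <uuid>" and
# "Logical Volume Family <uuid>" from matching.
cs_lv_uuids() {
    sed -n "s/^.*Logical Volume \($UUID_RE\)[[:space:]]*\$/\1/p"
}

# stdin: `diskutil cs list` output. Prints the single Logical Volume UUID,
# or fails so the operator picks the right UUID by hand.
cs_single_lv_uuid() {
    uuids=$(cs_lv_uuids)
    count=$(printf '%s\n' "$uuids" | grep -c '^[0-9A-F]' || true)
    if [ "$count" -ne 1 ]; then
        echo "found $count Logical Volume(s), expected exactly 1; choose the UUID manually" >&2
        return 1
    fi
    printf '%s\n' "$uuids"
}

# Command for the HFS+ branch. $1 = path to FileVaultMaster.keychain; this
# must be the administrator's copy that still holds the private key.
cs_unlock_cmd() {
    uuid=$(cs_single_lv_uuid) || return 1
    printf 'diskutil cs unlockVolume %s -recoveryKeychain "%s"\n' "$uuid" "$1"
}

# Command for the APFS branch: $1 = volume name, $2 = keychain path.
apfs_unlock_cmd() {
    printf 'diskutil ap unlockVolume "%s" -recoveryKeychain "%s"\n' "$1" "$2"
}

KEYCHAIN=${2:-/Volumes/ThumbDrive/FileVaultMaster.keychain}
if [ "${1:-}" = "--live" ]; then
    # In macOS Recovery, after `security unlock-keychain "$KEYCHAIN"`, run:
    #   sh unlock.sh --live /Volumes/ThumbDrive/FileVaultMaster.keychain
    uuid=$(diskutil cs list | cs_single_lv_uuid) || exit 1
    # diskutil prompts for the master password itself.
    diskutil cs unlockVolume "$uuid" -recoveryKeychain "$KEYCHAIN"
else
    # Dry run on the constructed sample: print the commands, execute nothing.
    printf '%s\n' "$SAMPLE_CS_LIST" | cs_unlock_cmd "$KEYCHAIN"
    apfs_unlock_cmd "Macintosh HD" "$KEYCHAIN"
fi
```

Run without arguments it only prints the two commands it would issue for the sample; `--live <keychain>` runs the CoreStorage unlock for real and is meant to be executed from the Terminal in macOS Recovery after the keychain has been unlocked. The APFS branch stays a printed command because the volume is addressed by name, which the script cannot safely infer.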

