Filevault: "A recovery key has been set by your company, school, or institution."

On my 13" MacBook Pro I've always received the above message.


I used Migration Assistant to move the data from the 6 year old 13" MBP to a brand new 14" M1 MBP and get the same message:


But this computer has never been near work or out of my hands!!!


Not a huge deal since hopefully I'll always remember my password, but I'm very curious why this message appears.


Does anyone have an idea???


Many thanks!

MacBook Pro 13″, macOS 12.0

Posted on Dec 18, 2021 7:43 AM

Question marked as Top-ranking reply

Posted on Jan 28, 2022 2:19 PM

A solution!


First, please remember that I have no real computer knowledge, so caveat emptor; please backup, backup, and backup before trying stuff!


  1. Disable/remove FileVault protection on your hard drive.
  2. Go into /Library/Keychains (not user's ~/Library/Keychains, and not /System/Library/Keychains)
  3. Trash the files FileVaultMaster.cer and FileVaultMaster.keychain
  4. Restart the computer and log in
  5. Enable FileVault


Voila- this gave me a real recovery key (not institutional); hurrah!!!


7 replies
Dec 26, 2021 3:47 PM in response to PRP_53

Does anyone know how to escalate to an Apple Engineer? Basically, I bought a brand new M1 and am now stuck, after almost 40 hours of troubleshooting that didn't work, with a brand new MBP where one has to log into one account, then switch to the main account, to get any work done :( :( :(


Can I somehow get normal behaviour where FileVault is enabled but I can log directly into my main user account?


If it helps, here are the results of today's efforts. Apologies if some of this seems nonsensical, but I'm not a computer guy, just someone who uses a computer to get non-computer work done, so tried all sorts of stuff I found online.


Presumably the new computer was "polluted" by the old computer during the migration. The old computer was bought straight from Apple by mail. So the only 3 possibilities I can think of for an enabled institutional key are:

1) Nefarious actor in Apple supply chain who did this at the factory.

2) Nefarious actor who broke into a hotel room while I was out of the room on a business trip and figured how to install an institutional recovery key (unlikely since I am a very low value target!)

3) Bug where during a system crash or whatever at some point in the 6 years I had the old computer something "glitched" and set an institutional recovery key by some random pathway.


I was very excited by finding this command in fdesetup. It seemed to work. But when I turned FileVault back on the same problem reoccurred:


NewMBPM1:~ Long-T01_UID$ sudo fdesetup hasinstitutionalrecoverykey

true


NewMBPM1:~ Long-T01_UID$ sudo fdesetup removerecovery -institutional

Password:

Enter the user name:S01_UID

Enter the password for user 'S01_UID':


NewMBPM1:~ Long-T01_UID$ sudo fdesetup hasinstitutionalrecoverykey

false


Any and all ideas most welcome!!!
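
A read-only check for the two conditions this thread discusses, added here as an example and not posted by any participant: whether `FileVaultMaster.cer` or `FileVaultMaster.keychain` exist in `/Library/Keychains`, and what `fdesetup hasinstitutionalrecoverykey` reports. It separates the case from the Dec 26 post, where `fdesetup` answers `false`, from the case where the files named in the top-ranking reply are still on disk. The function names and verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: read-only audit; nothing is deleted or changed.

# List the institutional-key files named in the thread, if present.
# $1 = directory to inspect (defaults to /Library/Keychains).
find_irk_files() {
    dir="${1:-/Library/Keychains}"
    for name in FileVaultMaster.cer FileVaultMaster.keychain; do
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
}

# Map the output of `fdesetup hasinstitutionalrecoverykey` to a state.
irk_state() {
    case "$1" in
        true)  echo enrolled ;;
        false) echo absent ;;
        *)     echo unknown ;;   # no fdesetup, not root, or other output
    esac
}

# Combine both observations into one verdict (labels are this example's own).
#   $1 = output of find_irk_files, $2 = output of irk_state
irk_verdict() {
    if [ -n "$1" ]; then
        echo files-present       # files from the top-ranking reply are on disk
    elif [ "$2" = enrolled ]; then
        echo key-enrolled        # no files, but FileVault reports the key
    elif [ "$2" = absent ]; then
        echo clean
    else
        echo unknown
    fi
}

# Run the audit against the live system; call as root on the Mac.
audit_filevault_irk() {
    files=$(find_irk_files "${1:-/Library/Keychains}")
    raw=""
    if command -v fdesetup >/dev/null 2>&1; then
        raw=$(fdesetup hasinstitutionalrecoverykey 2>/dev/null) || raw=""
    fi
    state=$(irk_state "$raw")
    if [ -n "$files" ]; then printf '%s\n' "$files"; fi
    printf 'fdesetup: %s\nverdict: %s\n' "$state" "$(irk_verdict "$files" "$state")"
}
```

Source the file and run `audit_filevault_irk` as root, both before turning FileVault off and again before turning it back on.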

