Turning on FileVault using the fdesetup command line tool may not include displaying the personal recovery key on macOS Tahoe
I recently did some FileVault testing using the fdesetup command line tool on macOS Tahoe and noticed something was missing when I did so. On prior versions of macOS, when you ran the fdesetup enable command, it would prompt you for the username and password of the user account you wanted to enable for FileVault and then it would show you the personal recovery key which was created as part of turning on FileVault. Here’s how this process appears on macOS Sequoia:
```
username@Z7M1XGLX3L ~ % sudo fdesetup enable
Password:
Enter the user name:username
Enter the password for user 'username':
Recovery key = 'YBC9-AQEF-WPME-WWRW-VHXO-WB3Y'
username@Z7M1XGLX3L ~ %
```
One thing that’s very important to know is that the personal recovery key information is not saved anywhere. You will need to make a record of it when it’s displayed or you will not have it later.
On macOS Tahoe, this recovery key information is not displayed when the same command is run:
```
username@Z44QF45X37 ~ % sudo fdesetup enable
Password:
Enter the user name:username
Enter the password for user 'username':
username@Z44QF45X37 ~ %
```
However, the recovery key is created. You can verify this by running the following command and checking that there is an entry for Personal Recovery User:
```
diskutil apfs listcryptoUsers /
```
Here’s what the Terminal output looks like when you turn on FileVault using the fdesetup command line tool and then use the diskutil command line tool to check and see if there is a Personal Recovery User entry:
```
username@Z44QF45X37 ~ % sudo fdesetup enable
Password:
Enter the user name:username
Enter the password for user 'username':
username@Z44QF45X37 ~ % diskutil apfs listcryptoUsers /
Cryptographic users for disk3s1s1 (3 found)
|
+-- DA145BD0-81C7-41AA-9676-794E0A14B63D
|   Type: Local Open Directory User
|   Volume Owner: Yes
|
+-- 2457711A-523C-4604-B75A-F48A571D5036
|   Type: MDM Bootstrap Token External Key
|   Volume Owner: Yes
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User
    Volume Owner: Yes
username@Z44QF45X37 ~ %
```
How to fix this? Fortunately, the fdesetup command line tool's enable option can output relevant information in plist format as part of turning on FileVault. This information includes the personal recovery key.
For example, running the following command will turn on FileVault using the fdesetup command line tool and write a plist file which includes the recovery key to standard output:
```
fdesetup enable -outputplist
```
Here’s what the Terminal output looks like when you turn on FileVault using the fdesetup command line tool and include the option of exporting to plist format:
```
username@Z44QF45X37 ~ % sudo fdesetup enable -outputplist
Password:
Enter the user name:username
Enter the password for user 'username':
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnabledDate</key>
    <string>2026-05-07 17:06:50 -0400</string>
    <key>EnabledUser</key>
    <string>username</string>
    <key>HardwareUUID</key>
    <string>A30EEDA9-CA8C-5F89-B6B0-E4D2C0201D6F</string>
    <key>RecoveryKey</key>
    <string>6NT6-TLMX-5UB9-9VAL-AMLA-EAE2</string>
    <key>SerialNumber</key>
    <string>Z44QF45X37</string>
</dict>
</plist>
username@Z44QF45X37 ~ %
```
The plist output includes the following lines for the recovery key:
```
<key>RecoveryKey</key>
<string>6NT6-TLMX-5UB9-9VAL-AMLA-EAE2</string>
```
In order to save the recovery key and other information stored in the plist to a file, you can run the following command:
```
fdesetup enable -outputplist > /path/to/filename_goes_here.plist
```
Here’s what the Terminal output looks like when you turn on FileVault using the fdesetup command line tool and include the option of exporting to a file named recoverykey.plist which is stored in the /Users/Shared directory:
```
username@Z44QF45X37 ~ % sudo fdesetup enable -outputplist > /Users/Shared/recoverykey.plist
Password:
Enter the user name:username
Enter the password for user 'username':
username@Z44QF45X37 ~ %
```
The recovery key information will not be shown in standard output, but the recovery key will be included in the contents of the /Users/Shared/recoverykey.plist file:
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnabledDate</key>
    <string>2026-05-07 17:13:13 -0400</string>
    <key>EnabledUser</key>
    <string>username</string>
    <key>HardwareUUID</key>
    <string>A30EEDA9-CA8C-5F89-B6B0-E4D2C0201D6F</string>
    <key>RecoveryKey</key>
    <string>YR4D-R6RV-YJNC-AABZ-8XH5-PDEF</string>
    <key>SerialNumber</key>
    <string>Z44QF45X37</string>
</dict>
</plist>
```
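Because the key is not saved anywhere else and /Users/Shared is a shared directory, the shell functions below (an added example, not part of the original post) write the `-outputplist` output to a new file that only its owner can read, then extract the key and check its format. The function names, the sample plist and the destination path are assumptions made for illustration.

```shell
# Added example, not from the original post. Function names, the sample
# plist and the destination path are illustrative assumptions.

# Print the RecoveryKey value from a file holding fdesetup's plist output.
# Relies on the one-element-per-line layout that fdesetup prints.
extract_recovery_key() {
    awk '
        /<key>RecoveryKey<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; exit
        }' "$1"
}

# Succeed only for six dash-separated groups of four characters (A-Z, 0-9),
# the format of the keys shown above.
valid_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Copy stdin into a NEW file that only its owner can read. noclobber
# (set -C) makes the write fail if the file already exists, because umask
# cannot tighten the mode of a pre-existing file.
save_plist_private() {
    dest=$1
    ( umask 077; set -C; cat > "$dest" ) || return 1
    key=$(extract_recovery_key "$dest")
    valid_recovery_key "$key" || { echo "no valid key in $dest" >&2; return 1; }
    ls -l "$dest" | cut -c1-10    # mode string, expected -rw-------
}

# On a Mac, as root (the path is an assumption):
#   fdesetup enable -outputplist | save_plist_private /var/root/recoverykey.plist

# Constructed sample input in the layout shown above; the key is made up.
sample_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>EnabledUser</key>
    <string>username</string>
    <key>RecoveryKey</key>
    <string>ABCD-1234-EFGH-5678-IJKL-9012</string>
</dict>
</plist>
EOF
}
```

On macOS, `/usr/libexec/PlistBuddy -c 'Print :RecoveryKey' file.plist` reads the same value from the saved file.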