
FileVault recovery key and self-service enrollment

When deploying Bravas on an existing IT fleet, some devices might already be encrypted. In that situation, Bravas will not be able to collect the decryption key needed to access the device if the end user forgets the passcode.

When a device is not encrypted, Bravas forces encryption and collects the key at that time. When the device is already encrypted, the decryption key can be collected only when it is recycled.

To trigger a decryption key renewal on a Mac managed by Bravas, open the Terminal application from an account with administrative rights on the endpoint and enter the following command:

sudo fdesetup changerecovery -personal

The command will ask for:

  • your current admin password (when you type it, you will not have any visual feedback)
  • your local admin username
  • your local admin password again

This displays the new recovery key, which you can store in a secure vault if you want, and which will automatically be stored in Bravas at the next inventory.

If you store it anywhere other than Bravas, take care to store it securely: this recovery key can decrypt your devices and reset the local passcode. In a normal situation, there is no need to store it outside Bravas.
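The renewal step above can be preceded by a check of the Mac's current FileVault state, so the key is only renewed on devices that were encrypted before enrollment. The script below is an added example, not Bravas code; the function names and the `--run` argument are hypothetical, and the `fdesetup status` output forms it matches are assumptions noted in the comments.

```sh
#!/bin/sh
# Added example (not Bravas code): preflight check before renewing the
# FileVault personal recovery key. Function names are hypothetical.

# Classify the text printed by `fdesetup status`.
# Assumed output forms: "FileVault is On.", "FileVault is Off.",
# and a line containing "in progress" while a conversion is running.
filevault_state() {
  case "$1" in
    *"in progress"*)      echo busy ;;
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Decide what to do from the status text and the "true"/"false" printed by
# `fdesetup haspersonalrecoverykey`.
rotation_action() {
  state=$(filevault_state "$1")
  case "$state:$2" in
    on:true) echo rotate ;;        # already encrypted: renew so the new key is collected
    on:*)    echo add-personal ;;  # no personal key yet: changerecovery adds one
    off:*)   echo none ;;          # Bravas encrypts and collects the key itself
    busy:*)  echo wait ;;          # let the running conversion finish first
    *)       echo unknown ;;
  esac
}

# Query the Mac and run the renewal command from this page when it applies.
run_preflight() {
  status=$(fdesetup status 2>&1)
  haskey=$(sudo fdesetup haspersonalrecoverykey 2>/dev/null)
  action=$(rotation_action "$status" "$haskey")
  echo "FileVault preflight: $action"
  case "$action" in
    rotate|add-personal) sudo fdesetup changerecovery -personal ;;
  esac
}

# Only touch the system on a Mac, and only when explicitly asked to.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
  run_preflight
fi
```

Run it with `--run` from an admin account; the prompts listed above still appear when the renewal command executes.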