fde-rekey
fde-rekey is a tool used to rotate/generate a macOS filevault2 personal recovery key without user interaction.
fde-rekey is a simple macOS package designed to generate a new FileVault2 personal recovery key without any user interaction. It is designed to work on macOS 10.9 through 10.12.6.
Warning
fde-rekey will not work on an APFS file system. There are no plans to support APFS at this time. The latest version of Crypt has a similar feature you may find useful.
Usage
Download the latest macOS package from the releases tab and import it into your favorite macOS package deployer. There is no need to repackage. Then deploy it as you would any other package. That's it!
Crypt2
If you have a ServerURL key defined in the com.grahamgilbert.crypt preference domain, fde-rekey will convert the new key to support Crypt2. On the next run of Crypt following the use of fde-rekey, the key will be escrowed.
FileVault RedirectURL (Beta)
fde-rekey will check whether a FileVault RedirectURL configuration key is set. If one is found, it will let FileVault perform the escrow itself. This feature has only been lightly tested, as it is not our escrow method. Please test it thoroughly before deploying.
Other
If you do not use Crypt2 or a FileVault RedirectURL, fde-rekey will place the new key at /var/root/fderekey.plist, readable only by root.
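The following post-deployment check is an added example and not part of fde-rekey itself. It covers the fallback case above (no Crypt2 ServerURL and no RedirectURL), where the new personal recovery key lands at /var/root/fderekey.plist and must stay readable by root only, and it also reports whether the Crypt2 ServerURL key from the Crypt2 section is present. The path /var/root/fderekey.plist and the com.grahamgilbert.crypt / ServerURL preference come from this README; reading them via `defaults read /Library/Preferences/com.grahamgilbert.crypt ServerURL` is my assumption about how Crypt stores that key, and the `--check` entry point and function names are mine.

```sh
#!/bin/sh
# Added example (not fde-rekey's own code): verify that a recovery key written
# to disk by fde-rekey is owned by root and carries no group/other permissions.
# Uses only ls/cut/awk so it runs on macOS and Linux alike.

# Path stated in the README for the no-escrow case; override via KEY_FILE.
KEY_FILE="${KEY_FILE:-/var/root/fderekey.plist}"

# Group and other permission characters from `ls -l` (columns 5-10), e.g. "------".
file_group_other_bits() {
    ls -l "$1" | cut -c5-10
}

# Succeeds when group and other have no permission bits at all (0400, 0600, ...).
key_file_is_private() {
    [ "$(file_group_other_bits "$1")" = "------" ]
}

# Succeeds when the file's numeric owner uid equals $2 (ls -n prints ids numerically).
key_file_owned_by() {
    [ "$(ls -ln "$1" | awk '{print $3}')" = "$2" ]
}

# Assumption: Crypt2 escrow is configured when the system-wide ServerURL key
# exists in the com.grahamgilbert.crypt domain. macOS only (needs `defaults`).
crypt2_escrow_configured() {
    defaults read /Library/Preferences/com.grahamgilbert.crypt ServerURL >/dev/null 2>&1
}

# Report on the key file; returns 0 only when it is root-owned and private,
# 1 when a check fails, 2 when the file is absent (escrow path may be in use).
check_recovery_key_file() {
    f="${1:-$KEY_FILE}"
    if [ ! -f "$f" ]; then
        echo "no key file at $f (Crypt2 or RedirectURL escrow in use?)"
        return 2
    fi
    status=0
    key_file_owned_by "$f" 0 || { echo "WARN: $f is not owned by root"; status=1; }
    key_file_is_private "$f" || { echo "WARN: $f is readable by group/other"; status=1; }
    if [ "$status" -eq 0 ]; then
        echo "OK: $f is root-only"
    fi
    return "$status"
}

# Run the checks only when invoked as: sh check_fderekey.sh --check [path]
case "${1:-}" in
    --check)
        if crypt2_escrow_configured; then
            echo "Crypt2 ServerURL is set; key will be escrowed on the next Crypt run"
        fi
        check_recovery_key_file "${2:-}"
        ;;
esac
```

Run it as root after the package has been deployed (`sudo sh check_fderekey.sh --check`); a non-zero exit means the key file is either missing or more widely readable than the README says it should be.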
Building from Source
fde-rekey is built using munkipkg, so you will need that tool installed to build from source. Once munkipkg is installed, clone this repo and run munkipkg /path/to/fde-rekey-repo. You should then find a new package in the fde-rekey build directory.
Help
If you need help with fde-rekey please join either #filevault or #crypt in the MacAdmins Slack team.
License
fde-rekey is under the Apache 2.0 license. See LICENSE for details.
Contributing
Please see CONTRIBUTING for details.
Credit
A special thank you to the contributors of the macdestroyer project, as well as Graham Gilbert and Owen Pragel for help with FileVault Redirection. Without them fde-rekey would not be possible!