Create FileVault master keychain

The procedure described in this section is required only if you are using one institutional key for multiple Mac computers. If you are using computer-specific (“personal”) keys, go to Assign an Active Directory user who is authorized to manage an encrypted disk.

On the Mac computer, you create a FileVault master keychain, which contains a private key that can be used to unlock the encrypted drive on the computer.

You can create the master keychain through the Mac user interface, or by executing commands in the Terminal application. Instructions are provided for each procedure.

Note: If the computer already has a FileVault master keychain, you can skip this procedure and go to Export certificate from FileVault master keychain and upload it to a domain server.

To create a master keychain through the user interface

  1. On a computer running OS X 10.9 or above, log on with an administrator’s account and open System Preferences, then double-click Users & Groups.
  2. If necessary, click the lock icon and enter credentials to authenticate.
  3. Select an administrator’s account, then click the service icon and select Set Master Password from the pop-up menu.

  4. Create a master password by typing it in the Master password field and re-typing it in the Verify field.

  5. Click OK to save the master password.

Setting a master password creates a keychain file in the following location:

/Library/Keychains/FileVaultMaster.keychain

This file contains the private key required to unlock the encrypted disk and is the only means you will have of recovering that disk. Store FileVaultMaster.keychain in a safe location, such as an external drive or an encrypted disk image on another physical disk.

To create a master keychain by executing commands in the Terminal application

  1. On a Mac computer, open the Terminal application.
  2. Run the following command:
    sudo security create-filevaultmaster-keychain
  3. Enter the password for the root account when prompted as follows:

    To proceed, enter your password or type Ctrl-C to abort
  4. Enter the master password to create when prompted to do so:

    password for new keychain
  5. Retype the new master password when prompted to do so:

    retype password for new keychain

    You will see a message indicating that the keychain’s key pair is being generated:

    Generating a 2048 bit key pair; ...

Setting a master password creates a keychain file in the following location:

/Library/Keychains/FileVaultMaster.keychain

This file contains the private key required to unlock the encrypted disk and is the only means you will have of recovering that disk. Store FileVaultMaster.keychain in a safe location, such as an external drive or an encrypted disk image on another physical disk.
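The following script is an added example, not part of the original documentation or the product it describes. It wraps the Terminal procedure above: it runs the documented `security create-filevaultmaster-keychain` command only when no master keychain is present yet (as the note above advises), confirms that the keychain file was written to the documented path, and then copies it to a backup location and verifies the copy byte for byte, since that file is the only recovery method for every disk encrypted with it. The keychain path is the one stated above; the script name and the backup directory are assumptions you choose when invoking it.

```shell
#!/bin/sh
# fv-master-keychain.sh (hypothetical name): create and back up the FileVault
# master keychain. Added example; the keychain path is the one the
# documentation states, the backup directory is supplied by the operator.

KEYCHAIN="/Library/Keychains/FileVaultMaster.keychain"

# Return 0 if a master keychain file already exists at the given path.
master_keychain_exists() {
    [ -f "$1" ]
}

# Run the documented command unless a master keychain is already present.
# The command prompts interactively for the new master password (steps 3-5).
create_master_keychain() {
    if master_keychain_exists "$KEYCHAIN"; then
        echo "Master keychain already present at $KEYCHAIN; skipping creation." >&2
        return 0
    fi
    sudo security create-filevaultmaster-keychain || return 1
    # Confirm the documented side effect: the keychain file now exists.
    master_keychain_exists "$KEYCHAIN"
}

# Return 0 if the file is readable and writable only by its owner (rw-------).
# ls -l is used rather than stat because stat's flags differ between macOS and
# other systems; cut drops any trailing extended-attribute marker.
permissions_are_restrictive() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Copy the keychain into the backup directory, restrict the copy to its owner,
# and verify that the copy is identical to the source. Returns 0 on success.
backup_master_keychain() {
    src="$1"
    dest_dir="$2"
    dest="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir" || return 1
    cp "$src" "$dest" || return 1
    chmod 600 "$dest" || return 1
    cmp -s "$src" "$dest" || return 1
    permissions_are_restrictive "$dest"
}

# Usage: sh fv-master-keychain.sh run /Volumes/SecureBackup
# (the backup volume path is an example value; use your own offline location).
if [ "${1:-}" = "run" ]; then
    create_master_keychain || { echo "Keychain creation failed." >&2; exit 1; }
    backup_master_keychain "$KEYCHAIN" "${2:?backup directory required}" \
        && echo "Backup verified in $2" \
        || { echo "Backup failed or did not verify." >&2; exit 1; }
fi
```

Run it as an administrator on the Mac with the `run` argument and the mount point of the external drive or encrypted disk image that will hold the backup; the master password prompts appear exactly as in steps 3 to 5 of the Terminal procedure. The `create_master_keychain` function only works on macOS, where the `security` tool exists; the backup and permission checks are portable shell and can be exercised on any system.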