Rotating or Generating New Keys
Crypt can rotate or generate new recovery keys for machines that are already encrypted. First make sure that Crypt is properly installed, then make sure all three of the preferences below are set to the values shown. These keys are documented on the Preferences page. After that, all that is left to do is restart and log in. If you experience issues, check the authorization plugin logs for clues before asking for help.
<key>RemovePlist</key>
<false/>
<key>RotateUsedKey</key>
<true/>
<key>ValidateKey</key>
<true/>
The above will only generate a new key during login if there is not already a key at the location set by the OutputPath preference.
As of version 3.1.0, you can rotate or generate a new key during login by setting the GenerateNewKey preference to a boolean of True; it will be set back to False after a successful rotation. NOTE: Setting GenerateNewKey via a Profile will be ignored, as you probably don't want to rotate the key every time someone logs in or reboots.
$ sudo defaults write /Library/Preferences/com.grahamgilbert.crypt GenerateNewKey -bool True
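A pre-flight check for the settings described above, as an added example that is not part of the Crypt project. It assumes the preferences live in the local file targeted by the defaults write command above (values delivered by a profile are not read); the function names and result strings are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the Crypt rotation settings on this page.
# Assumptions: values live in the local preference file that the page's
# `defaults write` targets; run as root so the OutputPath file can be seen.
CRYPT_DOMAIN="/Library/Preferences/com.grahamgilbert.crypt"

# Reader is its own function so it can be swapped out when testing off macOS.
read_pref() { defaults read "$CRYPT_DOMAIN" "$1" 2>/dev/null; }

# `defaults read` prints booleans as 1/0; normalise to true/false/unset.
pref_bool() {
    case "$(read_pref "$1")" in
        1|true|YES) echo true ;;
        0|false|NO) echo false ;;
        *) echo unset ;;
    esac
}

# Report each of the three keys that differs from the values the page lists.
check_rotation_prefs() {
    problems=0
    for pair in RemovePlist=false RotateUsedKey=true ValidateKey=true; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(pref_bool "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got $got"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Print what the next login will do, following the rules stated on the page.
rotation_plan() {
    check_rotation_prefs >/dev/null || { echo "not-ready"; return 1; }
    out=$(read_pref OutputPath) || out=""
    if [ "$(pref_bool GenerateNewKey)" = true ]; then
        echo "rotation-pending"     # flag is set; reset to False after success
    elif [ -z "$out" ]; then
        echo "output-path-unset"    # cannot tell whether a key file exists
    elif [ -e "$out" ]; then
        echo "set-GenerateNewKey"   # key file present: plain login will not rotate
    else
        echo "new-key-at-login"     # no key file at OutputPath
    fi
}

# Usage: sudo sh crypt_rotation_check.sh plan
if [ "${1:-}" = "plan" ]; then check_rotation_prefs; rotation_plan; fi
```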
If you're looking to bulk-generate new FileVault keys for your Mac fleet but don't use Crypt or Crypt server, you may want to check out Escrow Buddy which also offers this feature.