fde-rekey is a tool used to rotate/generate a macOS FileVault2 personal recovery key without user interaction.


fde-rekey is a simple macOS package, designed to generate a new FileVault2 personal recovery key without any user interaction. It is designed to work on macOS 10.9 - 10.12.6.


fde-rekey will not work on an APFS file-system. There are no plans to support APFS at this time. The latest version of Crypt has a similar feature you may find useful.


Download the latest macOS package from the releases tab and import it into your favorite macOS package deployer. There is no need to repackage. Then deploy as you would any other package. That's it!


If you have a ServerURL key defined in the com.grahamgilbert.crypt preference domain, fde-rekey will convert the new key to support Crypt2. On the next run of Crypt following the use of fde-rekey, the key will be escrowed.

FileVault RedirectURL (Beta)

fde-rekey will check for the existence of a set FileVault RedirectURL configuration key. If found, it will allow FileVault to perform the escrow. This feature has only been lightly tested, as this is not our escrow method. Please test this feature thoroughly before deploying.


If you do not use Crypt2 or a FileVault RedirectURL, fde-rekey will place the new key at /var/root/fderekey.plist with root read-only permissions.
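Because the unescrowed recovery key then sits on disk, it is worth confirming after deployment that the file is locked down as described. The following audit is an added example, not part of fde-rekey; the function name, the reading of "root read only" as mode 0400, and the hard-link check are assumptions.

```python
import os
import stat

KEY_PLIST = "/var/root/fderekey.plist"  # path stated in the README
EXPECTED_MODE = 0o400  # assumption: "root read only" read as mode 0400


def audit_key_file(path=KEY_PLIST, expected_uid=0):
    """Return a list of findings; an empty list means the file is locked down."""
    try:
        # lstat so a symlink planted at the path is reported, not followed
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    except PermissionError:
        return ["cannot stat (run as root)"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    perms = stat.S_IMODE(st.st_mode)
    if perms & 0o077:
        # any group/other bit exposes the recovery key to non-root users
        findings.append("group/other access: mode %04o" % perms)
    elif perms != EXPECTED_MODE:
        findings.append("mode %04o, expected %04o" % (perms, EXPECTED_MODE))
    if st.st_nlink > 1:
        # a second hard link keeps the key reachable after the plist is deleted
        findings.append("hard links: %d" % st.st_nlink)
    return findings


if __name__ == "__main__":
    result = audit_key_file()
    print("OK" if not result else "; ".join(result))
```

Run it as root on the client; a "missing" result is expected on machines that escrow through Crypt2 or a FileVault RedirectURL.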

Building from Source

fde-rekey is built using munkipkg; you'll need this tool to build from source. Once you have munkipkg installed, clone this repo, then run munkipkg /path/to/fde-rekey-repo. You should then find a new package in the fde-rekey build directory.


If you need help with fde-rekey, please join either #filevault or #crypt in the MacAdmins Slack team.


fde-rekey is under the Apache 2.0 license. See LICENSE for details.


Please see CONTRIBUTING for details.


A special thank you to contributors of the macdestroyer project as well as Graham Gilbert and Owen Pragel for help with FileVault ReDirection. Without them fde-rekey would not be possible!
