fde-rekey is a simple macOS package designed to generate a new FileVault 2 personal recovery key without any user interaction. It is designed to work on macOS 10.9 - 10.12.6.
fde-rekey will not work on an APFS file system. There are no plans to support APFS at this time. The latest version of Crypt has a similar feature you may find useful.
Download the latest macOS package from the releases tab and import it into your favorite macOS package deployer. There is no need to repackage. Then deploy it as you would any other package. That's it!
If you have a ServerURL key defined in the com.grahamgilbert.crypt preference domain, fde-rekey will convert the new key to support Crypt2. On the next run of Crypt following the use of fde-rekey, the key will be escrowed.
FileVault RedirectURL (Beta)
fde-rekey will check for the existence of a FileVault RedirectURL configuration key. If one is found, it will let FileVault perform the escrow. This feature has only been lightly tested, as it is not our escrow method. Please test it thoroughly before deploying.
If you do not use Crypt2 or a FileVault RedirectURL, fde-rekey will place the new key at /var/root/fderekey.plist, readable by root only.
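As an added example (not part of fde-rekey), the following POSIX sh audit can be run after deployment: it checks whether the Crypt ServerURL preference described above is set and, when the local fallback applies, verifies that /var/root/fderekey.plist exists, is owned by root and carries no group or other permission bits. It assumes it runs as root on the Mac, and the function names escrow_mode and audit_key_file are ours.

```shell
#!/bin/sh
# Added post-deployment audit for fde-rekey (not part of the project).
# Assumes it runs as root on the Mac where fde-rekey was deployed.

KEY_FILE="/var/root/fderekey.plist"   # local fallback location from the README

# escrow_mode: report which escrow path applies on this Mac.
# Prints "crypt2" when the Crypt ServerURL preference is set, "local" otherwise.
# Only the Crypt2 check is made here; a FileVault RedirectURL profile is not probed.
escrow_mode() {
    if defaults read com.grahamgilbert.crypt ServerURL >/dev/null 2>&1; then
        echo crypt2
    else
        echo local
    fi
}

# audit_key_file PATH [OWNER]: return 0 only when PATH exists, is owned by
# OWNER (default root) and has no group/other permission bits set.
# Uses ls -ld because stat(1) flags differ between macOS and Linux.
audit_key_file() {
    path="$1"
    owner="${2:-root}"
    if [ ! -f "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    entry=$(ls -ld "$path")
    mode=$(printf '%s\n' "$entry" | awk '{print $1}')
    file_owner=$(printf '%s\n' "$entry" | awk '{print $3}')
    if [ "$file_owner" != "$owner" ]; then
        echo "wrong owner on $path: $file_owner (expected $owner)"
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "too permissive: $path is $mode"; return 1 ;;
    esac
}

# Run the audit only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    m=$(escrow_mode)
    echo "escrow mode: $m"
    if [ "$m" = "local" ]; then
        audit_key_file "$KEY_FILE"
    fi
fi
```

Run it as root with `sh fde-rekey-audit.sh --run`; a non-zero exit means the key file is missing or exposed to users other than root.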
Building from Source
fde-rekey is built using munkipkg; you'll need this tool to build from source. Once you have munkipkg installed, clone this repo and then run munkipkg /path/to/fde-rekey-repo. You should then find a new package in the fde-rekey build directory.
If you need help with fde-rekey please join either #filevault or #crypt in the MacAdmins Slack team.
fde-rekey is under the Apache 2.0 license. See LICENSE for details.
Please see CONTRIBUTING for details.