Testing your FileVault recovery key

22 February 2015, 02:18

When you enable FileVault (which I strongly recommend), you’ll have the choice of either uploading a recovery key to iCloud, or avoiding putting the key online and writing it down somewhere for future reference. The latter seems most secure to me and I store the key in a password manager. The recovery key is effectively a master key: it unlocks the disk when you have forgotten your login password. Without either a login password or the recovery key there is no way to decrypt the disk contents, so a mistranscribed key is worth catching before you ever need it.

Gazing at the key yesterday I realised that something had gone wrong. It didn’t look right. Characters appeared to be missing.

I was able to test the recovery key by opening a Terminal window and typing the following:

sudo fdesetup validaterecovery

The first prompt is sudo’s, so type your login password there (NOT the recovery key); fdesetup then prompts for the key itself. If it’s correct you’ll see “true”. If it’s incorrect you’ll be told, and asked to enter it again in case you mistyped the first time around. To quit out of being asked, press Ctrl+C. The check is read-only and changes nothing on the disk, so it is safe to run while your login password still works.
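Because `fdesetup validaterecovery` costs a sudo prompt and an interactive key entry each time, it helps to check the shape of a transcribed key first and report which group is wrong. The script below is an added example and not part of the original post; it assumes (not stated above) that a personal recovery key is six hyphen-separated groups of four characters from A-Z and 0-9, and it only hands off to the real `fdesetup` check when that shape is right and the script is running on a Mac.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight a copied FileVault
# personal recovery key before spending a sudo prompt on
# `sudo fdesetup validaterecovery`.
# Assumption: a personal recovery key looks like ABCD-EFGH-IJKL-MNOP-QRST-UVWX,
# six hyphen-separated groups of four characters drawn from A-Z and 0-9.

# Strip whitespace picked up from a password manager or a scanned note and
# upper-case the result so the shape check is not fooled by case.
normalize_recovery_key() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-z' 'A-Z'
}

# Print "ok" and return 0 for a well-formed key; otherwise print a one-line
# diagnosis (which group is short, long, or has bad characters) and return 1.
recovery_key_shape() {
    key=$(normalize_recovery_key "$1")
    if printf '%s\n' "$key" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'; then
        echo "ok"
        return 0
    fi
    ngroups=$(printf '%s\n' "$key" | tr '-' '\n' | wc -l | tr -d ' ')
    if [ "$ngroups" -ne 6 ]; then
        echo "expected 6 groups, found $ngroups"
        return 1
    fi
    i=0
    for g in $(printf '%s\n' "$key" | tr '-' ' '); do
        i=$((i + 1))
        len=${#g}
        if [ "$len" -ne 4 ]; then
            # This is the "characters appear to be missing" case from the post.
            echo "group $i is $len characters, expected 4"
            return 1
        fi
        if ! printf '%s\n' "$g" | grep -Eq '^[A-Z0-9]+$'; then
            echo "group $i contains characters outside A-Z0-9"
            return 1
        fi
    done
    echo "malformed"
    return 1
}

# Run the live check only when the shape is plausible and fdesetup exists.
# sudo asks for the login password; fdesetup then prompts for the key itself.
validate_recovery_key() {
    shape=$(recovery_key_shape "$1") || { echo "not checked: $shape"; return 2; }
    if [ "$(uname -s)" != "Darwin" ] || ! command -v fdesetup >/dev/null 2>&1; then
        echo "shape ok; fdesetup not available here, skipping live check"
        return 0
    fi
    sudo fdesetup validaterecovery
}

# Constructed sample input (not a real key): a key with a three-character group.
if [ "${1:-}" != "" ]; then
    validate_recovery_key "$1"
fi
```

Paste the key as the script’s first argument, or call `recovery_key_shape` on its own to get the diagnosis without touching `fdesetup`. A shape check cannot prove the key is the right one for this disk; only `fdesetup validaterecovery` does that, which is why the script still ends there.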

So what do you do if, like me, you’ve either written down the key wrong, or your copy of the key has become corrupted? Simple. You have to turn off FileVault in System Preferences, then turn it back on again. This decrypts and re-encrypts the whole disk, so it will take several hours to complete, but you’ll generate a new recovery key that you can jot down properly this time. On OS X 10.9 or later, `sudo fdesetup changerecovery -personal` issues a new personal recovery key without decrypting the disk, which is a much quicker route to the same result. Whichever way you get the new key, run `sudo fdesetup validaterecovery` against your stored copy straight away, so the next time you check it is not the day you need it.
