
No Valid Recovery Key - Use sgdeadmin to import Filevault 2 recovery key

I was given a MacBook Air to add to our SafeGuard Server.  After the installation, I received the above error:

No Valid Recovery Key - Use sgdeadmin to import Filevault 2 recovery key

Although the user doesn't remember ever turning on FileVault, it would appear that the drive was already encrypted when I received the unit.  It immediately showed up in the SafeGuard Server as "Encrypted."  Not "Encrypting."  So basically, I installed SafeGuard on a Mac that was already encrypted with FileVault 2.  The user denies turning it on, but there it is.

The SafeGuard menu on the Mac has the "Decrypt System Disk" greyed out.

Short of wiping the hard drive and starting over, which would not be good, what are the implications of not having a stored key and this error popping up every time you log in?  Her account works.  I created a local admin account that works.  The drive is encrypted.  The unit talks to the SafeGuard server without error.  Other than the warning, what are the risks?

There's just no recovery key?  

Also, would this link be valid to the issue?

/search?q= 52140

Is there something I can export from the server and import into the Mac?

Upon googling the issue, the 7.0 documentation states:

Disk Encryption tab

Click on Disk Encryption to display information about the current policies and the status of the Mac client. The first window section tells you whether the system disk should be encrypted according to the policy set by the security officer. The second window section displays the status of the Mac client.

This can be one of the following:

■ The system disk is encrypted and a centrally stored recovery key is available.

■ The system disk is encrypted but there is no centrally stored recovery key available.

■ The system disk is not encrypted.

At the bottom, a button Decrypt System Disk is displayed. It will be enabled if FileVault 2 is enabled, the current user is active in FileVault 2 and the security officer has set a policy defining that no encryption is necessary for the client.

Note: If there is no centrally stored recovery key available, the helpdesk cannot assist with password recovery. Therefore, the recovery key should be imported using the command line tool: sgdeadmin --import-recoverykey. If the recovery key is unknown by the user as well as the security officer, decryption and subsequent encryption of the disk will be necessary in order to create a new recovery key.



This thread was automatically locked due to age.
  • Update:

    I contacted support.  They suggested that I uninstall SafeGuard from the Mac.  I did that using the uninstaller dmg.  Then I went into FileVault and turned off FileVault.  The machine then rebooted.  I logged back in and the HD is decrypting.

    It seems to be decrypting quickly, so I should be able to wait until it's done - and then reinstall SafeGuard, which should allow for a "managed" encryption as opposed to "unmanaged with no key".

    While the process isn't complete, it looks promising.  


    Adam in DC

  • Update:

    Success.  Unit is now re-encrypting, but it is managed by the server and there are no error messages about recovery keys.


    Adam in DC
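
A pre-enrollment check that would catch this situation before the client is installed, added here as an example; it is not part of the thread or of the SafeGuard documentation. It reads the output of macOS's `fdesetup status` and maps it to the paths described above. The function names, the action labels and the exact status strings matched are assumptions; only `sgdeadmin --import-recoverykey` comes from the quoted documentation.

```shell
#!/bin/sh
# Classify the text printed by `fdesetup status` (macOS).
# Assumed strings: "FileVault is On.", "FileVault is Off.",
# "Encryption in progress", "Decryption in progress".
classify_fv_status() {
  case "$1" in
    # Progress lines are checked first: a disk that is still converting
    # can also report "FileVault is On." on another line.
    *"Decryption in progress"*) echo decrypting ;;
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Decide what to do before installing the management client.
#   $1 = fdesetup status text
#   $2 = "yes" if someone still holds the existing recovery key, else "no"
pre_enroll_action() {
  state=$(classify_fv_status "$1")
  key_known=${2:-no}
  case "$state" in
    off) echo enroll ;;              # server-managed encryption creates and stores the key
    on)
      if [ "$key_known" = yes ]; then
        echo import-key              # sgdeadmin --import-recoverykey
      else
        echo decrypt-then-enroll     # turn FileVault off, wait, then install the client
      fi ;;
    encrypting|decrypting) echo wait ;;   # let the conversion finish first
    *) echo inspect ;;                    # unrecognised output: check by hand
  esac
}

# Stand-alone use on a Mac: ./check.sh yes|no
if command -v fdesetup >/dev/null 2>&1; then
  fv_text=$(fdesetup status 2>/dev/null || true)
  echo "state:  $(classify_fv_status "$fv_text")"
  echo "action: $(pre_enroll_action "$fv_text" "${1:-no}")"
fi
```

The script cannot see whether the server holds a key; it only flags a disk that was encrypted before the client was installed, which is the case where no centrally stored key can exist yet.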