Zecurit supports full FileVault disk encryption management on macOS devices through remote script execution. Admins can enable encryption, check status, rotate recovery keys, and disable encryption, all from the Zecurit dashboard without any action required on the end-user device.
Scripts
Download both scripts and upload them to your Zecurit remote script library.

Script File          | Purpose                                                      | Download
filevault_enable.sh  | Enables FileVault with password and escrows the recovery key | Contact Support
filevault_manager.sh | Status check, disable, key rotation, and key retrieval       | Contact Support
Action Reference
The table below maps each Zecurit dashboard action to the corresponding script and command.

Zecurit UI Action     | Script to Execute               | Description
Enable FileVault      | filevault_enable.sh             | Enables FileVault encryption and escrows the recovery key
Check Status          | filevault_manager.sh status     | Reports current encryption state, progress %, and key info
Disable FileVault     | filevault_manager.sh disable    | Starts the decryption process in the background
Rotate Recovery Key   | filevault_manager.sh rotate-key | Generates a new Personal Recovery Key and escrows it
Retrieve Escrowed Key | filevault_manager.sh get-key    | Retrieves the locally escrowed recovery key
Setup & Configuration
Step 1: Upload Scripts to Zecurit
1. Log in to the Zecurit Admin Console.
2. Navigate to Manage → Script Repository → Templates.
3. Search for "File Vault Manager".
4. Add both filevault_enable.sh and filevault_manager.sh to My Scripts.
Step 2: Configure the Enable Script
The filevault_enable.sh script requires the target user's password to authenticate with FileVault. Pass it as an environment variable in your Zecurit script payload:
# Set this in the Zecurit script environment variables section
FILEVAULT_USER_PASSWORD="user_login_password_here"
# Then execute:
sudo bash filevault_enable.sh
⚠ Security Note: Always pass the password via an environment variable — never hardcode it in the script body. Zecurit encrypts environment variables at rest and in transit.
Step 3: Configure Recovery Key Escrow (Optional)
By default, the recovery key is saved to the user's Desktop and logged to /var/log/filevault_manager.log. To push the key directly to your backend, edit the escrow_key() function in filevault_manager.sh and uncomment the curl block:
# In filevault_manager.sh, escrow_key() function:
curl -s -X POST "https://YOUR_MDM_ENDPOINT/api/filevault/escrow" \
  -H "Authorization: Bearer YOUR_MDM_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"serial\":\"$SERIAL\",\"recovery_key\":\"$key\"}"
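An added example, not the project's own escrow_key(): a hardened variant of the curl block above that sends the JSON body on stdin and the bearer token from a root-only curl config file, so neither the recovery key nor the token is visible in the process list of other local users. The MDM_TOKEN environment variable, the helper names and the ioreg serial lookup are assumptions; YOUR_MDM_ENDPOINT is the page's placeholder.

```shell
#!/bin/sh
# Added example (not the project's escrow_key()): escrow the PRK without exposing the key or the
# token on a command line. MDM_TOKEN as an env var, helper names and the ioreg lookup are assumptions.
set -u

# Minimal JSON string escaping for the two fields sent (backslash and double quote).
json_escape() { sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Body the page's endpoint expects: {"serial": ..., "recovery_key": ...}.
build_escrow_payload() {
  s=$(printf '%s' "$1" | json_escape); k=$(printf '%s' "$2" | json_escape)
  printf '{"serial":"%s","recovery_key":"%s"}' "$s" "$k"
}

# Device serial from IOKit (macOS only; not exercised offline).
device_serial() { ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ { print $(NF-1) }'; }

# POST with the body on stdin (--data @-) and the headers in a root-only curl config file (-K),
# so neither the recovery key nor the bearer token shows up in `ps`; --fail turns HTTP errors into rc != 0.
escrow_key() {
  key=$1
  cfg=$(mktemp) || return 1
  chmod 600 "$cfg"
  printf 'header = "Authorization: Bearer %s"\nheader = "Content-Type: application/json"\n' "${MDM_TOKEN:?}" > "$cfg"
  build_escrow_payload "$(device_serial)" "$key" |
    curl -sS --fail -K "$cfg" --data @- "https://YOUR_MDM_ENDPOINT/api/filevault/escrow"
  rc=$?
  rm -f "$cfg"
  return "$rc"
}
```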
Action Details
Enable FileVault
Enables FileVault disk encryption on the target Mac. The script authenticates with the logged-in user's credentials, initiates encryption, and captures the Personal Recovery Key (PRK).
- Passes credentials securely via fdesetup -inputplist (Apple's only supported method)
- Captures the Personal Recovery Key from the output plist
- Prints the recovery key between ESCROW_KEY_START / ESCROW_KEY_END markers for Zecurit to scrape
- Saves the key to the user's Desktop at ~/Desktop/FileVault_Recovery_Key.txt
Note: FileVault encryption runs in the background after enabling. The Mac remains fully usable during this process. Encryption time depends on disk size (typically 15 min – 2 hours).
Check Status
Returns the current FileVault state as a JSON object, suitable for automated parsing by the Zecurit agent.
Disable FileVault
Initiates FileVault decryption. The disk is decrypted in the background, and the Mac remains usable throughout the process.
sudo bash filevault_manager.sh disable
⚠ Important: Decryption can take as long as the original encryption. Do not force-restart the Mac during this process. Run the status action to monitor progress.
Rotate Recovery Key
Generates a new Personal Recovery Key, invalidating the old one. The new key is automatically escrowed. Use this action periodically or after a security event.
sudo bash filevault_manager.sh rotate-key
What happens:
- Calls fdesetup changerecovery -personal to generate a new PRK
- Writes the new key to /Library/Preferences/com.company.filevault.escrow.plist
- Returns the new key in the JSON response for Zecurit to store
- The old key is immediately invalidated
Retrieve Escrowed Key
Retrieves the recovery key that was saved locally during the last enable or rotate action. Useful if the key was not captured by the Zecurit agent at enable time.
sudo bash filevault_manager.sh get-key
Recommended Workflow
1. Admin clicks "Enable FileVault" in the Zecurit dashboard for a target device.
2. Zecurit sets FILEVAULT_USER_PASSWORD in the environment and executes filevault_enable.sh on the device.
3. The script enables FileVault, captures the recovery key, and prints ESCROW_KEY_START…ESCROW_KEY_END.
4. The Zecurit agent scrapes the output and stores the recovery key securely in the admin console.
5. Admin runs the status action periodically to monitor encryption progress.
6. Once encryption_in_progress returns false, FileVault is fully active.
7. Admin rotates the recovery key periodically using the rotate-key action.
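An added example, not the Zecurit scripts themselves, covering the Enable FileVault action details and steps 2 to 4 of the workflow above: it feeds fdesetup its input plist over a pipe (so the password never touches disk or a command line), pulls the PRK out of the -outputplist XML, prints it between the escrow markers, and shows how the agent side recovers it from the captured output. The helper names, the console-user check and SAMPLE_OUTPUT_PLIST are assumptions.

```shell
#!/bin/sh
# Added example (not the Zecurit scripts): enable FileVault via fdesetup -inputplist
# and hand the PRK to the agent. Helper names and SAMPLE_OUTPUT_PLIST are assumptions.
set -u

# Escape the characters that would break the XML plist (a password with & or < must still work).
xml_escape() { sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }

# The plist fdesetup reads on stdin: Username and Password keys.
build_input_plist() {
  u=$(printf '%s' "$1" | xml_escape); p=$(printf '%s' "$2" | xml_escape)
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
  printf '<key>Username</key><string>%s</string>\n' "$u"
  printf '<key>Password</key><string>%s</string>\n</dict></plist>\n' "$p"
}

# Pull RecoveryKey out of the -outputplist XML (flattened first, since the key may sit on its own line).
extract_recovery_key() {
  tr -d '\n' | sed -n 's/.*<key>RecoveryKey<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Script side: print the key between the markers the Zecurit agent scrapes.
emit_escrow_markers() { printf 'ESCROW_KEY_START\n%s\nESCROW_KEY_END\n' "$1"; }

# Agent side: recover the key from the captured script output.
scrape_escrowed_key() { sed -n '/^ESCROW_KEY_START$/,/^ESCROW_KEY_END$/p' | sed '1d;$d'; }

# The real run (macOS, as root). The password travels only through the pipe, never argv or a file.
enable_filevault() {
  user=$(stat -f%Su /dev/console)          # console owner; "root" means nobody is at the GUI
  [ "$user" != root ] || { echo "ERROR: No standard user logged into the GUI" >&2; return 1; }
  out=$(build_input_plist "$user" "${FILEVAULT_USER_PASSWORD:?}" |
        fdesetup enable -inputplist -outputplist) || return 1
  unset FILEVAULT_USER_PASSWORD
  key=$(printf '%s' "$out" | extract_recovery_key)
  [ -n "$key" ] || { echo "ERROR: no RecoveryKey in fdesetup output" >&2; return 1; }
  emit_escrow_markers "$key"
}

# Constructed sample of fdesetup -outputplist output, so the parser can be exercised offline.
SAMPLE_OUTPUT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>EnabledDate</key><string>2024-01-01 00:00:00 +0000</string>
<key>RecoveryKey</key>
<string>ABCD-EFGH-IJKL-MNOP-QRST-UVWX</string></dict></plist>'

if [ "${1:-}" = enable ]; then enable_filevault; fi
```

If the agent is not already root, sudo's default env_reset drops FILEVAULT_USER_PASSWORD before the script sees it; run the agent as root or allow the variable through sudoers env_keep rather than placing the password on a command line.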
Troubleshooting

Error / Symptom | Resolution
ERROR: No standard user logged into the GUI | The script requires an active user session. Ensure the user is logged into the Mac (not at the login screen) before running.
ERROR: Incorrect password | The FILEVAULT_USER_PASSWORD value doesn't match the user's current login password. Update it in the Zecurit script payload.
FileVault is already enabled (skipped) | No action needed. The device is already encrypted. Run the status action to confirm.
UI shows 'Turn On FileVault' but script says enabled | This is a known macOS UI display lag. Trust the script output. Verify using Disk Utility → select volume → check 'Encrypted: Yes'.
Key rotation fails | FileVault must be fully enabled (not in progress) before rotating keys. Run status first and check that encryption_in_progress is false.
Script exits with no output | Ensure the script is executed with sudo. Non-root execution exits silently on some macOS versions.