{"id":3187,"date":"2026-06-16T09:18:36","date_gmt":"2026-06-16T09:18:36","guid":{"rendered":"https:\/\/zecurit.com\/help\/?post_type=docs&p=3187"},"modified":"2026-06-16T09:18:36","modified_gmt":"2026-06-16T09:18:36","slug":"filevault-encryption-management","status":"publish","type":"docs","link":"https:\/\/zecurit.com\/help\/endpoint-management\/bitlocker-management\/filevault-encryption-management\/","title":{"rendered":"FileVault Encryption Management"},"content":{"rendered":"\n

Zecurit supports full FileVault disk encryption management on macOS devices through remote script execution. Admins can enable encryption, check status, rotate recovery keys, and disable encryption, all from the Zecurit dashboard without any action required on the end-user device.<\/p>\n\n\n\n

Scripts<\/strong><\/h1>\n\n\n\n

Download both scripts and upload them to your Zecurit remote script library.<\/p>\n\n\n\n

Script File<\/strong><\/td>Purpose<\/strong><\/td>Script File<\/strong><\/td><\/tr><\/thead>
filevault_enable.sh<\/strong><\/td>Enables FileVault with password and escrows the recovery key<\/td>Contact Support<\/td><\/tr>
filevault_manager.sh<\/strong><\/td>Status check, disable, key rotation, and key retrieval<\/td>Contact Support<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Action Reference<\/strong><\/h1>\n\n\n\n

The table below maps each Zecurit dashboard action to the corresponding script and command.<\/p>\n\n\n\n

Zecurit UI Action<\/strong><\/td>Script to Execute<\/strong><\/td>Description<\/strong><\/td><\/tr><\/thead>
Enable FileVault<\/strong><\/td>filevault_enable.sh<\/strong><\/td>Enables FileVault encryption and escrows the recovery key<\/td><\/tr>
Check Status<\/strong><\/td>filevault_manager.sh status<\/strong><\/td>Reports current encryption state, progress %, and key info<\/td><\/tr>
Disable FileVault<\/strong><\/td>filevault_manager.sh disable<\/strong><\/td>Starts decryption process in the background<\/td><\/tr>
Rotate Recovery Key<\/strong><\/td>filevault_manager.sh rotate-key<\/strong><\/td>Generates a new Personal Recovery Key and escrows it<\/td><\/tr>
Retrieve Escrowed Key<\/strong><\/td>filevault_manager.sh get-key<\/strong><\/td>Retrieves the locally escrowed recovery key<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Setup & Configuration<\/strong><\/h1>\n\n\n\n

Step 1 : Upload Scripts to Zecurit<\/strong><\/h2>\n\n\n\n
    \n
  1. Log in to the Zecurit Admin Console.<\/li>\n\n\n\n
  2. Navigate to Manage \u2192 Script Repository-> Templates \u2192 <\/strong><\/li>\n\n\n\n
  3. Search File Vault Manager <\/li>\n\n\n\n
  4. Add both filevault_enable.sh<\/strong> and filevault_manager.sh<\/strong> to My Scripts<\/li>\n<\/ol>\n\n\n\n

    Step 2 : Configure the Enable Script<\/strong><\/h2>\n\n\n\n

    The filevault_enable.sh<\/strong> script requires the target user’s password to authenticate with FileVault. Pass it as an environment variable in your Zecurit script payload:<\/p>\n\n\n\n

    # Set this in the Zecurit script environment variables section FILEVAULT_USER_PASSWORD=”user_login_password_here”

    # Then execute: sudo bash filevault_enable.sh<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    \u26a0 Security Note: <\/strong>Always pass the password via an environment variable \u2014 never hardcode it in the script body. Zecurit encrypts environment variables at rest and in transit.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Step 3 : Configure Recovery Key Escrow (Optional)<\/strong><\/h2>\n\n\n\n

    By default, the recovery key is saved to the user’s Desktop and logged to \/var\/log\/filevault_manager.log<\/strong>. To push the key directly to your backend, edit the escrow_key()<\/strong> function in filevault_manager.sh<\/strong> and uncomment the curl block:<\/p>\n\n\n\n

    # In filevault_manager.sh \u2014 escrow_key() function: curl -s -X POST “https:\/\/YOUR_MDM_ENDPOINT\/api\/filevault\/escrow” \\ -H “Authorization: Bearer YOUR_MDM_TOKEN” \\ -d “{\\”serial\\”:\\”$SERIAL\\”,\\”recovery_key\\”:\\”$key\\”}”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Action Details<\/strong><\/h1>\n\n\n\n

    Enable FileVault<\/strong><\/h2>\n\n\n\n

    Enables FileVault disk encryption on the target Mac. The script authenticates with the logged-in user’s credentials, initiates encryption, and captures the Personal Recovery Key (PRK).<\/p>\n\n\n\n

    FILEVAULT_USER_PASSWORD=”password” sudo bash filevault_enable.sh<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    What happens:<\/strong><\/p>\n\n\n\n

      \n
    • Verifies FileVault is not already enabled<\/li>\n\n\n\n
    • Detects the active GUI user session<\/li>\n\n\n\n
    • Passes credentials securely via fdesetup -inputplist<\/strong> (Apple’s only supported method)<\/li>\n\n\n\n
    • Captures the Personal Recovery Key from the output plist<\/li>\n\n\n\n
    • Prints recovery key between ESCROW_KEY_START<\/strong> \/ ESCROW_KEY_END<\/strong> markers for Zecurit to scrape<\/li>\n\n\n\n
    • Saves key to user’s Desktop at ~\/Desktop\/FileVault_Recovery_Key.txt<\/strong><\/li>\n<\/ul>\n\n\n\n
      Note: <\/strong>FileVault encryption runs in the background after enabling. The Mac remains fully usable during this process. Encryption time depends on disk size (typically 15 min \u2013 2 hours).<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Check Status<\/strong><\/h2>\n\n\n\n

      Returns the current FileVault state as a JSON object, suitable for automated parsing by the Zecurit agent.<\/p>\n\n\n\n

      sudo bash filevault_manager.sh status<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Example output:<\/strong><\/p>\n\n\n\n

      { “status”: “success”, “filevault_enabled”: true, “encryption_in_progress”: true, “decryption_in_progress”: false, “progress_percent”: “43.7”, “has_institutional_key”: false, “os_version”: “14.5.0” }<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Response fields:<\/strong><\/p>\n\n\n\n

      Field<\/strong><\/td>Value<\/strong><\/td>Meaning<\/strong><\/td><\/tr><\/thead>
      filevault_enabled<\/strong><\/td>true \/ false<\/strong><\/td>Whether FileVault is currently on<\/td><\/tr>
      encryption_in_progress<\/strong><\/td>true \/ false<\/strong><\/td>Whether encryption is still running<\/td><\/tr>
      decryption_in_progress<\/strong><\/td>true \/ false<\/strong><\/td>Whether decryption is still running<\/td><\/tr>
      progress_percent<\/strong><\/td>0\u2013100 or null<\/strong><\/td>Encryption\/decryption completion %<\/td><\/tr>
      has_institutional_key<\/strong><\/td>true \/ false<\/strong><\/td>Whether an institutional key exists<\/td><\/tr>
      os_version<\/strong><\/td>e.g. 14.5.0<\/strong><\/td>macOS version on the device<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Disable FileVault<\/strong><\/h2>\n\n\n\n

      Initiates FileVault decryption. The disk will be decrypted in the background. The Mac remains usable throughout the process.<\/p>\n\n\n\n

      sudo bash filevault_manager.sh disable<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
      \u26a0 Important: <\/strong>Decryption can take as long as the original encryption. Do not force-restart the Mac during this process. Run the status<\/strong> action to monitor progress.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Rotate Recovery Key<\/strong><\/h2>\n\n\n\n

      Generates a new Personal Recovery Key, invalidating the old one. The new key is automatically escrowed. Use this action periodically or after a security event.<\/p>\n\n\n\n

      sudo bash filevault_manager.sh rotate-key<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      What happens:<\/strong><\/p>\n\n\n\n

        \n
      • Calls fdesetup changerecovery -personal<\/strong> to generate a new PRK<\/li>\n\n\n\n
      • Writes the new key to \/Library\/Preferences\/com.company.filevault.escrow.plist<\/strong><\/li>\n\n\n\n
      • Returns the new key in the JSON response for Zecurit to store<\/li>\n\n\n\n
      • Old key is immediately invalidated<\/li>\n<\/ul>\n\n\n\n

        Retrieve Escrowed Key<\/strong><\/h2>\n\n\n\n

        Retrieves the recovery key that was saved locally during the last enable or rotate action. Useful if the key was not captured by the Zecurit agent at enable time.<\/p>\n\n\n\n

        sudo bash filevault_manager.sh get-key<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

        Recommended Workflow<\/strong><\/h1>\n\n\n\n
        1<\/strong><\/td>Admin clicks “Enable FileVault” in the Zecurit dashboard for a target device.<\/td><\/tr>
        2<\/strong><\/td>Zecurit sets FILEVAULT_USER_PASSWORD in the environment and executes filevault_enable.sh on the device.<\/td><\/tr>
        3<\/strong><\/td>Script enables FileVault, captures the recovery key, and prints ESCROW_KEY_START…ESCROW_KEY_END.<\/td><\/tr>
        4<\/strong><\/td>Zecurit agent scrapes the output and stores the recovery key securely in the admin console.<\/td><\/tr>
        5<\/strong><\/td>Admin runs the status action periodically to monitor encryption progress.<\/td><\/tr>
        6<\/strong><\/td>Once encryption_in_progress returns false, FileVault is fully active.<\/td><\/tr>
        7<\/strong><\/td>Admin rotates the recovery key periodically using the rotate-key action.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

        Troubleshooting<\/strong><\/h1>\n\n\n\n
        Error \/ Symptom<\/strong><\/td>Resolution<\/strong><\/td><\/tr><\/thead>
        ERROR: No standard user logged into the GUI<\/td>The script requires an active user session. Ensure the user is logged into the Mac (not at the login screen) before running.<\/td><\/tr>
        ERROR: Incorrect password<\/td>The FILEVAULT_USER_PASSWORD value doesn’t match the user’s current login password. Update it in the Zecurit script payload.<\/td><\/tr>
        FileVault is already enabled (skipped)<\/td>No action needed. The device is already encrypted. Run the status action to confirm.<\/td><\/tr>
        UI shows ‘Turn On FileVault’ but script says enabled<\/td>This is a known macOS UI display lag. Trust the script output. Verify using Disk Utility \u2192 select volume \u2192 check ‘Encrypted: Yes’.<\/td><\/tr>
        Key rotation fails<\/td>FileVault must be fully enabled (not in progress) before rotating keys. Run status first and check encryption_in_progress is false.<\/td><\/tr>
        Script exits with no output<\/td>Ensure the script is executed with sudo. Non-root execution will exit silently on some macOS versions.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

        <\/p>\n","protected":false},"featured_media":0,"parent":3017,"menu_order":7,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-3187","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/comments?post=3187"}],"version-history":[{"count":2,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3187\/revisions"}],"predecessor-version":[{"id":3189,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3187\/revisions\/3189"}],"up":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3017"}],"prev":[{"title":"Encryption Pre-Requisites","link":"https:\/\/zecurit.com\/help\/endpoint-management\/bitlocker-management\/encryption-prerequisites\/","href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3069"}],"wp:attachment":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media?parent=3187"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/doc_tag?post=3187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}