What Is A Recovery Key On Mac

We explained way back in 2014 why you might want to have an Apple ID recovery key. In those days, it was an extra precaution you could take against getting locked out of your account.

Apple abandoned recovery keys when it switched to a smarter two-factor authentication process, before reintroducing them in a new form in iOS 14. However, they now work in a different way. You definitely won’t want to enable one now, and you may not want to do so ever …

Macworld has a lengthy explanation of why that is, beginning with why you shouldn’t do it now.

  1. It is a 24-digit alphanumeric code that lets you into FileVault if you forget your FileVault password.
  2. It’s worth checking your recovery key is where you think you stored it, just in case. It’s better to find out you don’t have the key while you can still access the account, not once you’re locked.

When I got my new MacBook Pro and was setting it up there was one part during the initial setting up a new computer process where a 'recovery key' was created and I was given the option of storing it with Apple. Now my only issue is that I have no idea what this recovery key was for.

Apple has updated necessary pieces of iOS, iPadOS, and macOS to let you set a recovery key. But weeks after iOS 14 and iPadOS 14 were released, the Apple ID support sites, Apple Support app, and Find My app remain out of date with the use of this newly revived recovery key, even though various support documents have been updated to explain correctly some of the details of how it’s intended to work.

I recommend not enabling a recovery key until Apple has fully updated its ecosystem to explain and support the feature.

But it goes on to explain that the key now works in a different way. First, if you enable a recovery key, you will need to use it if you ever need to reset your Apple ID password. Normally, you can approve this from one of your trusted devices, but with the recovery key enabled, you need that plus a trusted device. Lose your key, and you lose your ability to reset your password. That warning is not currently given in the Settings app, which instead says that it is either/or, as it used to be.

Don’t think you can regenerate your recovery key if you lose it, either.

The key is only shown once ever. An encrypted form of the code is all that Apple retains, and there’s no way to ever retrieve the original key if you didn’t record it when it was displayed initially.

Second, should the worst happen and someone manages to change your password using one of your trusted devices and your passcode, Apple will no longer be able to help.

Without a recovery key, Apple offers a special Apple ID recovery process, which is intentionally designed to take time and require substantial documentation to prevent identity theft.

With a recovery key, this last-ditch option is no longer available. If you lose all access to your trusted devices, through accidental loss, theft, or natural disaster, your Apple ID account is completely irretrievable. So you need to balance the increased account integrity you would gain against the potential of losing your account forever in the worst circumstance.

If you are considering the use of a recovery key, I recommend reading the entire piece first.

With IT admins beginning to implement FileVault for Full Disk Encryption (FDE), a key step in the process is to escrow Recovery Keys. Escrow is a handy way to ensure that a locked-out user doesn’t remain that way. As we all know, with FDE a forgotten password can mean loss of data and frustrated users. Now, there is a simple Mac® FileVault® key escrow service that IT admins can leverage to stay ahead of forgotten passwords and their ramifications.

Full Disk Encryption Primer

FDE is an important security mechanism for IT admins, but it can often be hard to implement. In fact, with Apple’s most recent changes to the FileVault enablement process, it is even more difficult than before. What we’re talking about here is the fact that IT admins can only implement FileVault for users with a Secure Token. For more information on Secure Token and why it is critical to understand before enabling FileVault, check out our detailed resources: a support article and product update blog.

Once FileVault has been enabled, the hard disk and data are not accessible without the proper password. Apple created a recovery process so that if and when a password is forgotten, the data is not lost forever. But that process can be confusing. In order to log back in to a Mac® without the correct password, a user would require either a Personal or Institutional Recovery Key. A Personal Key is automatically generated at the time FileVault is enabled unless there is an Institutional Key already installed on the system. It can be a convoluted process, but we will describe the two keys below.

Two Types of FileVault Keys


For our sake, we will start with the Personal Key. A Personal Key is made to unlock an individual endpoint if and when a password is forgotten. Of the two types, the Personal Key is much more secure. That’s because it is not shared. But, it is not without its faults. Because of its individual nature, maintaining copies of this highly sensitive key is a difficult task. What are IT admins to rely upon? Spreadsheets, sticky notes, and safes?

The second is an Institutional Key; this key is an organization-wide key that can be used to unlock an organization’s Mac endpoints with FileVault enabled. Institutional Keys are manually generated, and as stated above, are less secure due to their shared nature. Additionally, the Institutional Key must be installed independently on each system in order to decrypt a volume where a password has been forgotten. What this results in is a mess of work. Clearly, the process of managing Recovery Keys for large organizations can represent significant pain points.
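To see which of the two key types a Mac actually has, macOS ships the `fdesetup` tool. The script below is an added example, not code from the original article or from any vendor: it classifies a machine from the output of `fdesetup status`, `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey`, and flags hosts that have no Personal Key to escrow. The function names, the `host|status|has_prk|has_irk` inventory format and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. classify_fv and flag_hosts are hypothetical helper names.

# classify_fv STATUS HAS_PRK HAS_IRK
#   STATUS  : output of `fdesetup status`
#   HAS_PRK : output of `fdesetup haspersonalrecoverykey`      (true/false)
#   HAS_IRK : output of `fdesetup hasinstitutionalrecoverykey` (true/false)
classify_fv() {
    case $1 in
        *"FileVault is On"*) ;;
        *) echo "unencrypted"; return 0 ;;
    esac
    if [ "$2" = "true" ] && [ "$3" = "true" ]; then
        echo "personal+institutional"
    elif [ "$2" = "true" ]; then
        echo "personal-only"
    elif [ "$3" = "true" ]; then
        echo "institutional-only"
    else
        echo "no-recovery-key"
    fi
}

# Read "host|status|has_prk|has_irk" lines on stdin and print every host that
# has no Personal Key, i.e. nothing a Personal-Key-only escrow could store.
flag_hosts() {
    while IFS='|' read -r host status prk irk; do
        [ -n "$host" ] || continue
        finding=$(classify_fv "$status" "$prk" "$irk")
        case $finding in
            personal*) ;;                    # a Personal Key exists to escrow
            *) echo "$host $finding" ;;
        esac
    done
}

# Constructed inventory, not real fleet data.
SAMPLE='mac-01|FileVault is On.|true|false
mac-02|FileVault is On.|false|true
mac-03|FileVault is Off.|false|false'
printf '%s\n' "$SAMPLE" | flag_hosts

# On a real Mac, classify the local machine (run as root).
if command -v fdesetup >/dev/null 2>&1; then
    classify_fv "$(fdesetup status)" \
                "$(fdesetup haspersonalrecoverykey 2>/dev/null)" \
                "$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)"
fi
```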

Simplified Key Management

From this challenge of managing keys, a cloud identity management platform has emerged to help simplify these management chores. What JumpCloud® Directory-as-a-Service® has created is a secure, cloud-based FileVault Key Escrow service. This Mac user and system management solution can create policies to enable FileVault and safely store Personal Recovery Keys. JumpCloud only manages Personal Keys and does not manage Institutional Keys.

IT admins have had to live with two fears: that users would write their Personal Recovery Keys on sticky notes and hide them in a filing cabinet or under their keyboard, or that the admins themselves would be stuck holding the bag on securely vaulting all of these keys. With JumpCloud’s Key Escrow service, that worry is eliminated. FDE policies are a core part of the GPO-like cross-platform system management functions within Directory-as-a-Service. All IT admins have to do is turn on the FileVault policy, and the escrowed Personal Keys are securely stored and only displayed when needed. Cool, right?

Learn More About JumpCloud®

Security is baked into everything JumpCloud does, and the Mac FileVault Key Escrow service is a key feature of that stance. If you’re eager to see how a cloud directory service solution can drastically up the security posture of your organization, feel free to reach out. Alternatively, you can check our Knowledge Base and YouTube channel for helpful hints, best practices, and informative whiteboard videos. For those who want to just get to work and manage users, sign up for a free account today. Our free account will allow you to manage up to 10 users for free, forever. No credit card required.