To ensure the privacy of FileVault recovery keys, Fleetsmith uses asymmetric encryption so only you have access to your recovery keys. Fleetsmith encrypts each device's recovery key with the public key in an encryption certificate that you generate and upload to Fleetsmith, while the matching private key stays with you. Setup takes two simple steps.
Open your terminal, paste the text below, and press Enter.
CN=$(LC_ALL=C tr -dc A-Z0-9 </dev/urandom | head -c 8)
openssl req -newkey rsa:2048 -nodes \
-keyout ~/Documents/FleetsmithFileVaultKeyEncryptionPrivateKey_$CN.pem \
-x509 -days 99999 \
-subj "/CN=Fleetsmith FileVault Key Encryption Cert ($CN)" \
This will generate two files (these will be saved in your Documents folder):
- an RSA private key, which will output to a file named
- a certificate, which will output to a file named
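Important: Keep your RSA private key safe. The command above uses -nodes, so the private key file is written without a passphrase and is protected only by its file permissions and wherever you store it. Save this file somewhere where you will not lose it. If you lose this file, you will not be able to decrypt any devices.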
Back in the Fleetsmith Admin Console, upload the certificate that you created in step one named FleetsmithFileVaultKeyEncryptionCert.pem.
⚡️ If you choose to create your own encryption certificate instead of using the command in Step 1 above, please note that the file must be a PEM-encoded certificate with an RSA public key of at least 2048 bits.
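A pre-upload check for the requirement above, as an added example that is not Fleetsmith's own tooling: it confirms the file is PEM-encoded, that its public key is RSA with at least 2048 bits, and optionally that the private key you are keeping matches the certificate. The function name check_fv_cert is hypothetical, and the arguments are whatever paths you used for your certificate and key.

```shell
#!/bin/sh
# Added example (not Fleetsmith tooling). check_fv_cert is a hypothetical name.
# Usage: check_fv_cert CERT.pem [PRIVATE_KEY.pem]
# Returns 0 if the certificate meets the stated requirements, non-zero otherwise.
check_fv_cert() {
    cert=$1
    key=${2:-}

    # 1. Must be PEM text (not DER): look for the PEM armor, then parse it.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM-encoded certificate" >&2; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: $cert does not parse as an X.509 certificate" >&2; return 1; }

    # 2. The public key algorithm must be RSA.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "FAIL: public key is not RSA" >&2; return 2; }

    # 3. The RSA modulus must be at least 2048 bits.
    #    Matches "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] ||
        { echo "FAIL: RSA key is ${bits:-unknown} bits, need >= 2048" >&2; return 3; }

    # 4. Optional: the private key you keep must correspond to this certificate,
    #    otherwise keys encrypted to the certificate cannot be decrypted later.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
            { echo "FAIL: private key does not match certificate" >&2; return 4; }
    fi

    echo "OK: PEM certificate with RSA $bits-bit public key"
}
```

Run it with the certificate path alone to check the upload requirements, or pass the private key path as a second argument to confirm the pair matches before you store the key away.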