To ensure the privacy of FileVault recovery keys, Fleetsmith uses asymmetric encryption so that only you can decrypt your recovery keys. Fleetsmith encrypts your device's Recovery Keys using an encryption certificate that you generate and upload to Fleetsmith in two simple steps.
Important: The encryption certificate and private key are a matching pair. If a new encryption certificate is generated, only the private key generated with it will work, and so on. If other admins on your team need access to the private key, a password manager is a secure way to store that key in a shared place that other admins can access if necessary. If an admin generates their own encryption certificate and private key pair, that invalidates the previous pair.
Open Terminal, paste the text below, and press Enter.
# random 8-character suffix so the key file name is unique
CN=$(LC_ALL=C tr -dc A-Z0-9 </dev/urandom | head -c 8)
# self-signed certificate plus unencrypted (-nodes) 2048-bit RSA private key;
# the certificate is written to the file name that Step 2 uploads
openssl req -newkey rsa:2048 -nodes \
-keyout ~/Documents/FleetsmithFileVaultKeyEncryptionPrivateKey_$CN.pem \
-x509 -days 99999 \
-subj "/CN=Fleetsmith FileVault Key Encryption Cert ($CN)" \
-out ~/Documents/FleetsmithFileVaultKeyEncryptionCert.pem
This will generate two files, saved in your Documents folder:
- an RSA private key, written to a file named FleetsmithFileVaultKeyEncryptionPrivateKey_$CN.pem (where $CN is the random 8-character suffix from the first line)
- a certificate, written to a file named FleetsmithFileVaultKeyEncryptionCert.pem
Important: Keep your RSA private key safe. Save this file somewhere you will not lose it. If you lose this file, you will not be able to decrypt any device's recovery key.
Back in the Fleetsmith Admin Console, upload the certificate you created in Step 1, named FleetsmithFileVaultKeyEncryptionCert.pem.
⚡️ If you choose to create your own encryption certificate instead of using the command in Step 1 above, please note that the file must be a PEM-encoded certificate with an RSA public key of at least 2048 bits.
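As an added example (not Fleetsmith's own code or documentation), the following POSIX shell script generates a pair the same way as the command in Step 1, but into a temporary directory instead of ~/Documents, and then checks what this page states: that the certificate is PEM-encoded with an RSA public key of at least 2048 bits, that the private key and certificate are a matching pair, and that a sample recovery key encrypted to the certificate decrypts only with that key and not with a freshly generated replacement pair. The sample recovery key, the file names and the function names are constructed for the demonstration; the OAEP round-trip illustrates asymmetric encryption in general and is not a claim about Fleetsmith's internal encryption format.

```shell
#!/bin/sh
# Added example, not Fleetsmith's code: generate a cert/key pair as in Step 1
# and verify the properties this page relies on. All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a pair into $WORK; mirrors the page's openssl invocation.
# Usage: gen_pair <name> -> $WORK/<name>_key.pem and $WORK/<name>_cert.pem
gen_pair() {
    CN=$(LC_ALL=C tr -dc A-Z0-9 </dev/urandom | head -c 8)
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/${1}_key.pem" \
        -x509 -days 99999 \
        -subj "/CN=Fleetsmith FileVault Key Encryption Cert ($CN)" \
        -out "$WORK/${1}_cert.pem" 2>/dev/null
}

# Returns 0 when the certificate is PEM-encoded, RSA, and at least 2048 bits
# (the requirement stated for a self-made certificate). $1 = cert.pem
cert_meets_requirements() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || return 1
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Returns 0 when the private key and the certificate carry the same public
# key, i.e. they are a matching pair. $1 = key.pem, $2 = cert.pem
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Encrypt a constructed sample recovery key to the certificate's public key
# (RSA-OAEP), then decrypt it with the given private key. Prints the
# decrypted text, or nothing when that key cannot decrypt it.
# $1 = cert.pem used to encrypt, $2 = key.pem used to decrypt
roundtrip() {
    sample="AAAA-BBBB-CCCC-DDDD-EEEE-FFFF"   # constructed, not a real key
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    printf '%s' "$sample" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -out "$WORK/enc.bin"
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/enc.bin" 2>/dev/null || true
}

# Demonstration: one pair in use, and a second pair as generated when another
# admin creates their own (which the page says invalidates the previous pair).
gen_pair current
gen_pair replacement
cert_meets_requirements "$WORK/current_cert.pem" && echo "cert: PEM, RSA, >= 2048 bits"
pair_matches "$WORK/current_key.pem" "$WORK/current_cert.pem" && echo "pair: private key matches cert"
echo "decrypt with matching key:    '$(roundtrip "$WORK/current_cert.pem" "$WORK/current_key.pem")'"
echo "decrypt with replacement key: '$(roundtrip "$WORK/current_cert.pem" "$WORK/replacement_key.pem")'"
```

Run it with `sh` on a machine with openssl installed; the last line prints an empty string because data encrypted to the old certificate cannot be recovered with a key from a different pair, which is exactly why the private key file must not be lost and why regenerating a pair invalidates the previous one.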