FileVault Key Escrow – Utilizing Active Directory or Open Directory (Part 2)

April 11, 2012 by Christopher Silvertooth

Alright folks. I have version 1.0.5 of the script done. It isn't the most beautiful thing, but it gets the job done. I think I added enough checks to the script to make you aware of any possible reasons it will fail, and if it does fail for some reason, I hope the fail-safes I have will be enough.

Here is the link for the script.  Check back frequently as I will be updating often.

For this to work properly, the machine needs to be bound to a directory server, either Active Directory or Open Directory, and the Cauliflower Vest command line binary (csfde) must be installed in /usr/local/bin. You also need to run the script from an account with admin privileges (preferably the account that will be used daily on the computer), and have an AD/OD account available that has rights to bind a machine to the directory server.

This script isn't for the faint of heart: you should be fairly familiar with the command line and have a decent grasp of bash/shell programming. That also lets you tweak the script so that it has fewer prompts.

If you meet these requirements, the script should at least attempt to work. I have tested this against both Active Directory and Open Directory and it seems to work fine. Once you have validated that the key has been escrowed, delete RecoveryKey.plist in /usr/local/key: it holds the recovery key in plaintext, and anyone who can read it can unlock the disk. That said, I would love constructive feedback or information on problems or enhancements.
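As an added example (not the author's script and not Cauliflower Vest code), here are the pre-flight checks those requirements imply, plus the clean-up of the plaintext key file, in bash. It assumes the paths the post gives (/usr/local/bin/csfde and /usr/local/key/RecoveryKey.plist), that csfde stores the key under a RecoveryKey entry in that plist, and that dsconfigad's output mentions "Active Directory Domain" only when the Mac is bound; the binding and admin checks use stock macOS tools and only work on a Mac.

```bash
#!/bin/bash
# Pre-flight checks and clean-up around the FileVault escrow script described in this post.
# Added example, not the author's script. Assumptions (taken from the post): csfde lives at
# /usr/local/bin/csfde and the script writes the plaintext recovery key to
# /usr/local/key/RecoveryKey.plist. The strings matched in the directory checks are assumptions.

CSFDE="${CSFDE:-/usr/local/bin/csfde}"
KEY_PLIST="${KEY_PLIST:-/usr/local/key/RecoveryKey.plist}"

# 0 if the given path exists and is executable, 1 otherwise.
check_binary() {
    [ -x "$1" ]
}

# 0 if the Mac is bound to Active Directory or has an Open Directory (LDAPv3) node configured.
# Assumption: dsconfigad -show prints "Active Directory Domain" only when bound.
check_bound() {
    if dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'; then
        return 0
    fi
    dscl localhost -list /LDAPv3 2>/dev/null | grep -q .
}

# 0 if the named user is a member of the local admin group (dseditgroup exits non-zero otherwise).
check_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# FileVault 2 personal recovery keys are six dash-separated groups of four characters
# (e.g. ABCD-EFGH-1234-5678-IJKL-MNOP). Reject anything else before trusting an escrow.
valid_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Pull the key out of the plist csfde wrote. Assumption: it sits under a <key>RecoveryKey</key>
# entry with the <string> on the following line; adjust the sed if your csfde version differs.
recovery_key_from_plist() {
    sed -n '/<key>RecoveryKey<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# Remove the plaintext key file once escrow is confirmed. Overwrite first; on an SSD this is
# best effort only, which is exactly why the file must not be left lying around.
remove_key_plist() {
    local f="$1"
    [ -e "$f" ] || return 0
    dd if=/dev/zero of="$f" bs=1 count="$(wc -c < "$f" | tr -d ' ')" conv=notrunc 2>/dev/null
    rm -f "$f"
    [ ! -e "$f" ]
}

# Run every check for the user who will own the machine; non-zero means do not run the escrow script.
preflight() {
    local user="$1" rc=0
    check_binary "$CSFDE" || { echo "csfde is not executable at $CSFDE" >&2; rc=1; }
    check_bound || { echo "not bound to Active Directory or Open Directory" >&2; rc=1; }
    check_admin "$user" || { echo "$user is not a local admin" >&2; rc=1; }
    return "$rc"
}

case "${1:-}" in
    --check)   preflight "${2:-$USER}" ;;
    --cleanup) remove_key_plist "$KEY_PLIST" ;;
esac
```

Run it with `--check` before the escrow script and with `--cleanup` only after you have confirmed the key is in the directory; `valid_recovery_key "$(recovery_key_from_plist "$KEY_PLIST")"` is a cheap sanity check on what csfde produced before you rely on it.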

Here is a video of it working.  FV-OD-Demo

