Home > Wiki Tips

Institutional Recovery Key: What Is Institutional Recovery Key And How to Use It?

Updated on Friday, June 14, 2024

iBoysoft author Anna Yuan

Written by

Anna Yuan
Professional tech editor

Approved by

Jessica Shee


Summary: This post will give you a complete introduction to the FileVault institutional recovery key. After you read this post, you will know what is institutional recovery key and how to create and use the institutional recovery key.

What Is Institutional Recovery Key

As a Mac user, you may have heard of Apple FileVault, a feature of Mac to securely protect your Mac. You may have used it to encrypt your Mac startup disk and get a recovery key. But do you know there is another key named the institutional recovery key(IRK) of FileVault?

If you have no idea, you can read this post to know the complete introduction to FileVault IRK. After you read this post, you will know what is institutional recovery key, and how to create, remove and use it.

What is the institutional recovery key

When FileVault 2 was announced initially, Apple stated that there would be two kinds of recovery keys available in it: PRK and IRK. A personal recovery key (PRK) is automatically generated at the time of encryption. Normally, it is an alphanumeric string and can be used to unlock your startup disk if you forget your FileVault password. We usually call it the FileVault recovery key.

An Institutional recovery key (IRK) is another thing. IRK is a pre-made recovery key that can be installed on a system prior to encryption and is most often used by a company, school, or institution to have one common recovery key that can unlock their managed encrypted systems. PRK itself can unlock a machine, but the institutional recovery key is used in combination with a password to unlock the keychain. 

To have a deeper understanding of the institutional recovery key, just keep reading the next part to learn how to create/remove the FileVault IRK on Mac as well as how to use IRK to unlock Mac's startup disk.

Would you please share this post on your social media, thanks!


How to create a FileVault institutional recovery key

To create a FileVault institutional recovery key on your Mac or MacBook, just do the following:

  1. Go to Finder, open Applications > Utilities, and launch the Terminal app on your Mac,
  2. Enter the below command and press the Enter key:security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain
  3. Enter the master password for the new keychain when asked, then enter it again when asked to retype.
  4. A key chain now is generated, and a file named FileVaultMaster.keychain is saved to your desktop. Copy this file to a secure location, such as an external hard drive. It is the private recovery key that can be used to unlock the startup disk of any Intel-based Mac set up to use the FileVault master keychain. It is not for distribution. 

How to remove the IRK from the master keychain

If you need to remove FileVault IRK, follow these steps:

  1. Double-click the FileVaultMaster.keychain file on your desktop. The Keychain Access app will launch.
  2. From the Keychain Access sidebar, select FileVaultMaster.
  3. If the FileVaultMaster keychain is locked, choose File > Unlock Keychain "FileVaultMaster" from the menu bar, then enter the master password you created.
  4. From the two items shown on the right, select the one identified as "private key" in the Kind column.
    remove Institutional Recovery Key
  5. Delete the private key: Choose Edit > Delete from the menu bar, enter the keychain master password, then click Delete when asked to confirm.
  6. Quit Keychain Access.

Now the FileVault master keychain on your desktop has been removed and should no longer contain the private key.

If you find this post helpful, please share it with more people!


How to use IRK to unlock a user's startup disk

To use the private key to unlock a user's startup disk, make sure you follow the below methods step by step:

  1. On the Mac or MacBook you want to unlock, start up the computer while holding the T key to boot into Mac Target Disk Mode. Release the T key once you see the Thunderbolt logo.
  2. Connect the Mac to another Mac (the host) using a Thunderbolt 3 (USB-C) cable. When you're asked to enter a password to unlock the disk, click Cancel.
  3. On the host Mac, connect the external drive that contains the private institutional recovery key
    If you stored the private recovery key in an encrypted disk image, double-click the file to mount the image and enter the password when prompted. 
    If you don't know the name of the startup volume (such as Macintosh HD) on the disk you want to unlock, open Disk Utility, then locate the volume name in the sidebar. You will need this information in the next step.
  4. Open Terminal, then type in the following command to unlock the encrypted startup disk. Replace "name" with the name of the startup volume, and replace /path with the path to FileVaultMaster.keychain on the external drive or disk image:diskutil ap unlockVolume "name" -recoveryKeychain /pathHere's an example for a startup volume named Macintosh HD and a recovery-key volume named GDrive:diskutil ap unlockVolume "Macintosh HD" -recoveryKeychain /Volumes/GDrive/FileVaultMaster.keychain
  5. Input the master password to unlock the startup disk. If the password is accepted, the volume should mount on the Mac Desktop.