FileVault Key Rotation
  • 29 Aug 2025

Article summary

FileVault encrypts the startup disk of a macOS device. Alongside the passwords of the users who can unlock it, FileVault can issue a unique Personal Recovery Key (PRK); if a user forgets their password, the PRK unlocks the disk so the password can be reset.

FileVault Key Rotation replaces the recovery key with a new one on a schedule, or after the current key has been used or viewed, so that a key that has left the escrow (for example, read off the dashboard and typed into a device) does not stay valid indefinitely.

Why Rotate the FileVault Recovery Key?

Rotating the recovery key helps:

  • Reduce the risk if the existing key is compromised.

  • Maintain compliance with internal or industry security policies.

  • Ensure the recovery key remains current and secure.

How FileVault Key Rotation works

  1. You configure FileVault Key Rotation to rotate the recovery key automatically after a set number of days, or after the escrowed key has been accessed.

  2. After each rotation, the new key is escrowed to Scalefusion. Administrators can view it on the dashboard and provide it to the user when needed.

  3. Regular rotation limits the window in which an exposed or compromised recovery key can be used to unlock the encrypted disk.

Pre-requisites

  1. Make sure that you have one of the following:

    1. Business 2025 subscription plan, or

    2. The feature FileVault Rotation macOS is enabled for your account.

  2. The macOS device is enrolled in Scalefusion and runs the latest Scalefusion MDM Client (the agent app for macOS), that is, version 4.29.9.

  3. In the macOS device profile, FileVault settings are enabled with Recovery Key Type set to Personal or Personal & Institutional. Rotation replaces the personal recovery key, so a personal key must exist on the device.

  4. FileVault is enabled on the device itself.

Configure FileVault Key Rotation Settings

Step 1: Access Settings in Scalefusion

  1. Sign in to the Scalefusion Dashboard.

  2. Go to Utilities > Global Settings > Apple Settings.

  3. Locate the section FileVault Key Rotation Settings – macOS.
    Note: These settings are applicable only if FileVault is enabled on the device.

Step 2: Configure Rotation Settings

Each setting is listed with what it does (Details) and its constraints (Notes).

Enable FileVault Key Rotation
  Details: Enables periodic FileVault key rotation for managed macOS devices.
  Notes: When disabled, all other settings are grayed out.

Rotation Frequency
  Details: Number of days between each key rotation.
  Notes: Enter a value between 1 and 360.

Fallback to User Prompt for Password
  Details: Prompts the user for a password if silent rotation fails (for example, the device was not enrolled through ADE, or the Global Admin / Scalefusion service account does not hold a SecureToken).
  Notes: If disabled, Maximum Wait Time for User Prompt and Prompt Message are grayed out.

Maximum Wait Time for User Prompt
  Details: Time (in minutes) the agent waits for user input before marking the rotation as failed.
  Notes: Enter a value between 1 and 60.

Prompt Message
  Details: Message shown to the user in the prompt.
  Notes: 0–500 characters; this field is editable.

Validate FileVault Key Periodically
  Details: Periodically checks on the device that the key escrowed in Scalefusion still unlocks the disk.
  Notes: If disabled, Validation Frequency and Rotate If Key Is Invalid are grayed out.

Validation Frequency
  Details: Number of days between each escrowed-key validation.
  Notes: Enter a value between 1 and 360.

Rotate If Key Is Invalid
  Details: Automatically triggers a key rotation when validation fails, so the dashboard does not keep a key that no longer works.

  1. After configuring the options, click Save Settings.

FileVault Key Rotation on Device

Silent Rotation (No User Involvement)

Key rotation occurs silently if the following are true:

  • Device is enrolled via ADE (Automated Device Enrollment).

  • The Global Admin / Scalefusion service account on the device holds a SecureToken, which is what lets the agent authorize the rotation without asking the user for a password.
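The prerequisites, the two silent-rotation conditions above and the Validate FileVault Key Periodically setting all map onto checks you can run on the Mac itself with Apple's own tools. The script below is an added example, not Scalefusion's agent code or anything from the original page: it parses `fdesetup status`, `sysadminctl -secureTokenStatus` and `fdesetup validaterecovery` output. It assumes it is run as root on macOS and that the admin account the agent authenticates with is passed as the first argument (`mdmadmin` is a placeholder, not a Scalefusion account name).

```shell
#!/bin/sh
# Added example, not Scalefusion's code: pre-flight and escrow checks for
# silent FileVault key rotation on one Mac, using Apple's own tools.
# Assumptions: run as root on macOS; the local admin account the agent
# authenticates with is passed as $1 ("mdmadmin" is a placeholder).
ADMIN="${1:-mdmadmin}"

# Parse the output of `fdesetup status`; succeed only when FileVault is On.
fv_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Parse the output of `sysadminctl -secureTokenStatus <user>` (it writes to
# stderr, so capture it with 2>&1); succeed only when the token is ENABLED.
has_secure_token() {
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED for user'
}

# Cheap sanity check on a key read back from escrow before trying it on the
# disk: a personal recovery key is six dash-separated groups of four
# characters from A-Z and 0-9.
prk_well_formed() {
  printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Ask the OS whether a recovery key still unlocks this disk. `fdesetup
# validaterecovery -inputplist` reads a plist with a RecoveryKey entry on
# stdin and prints "true" or "false"; this is what a periodic validation of
# an escrowed key comes down to on the device. Needs root.
prk_valid_on_disk() {
  prk_well_formed "$1" || return 1
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict><key>RecoveryKey</key>'
    printf '<string>%s</string></dict></plist>\n' "$1"
  } | fdesetup validaterecovery -inputplist 2>/dev/null | grep -q '^true$'
}

# Conditions under which the agent can rotate without prompting the user.
preflight() {
  rc=0
  status_out=$(fdesetup status 2>&1)
  if fv_is_on "$status_out"; then
    echo "ok: FileVault is on"
  else
    echo "fail: $status_out"; rc=1
  fi
  token_out=$(sysadminctl -secureTokenStatus "$ADMIN" 2>&1)
  if has_secure_token "$token_out"; then
    echo "ok: $ADMIN holds a SecureToken, silent rotation is possible"
  else
    echo "fail: $token_out (expect a user prompt instead of silent rotation)"; rc=1
  fi
  return "$rc"
}

# Only touch the live system when the macOS tools exist and we are root.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  preflight
fi
```

Two caveats when using this alongside the MDM workflow: `fdesetup validaterecovery` tests the key against the disk, so a `false` on a key that the dashboard shows as current means the escrow is stale and is exactly the case Rotate If Key Is Invalid is meant to repair; and rotating by hand with `fdesetup changerecovery -personal` produces a key the dashboard does not know about until the next validation or agent-driven rotation, so prefer the dashboard's manual rotation option over running that command yourself.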

When Silent Rotation Fails

If the agent cannot perform a silent rotation, the rotation falls back to the user, provided Fallback to User Prompt for Password is enabled on the dashboard:

  1. The user receives a prompt listing the SecureToken-enabled user accounts on the device.

  2. In the prompt, the user:

    • Selects a username.

    • Enters that account's password.

    • Clicks Proceed.

  3. If the credentials are valid, the key is rotated and the new key is synced to the Dashboard. If the user does not respond within the configured Maximum Wait Time for User Prompt, the rotation is marked as failed.

Viewing and Managing FileVault Keys from the Dashboard

1. From Device Details

  1. Go to Device Details > click the Gear icon > select Full Device Info.

  2. Navigate to the FileVault Info tab.

Here, you can:

  1. View Personal Recovery Key: Click View Key, enter your Scalefusion Dashboard password, and click Submit.

  2. View FileVault Rotation History: See the status, timestamp, and failure reason (if any) of each rotation attempt. To view it,

    1. Click the icon next to the recovery key.

    2. A dialog opens showing the FileVault key rotation history, with the following details for each entry:

      1. Status: Outcome of that rotation attempt (Rotated, Failed, etc.).

      2. Timestamp: The date and time at which the rotation was performed.

      3. Additional Info: Supporting detail such as the reason a rotation or a key validation failed.

  3. Rotate FileVault Key Manually: Use this option to trigger a rotation on demand; its outcome appears in the rotation history like a scheduled one.

2. FileVault Status Report

  • Navigate to the FileVault Status Report section for a summary of:

    • FileVault enablement status

    • Last key rotation

    • Validation success/failure

    • Any pending prompts or issues
