The personal recovery key is generated when FileVault 2 encryption is enabled and remains valid until the personal recovery key is changed or the disk is decrypted using that key.
To view an escrowed recovery key, perform the following within the Device Details page on the UEM console.
- Select the Security tab.
- Select View Recovery Key.
- Note the Personal Recovery Key that is escrowed.
- If required, note the Previous Recovery Key. The Previous Recovery Key field is loaded with the old key only if the Personal Recovery Key had been rotated at least once.
- Close when finished viewing the key.
If an encrypted macOS volume is decrypted and then re-encrypted, then the previous personal recovery key would become invalid and a new one is created as part of the re-encryption process.