Missing Encryption Recovery Key FAQ

Answers to frequently asked questions

What is the problem?

Some encryption recovery keys for macOS and Windows computers that were backed up using the Stanford Whole Disk Encryption service are not available for retrieval in MyDevices, although they should be. Correcting the problem will in many cases require action on the part of affected users.

What is an encryption recovery key and why is it important?

If you're ever locked out of an encrypted macOS or Windows computer, e.g., because you've forgotten the necessary password, you will need an encryption recovery key to unlock it. In most cases, Stanford users should have their keys securely backed up by University IT (also known as "key escrow"), so that they can be retrieved in MyDevices.

Note that VLRE users, during installation of the VLRE software, can choose not to escrow their recovery keys, although it's strongly recommended that they do so.

Who is affected by the missing recovery key problem?

Anyone who encrypted a macOS or Windows computer using Stanford-provided software (i.e., SWDE or VLRE) could find that the encryption recovery key for that computer isn't retrievable in MyDevices. Mobile devices are not affected.

Will device compliance be affected by this problem?

No. It is not required that a device's encryption recovery key be backed up in MyDevices for the device to be compliant.

What should I do to correct this problem?

You can first check to see if any device belonging to you does not have a key available for retrieval in MyDevices. If you find a device for which a key should be available but is not, you can fix the problem by downloading and running the Key Escrow Tool for Mac or the Key Escrow Tool for Windows. The tool must be run on each device whose key is missing.

In some cases an alert will appear on the desktop of an affected macOS device, requesting that you run the Encryption Recovery Key Escrow Tool. The tool is then delivered automatically using BigFix. BigFix is required for devices subject to Stanford's compliance rules, if those devices are not using VLRE.

[Image: alert that displays when BigFix is deploying the Key Escrow Tool]

You can verify that a device's key has successfully been escrowed by checking its Device Details page in MyDevices, bearing in mind that there will be a delay of up to 8 hours between the time you run the Encryption Recovery Key Escrow Tool and the time the key can be retrieved in MyDevices.

How can I tell if a device's recovery key is in MyDevices?

You can tell whether a particular device has a recovery key available for retrieval by looking in MyDevices. For each device, check the Device Details page by clicking the Model name. The Encryption Status line will state "Encryption key not available for the device" if there's no key in escrow, and otherwise you'll see a link to retrieve the key.

[Image: device information showing encryption status]

Users who have one or more devices with missing recovery keys will also see an announcement on their MyDevices main page listing the names of the affected devices. Clicking on a device name will bring up its Details page.

[Image: announcement listing names of devices with recovery keys not backed up]

Will affected users be notified?

Yes. Starting on April 20, 2017 there will be an announcement displayed on the MyDevices main page for affected users, which will list each device for which a key is missing. There will be broad outreach to the university's technical support community. Eventually affected users who have not already taken action may be notified directly by e-mail.

What caused the missing recovery key problem in MyDevices?

A bug in the Stanford Whole Disk Encryption (SWDE) desktop application for macOS and Windows, which was fixed in December 2016, sometimes caused recovery keys not to be stored in MyDevices.

At first, the problem was apparent only when someone tried to retrieve a key. Now MyDevices clearly indicates whether a given device's recovery key is available for retrieval.

What is key escrow?

Key escrow is secure storage by Stanford University IT of encryption recovery keys for specific devices, so that they may be retrieved from MyDevices when needed. Only the person whose device's key is in escrow can retrieve the key, absent extraordinary circumstances. Recovery keys are stored in encrypted form.

What happens if I use VLRE and choose not to escrow a key?

You will need to save your encryption recovery key by some other means, such as writing it down on a piece of paper that's stored in a secure location that's reliably accessible to you. You can also escrow keys with other services, such as that provided by Apple for macOS devices.

What if I'm running a version of macOS prior to 10.9.5?

For versions of macOS prior to 10.9.5, you will either have to enter the device's existing recovery key manually in the Encryption Recovery Key Escrow Tool, assuming you have the key, or else you'll have to decrypt and re-encrypt the device using SWDE. The software will guide you through the process.

What if I'm prompted for a password I don't have?

If the Encryption Recovery Key Escrow Tool prompts you for an administrator password that you don't have, you will probably need to get assistance from your local technical support group.

What if MyDevices shows there's a missing key, but the Key Escrow Tool shows there's not?

In some cases MyDevices might report that a device's encryption recovery key is missing, but when you run the Key Escrow Tool on that device, the tool will report that the key is already backed up. In this situation the information in MyDevices may be incorrect, so if possible you should wait a day and look in MyDevices once again.

If the key still appears to be missing, you can use the Key Escrow Tool to create a new recovery key. If you create a new key, it should appear in MyDevices within 12 hours. If you need help, please contact IT support.

What if I need help?

If you need further assistance, please contact your local IT support, submit a Help ticket, or call 725-HELP (5-4357).

Last modified September 15, 2017