Setting a FileVault Master Keychain
You can set a FileVault master keychain to decrypt any account that uses FileVault to encrypt data. You should set a FileVault master keychain to ensure that data is not lost in the event of a forgotten password. If you forget the FileVault account password, which is used to decrypt encrypted data, you can use the FileVault master keychain to decrypt the data. To create the FileVault master keychain, set a master password using the Security preference pane in System Preferences. This creates a keychain called FileVaultMaster.keychain located in /Library/Keychains/.
The FileVault master keychain now contains both a FileVault recovery key (a self-signed root CA certificate) and a FileVault master password key (the matching private key). After backing it up, you should delete the private key from FileVaultMaster.keychain. This ensures that even if someone is able to unlock the FileVault master keychain, that person would be unable to decrypt the contents of a FileVault account, because no FileVault master password private key is available for the decryption.
Centrally Managing FileVault
Once you modify the FileVault master keychain, you can distribute it to all of your network computers. Distribution is done by transferring FileVaultMaster.keychain to the desired computers in one of these ways: using Apple Remote Desktop, executing a distributed installer on each computer, scripting using various techniques, or just including it in the original disk image if your organization restores systems with a default image.
Copying the FileVaultMaster.keychain file to target computers provides network management of any FileVault account created on any computer with the modified FileVaultMaster.keychain located in the /Library/Keychains/ folder. On these computers, Security preferences indicate that a master password is set.
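An added audit script, not part of the guide, that checks a distributed FileVaultMaster.keychain on a managed Mac: it must hold the recovery certificate but no identity (a certificate paired with its private key), which is the state the preceding steps leave it in. It assumes the keychain path given above and the output formats of the `security find-identity` and `security find-certificate` commands.

```shell
#!/bin/sh
# Audit /Library/Keychains/FileVaultMaster.keychain on a managed computer.
KEYCHAIN="${1:-/Library/Keychains/FileVaultMaster.keychain}"

# count_identities: reads `security find-identity` output on stdin and prints
# how many identities (certificate + matching private key) the keychain holds.
# The "N valid identities found" line is deliberately ignored: a self-signed
# root may fail the validity policy even when its private key is still there.
count_identities() {
    n=$(grep -E '^[[:space:]]*[0-9]+ identities found' | awk '{print $1}' | head -n 1)
    echo "${n:-0}"
}

# count_certificates: reads PEM output of `security find-certificate -a -p`
# on stdin and prints the number of certificates present.
count_certificates() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# classify: 0 = safe to distribute (certificate only),
#           1 = master password private key still present,
#           2 = no recovery certificate at all.
classify() {
    ids="$1"; certs="$2"
    if [ "$certs" -eq 0 ]; then echo 2
    elif [ "$ids" -gt 0 ]; then echo 1
    else echo 0; fi
}

# audit_keychain: runs the two security(1) queries against a keychain file.
audit_keychain() {
    kc="$1"
    ids=$(security find-identity "$kc" 2>/dev/null | count_identities)
    certs=$(security find-certificate -a -p "$kc" 2>/dev/null | count_certificates)
    classify "$ids" "$certs"
}

# Only query the keychain where the security tool exists (macOS).
if command -v security >/dev/null 2>&1; then
    case $(audit_keychain "$KEYCHAIN") in
        0) echo "OK: $KEYCHAIN holds the recovery certificate and no private key" ;;
        1) echo "WARNING: $KEYCHAIN still contains the master password private key" ;;
        2) echo "WARNING: no recovery certificate found in $KEYCHAIN" ;;
    esac
fi
```

Run it with Apple Remote Desktop or a login script after distribution; a result of 1 means the backup-and-delete step was skipped on the keychain that was copied out.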
When a new user account is created and the modified FileVault master keychain is present, the public key from the FileVault recovery key is used to encrypt the dynamically generated AES 128-bit symmetric key. The latter key is used for the encryption and decryption of the encrypted FileVault disk image. To decrypt the encrypted disk image, the FileVault master password private key is required to decrypt the original dynamically generated AES 128-bit symmetric key. The user’s original password continues to work as normal.
The master password is intended to be used only when the user has forgotten the account password, or when the organization must perform data recovery from a user’s computer.