{"id":13742018,"url":"https://github.com/macadmins/escrow-buddy","last_synced_at":"2026-01-12T06:32:24.706Z","repository":{"id":174753854,"uuid":"650653291","full_name":"macadmins/escrow-buddy","owner":"macadmins","description":"A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.","archived":false,"fork":false,"pushed_at":"2024-08-25T15:19:22.000Z","size":3535,"stargazers_count":237,"open_issues_count":2,"forks_count":15,"subscribers_count":17,"default_branch":"main","last_synced_at":"2025-06-09T05:46:19.015Z","etag":null,"topics":["authorization-plugin","filevault","full-disk-encryption","loginwindow","macadmin","macos","mdm","personal-recovery-key"],"latest_commit_sha":null,"homepage":"","language":"Objective-C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/macadmins.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-07T14:16:23.000Z","updated_at":"2025-06-05T13:02:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"a9c1b0ef-2e4c-464d-a21b-9dd3cc4f29af","html_url":"https://github.com/macadmins/escrow-buddy","commit_stats":null,"previous_names":["macadmins/escrow-buddy"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/macadmins/escrow-buddy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fescrow-buddy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fescrow-buddy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fescrow-buddy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fescrow-buddy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/macadmins","download_url":"https://codeload.github.com/macadmins/escrow-buddy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/macadmins%2Fescrow-buddy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28336316,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T06:09:07.588Z","status":"ssl_error","status_checked_at":"2026-01-12T06:05:18.301Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization-plugin","filevault","full-disk-encryption","loginwindow","macadmin","macos","mdm","personal-recovery-key"],"created_at":"2024-08-03T04:01:05.351Z","updated_at":"2026-01-12T06:32:24.691Z","avatar_url":"https://github.com/macadmins.png","language":"Objective-C","readme":"# ![Escrow Buddy](images/escrow_buddy_logo_300px.png)\n\n**Escrow Buddy is a macOS authorization plugin that allows MDM administrators to generate and escrow new FileVault personal recovery keys on Macs that lack a valid escrowed key in MDM.**\n\nFor more context around the problem of missing FileVault keys in MDM and Escrow Buddy's origin, see [this post on the Netflix Tech Blog](https://netflixtechblog.com/escrow-buddy-an-open-source-tool-from-netflix-for-remediation-of-missing-filevault-keys-in-mdm-815aef5107cd).\n\nIf you've successfully deployed Escrow Buddy, we'd love to know the details in [this brief survey](https://forms.gle/cRY3t2cRwZMQtGbb8). Thank you!\n\n---\n\n## Requirements\n\n- Your managed Macs must:\n    - be enrolled in an MDM\n    - have macOS Mojave 10.14.4 or newer\n- Your MDM must:\n    - support FileVault recovery key escrow\n    - deploy a configuration profile with the [FDERecoveryKeyEscrow](https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow) payload\n    - have the ability to install packages and run shell scripts\n\n**NOTE**: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.\n\n---\n\n## Deployment\n\n1. **Ensure you have an escrow profile scoped to all Macs** with the [FDERecoveryKeyEscrow](https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow) payload.\n\n    This will ensure that any newly generated FileVault recovery key, no matter how it's generated, will be escrowed to your MDM server.\n\n1. Use your MDM to **install the [latest Escrow Buddy installer package](https://github.com/macadmins/escrow-buddy/releases/latest)** on your Macs.\n\n    You can choose to install on all Macs or limit to those that need FileVault recovery keys escrowed.\n\n1. Use your MDM to **run this command** (in root context) on Macs that do not have a valid FileVault recovery key escrowed:\n\n        defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true\n\n    It is recommended to have this script run dynamically on Macs that need it using your MDM's dynamic scoping feature. See the [Examples](https://github.com/macadmins/escrow-buddy/wiki/Examples) page for examples.\n\nThat's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.\n\n---\n\n## Support\n\nSee the wiki for [Frequently Asked Questions](https://github.com/macadmins/escrow-buddy/wiki/FAQ) and [Troubleshooting](https://github.com/macadmins/escrow-buddy/wiki/Troubleshooting) resources.\n\nIf you've read those pages and are still having problems, please search our [issues](https://github.com/macadmins/escrow-buddy/issues) (both open and closed) to see whether your issue has already been addressed there. If not, you can [open an issue](https://github.com/macadmins/escrow-buddy/issues/new?template=default.md).\n\nFor a faster and more focused response, be sure to provide the following in your issue:\n\n- Log output (see [wiki](https://github.com/macadmins/escrow-buddy/wiki/FAQ#how-do-i-view-escrow-buddys-logs) for information on retrieving logs)\n- macOS version you're deploying to\n- MDM (name and version) you're using\n- What troubleshooting steps you've already taken\n\n---\n\n## Contribution\n\nContributions are welcome! To contribute, [create a fork](https://github.com/macadmins/escrow-buddy/fork) of this repository, commit and push changes to a branch of your fork, and then submit a [pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request). Your changes will be reviewed by a project maintainer.\n\nContributions don't have to be code; we appreciate any help maintaining our [wiki](https://github.com/macadmins/escrow-buddy/wiki) or answering [issues](https://github.com/macadmins/escrow-buddy/issues).\n\nAlso, if you've successfully deployed Escrow Buddy at your organization, please consider submitting [our brief survey](https://forms.gle/cRY3t2cRwZMQtGbb8) for measuring the project's community impact.\n\n---\n\n## Credits\n\nEscrow Buddy was created by the **Netflix Client Systems Engineering** team.\n\nThe [Crypt](https://github.com/grahamgilbert/crypt) project was a major inspiration in the creation of this tool — huge thanks to Graham, Wes, and the Crypt team! Jeremy Baker and Tom Burgin's 2015 PSU MacAdmins [session](https://www.youtube.com/watch?v=tcmql5byA_I) on authorization plugins was also a valuable resource.\n\nEscrow Buddy is licensed under the [Apache License, version 2.0](https://www.apache.org/licenses/LICENSE-2.0).\n","funding_links":[],"categories":["Utilities"],"sub_categories":["Escrow Buddy"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacadmins%2Fescrow-buddy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmacadmins%2Fescrow-buddy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacadmins%2Fescrow-buddy/lists"}