If all FileVault-enabled users on a system forget their passwords, no other credentials are available, and no recovery key is available, the encrypted volume cannot be unlocked and the data is inaccessible. Data may be lost permanently, so proper recovery planning is essential.
A new recovery key is generated each time disk encryption is activated. If Sophos SafeGuard Native Device Encryption is not installed at the time of encryption, the key is displayed to the user, who is then responsible for protecting it against loss. If Sophos SafeGuard Native Device Encryption is installed, the key is sent securely to the SafeGuard Enterprise backend and stored centrally, and the security officer can retrieve it whenever needed. See Reset forgotten password.
Even if SafeGuard Native Device Encryption was not installed when the disk was encrypted, the recovery key can still be managed centrally. To do so, you must import it. The relevant command line option is sgdeadmin --import-recoverykey; see also Command line options. The recovery key will be sent in upper case.
If an institutional recovery key is present, it can also be used for recovery. For more information, see OS X: How to create and deploy a recovery key for FileVault 2 at support.apple.com/kb/HT5077.
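As part of recovery planning, the following added example (not Sophos code) reports which of the recovery paths described above exist on a Mac, using Apple's fdesetup tool. The function name recovery_paths and the FDESETUP override are assumptions made for this example; it cannot tell whether a personal recovery key has actually been stored in SafeGuard Enterprise.

```shell
#!/bin/sh
# Added example, not Sophos code. Run as root on the Mac being audited.
# Assumption: Apple's fdesetup tool is used; FDESETUP may name a stand-in
# command so the logic can be exercised off-device.

# Prints one of: off | none | personal | institutional | both | unknown
# Returns 0 when a recovery path exists (or FileVault is off),
# 1 when FileVault is on with no recovery key, 2 when the state is unknown.
recovery_paths() {
    tool="${FDESETUP:-fdesetup}"
    status=$("$tool" status 2>/dev/null || true)
    case "$status" in
        *"FileVault is On"*)  ;;
        *"FileVault is Off"*) echo off; return 0 ;;
        *)                    echo unknown; return 2 ;;
    esac

    # Both subcommands print "true" or "false".
    prk=$("$tool" haspersonalrecoverykey 2>/dev/null || true)
    irk=$("$tool" hasinstitutionalrecoverykey 2>/dev/null || true)

    case "$prk/$irk" in
        true/true)   echo both ;;
        true/*)      echo personal ;;
        */true)      echo institutional ;;
        false/false) echo none; return 1 ;;
        *)           echo unknown; return 2 ;;
    esac
}

# Usage: sh check_recovery.sh --report
if [ "${1:-}" = "--report" ]; then
    recovery_paths
fi
```

A result of none means the volume depends entirely on user passwords. A result of personal means a key exists and should be confirmed as stored centrally or imported.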