Forums Knox

How to create and use a Master Key


 
Simplex 1 post

Is there any chance of a step-by-step explanation of creating a certificate with Certificate Assistant for use with Knox? Great new feature. I’m just a little confused about where to start. Thanks!

 
Marko Karppinen Administrator 68 post(s)

The Master Key feature in Knox 1.5 isn’t really ready for prime time yet. The reason it appeared in Knox 1.5 is that it enables administrators in managed environments to deploy Knox on dozens or even hundreds of machines and know that data will be recoverable even if an individual user loses his password. There will be an end-user friendly user interface to this feature in a future Knox release, but for now, you need to do what the professional admins do:

  • First, launch Keychain Access from /Applications/Utilities.
  • Choose File > New Keychain…. Name the new keychain “masterkey” and store it on your desktop.
  • Enter a secure password for the new keychain. This password along with the possession of the keychain file will give access to all of your vaults.
  • From the Keychain Access menu, choose Certificate Assistant.
  • Click Continue two times to skip the first two screens.
  • On the next screen, enter My Knox Master Key as the Common Name, then click Continue.
  • Dismiss the warning about a self-signed certificate with OK. Click Continue four times.
  • Select the keychain “masterkey” from the pull-down menu, then click Continue again.
  • The certificate has now been created. Click Done to quit the Certificate Assistant.
Back in Keychain Access:
  • Find the “My Knox Master Key” certificate from the masterkey keychain, select it and click File > Export….
  • In the Save dialog, navigate to Library/Application Support under your home folder. Create a new folder “Knox”.
  • Enter the name “Knox” on the Save As: field and make sure that you have chosen the “Certificate (.cer)” file format.
  • Click Save.
  • Select the masterkey keychain from the Keychains list, then click File > Delete Keychain “masterkey”.
  • Click Delete References, not Delete References & Files.

Any vault you create can now be opened with the Master Key. The New Vault dialog states this: This vault can also be opened with a master key. You can copy the Knox.cer file to other computers and accounts, and all vaults created can be opened with the key.

What about recovery?
Knox doesn’t currently offer a user interface to recover a vault with the master key.
You need to go to the Terminal and enter:

hdiutil chpass "/path/to/my/vault/file.sparseimage" -recover "/path/to/my/masterkey.keychain"

You will be asked for the password to the Master Key keychain, and then for a new password for the vault.
Finally, the vault will open.

Please do remember that you need both the Master Key keychain and the password to that keychain to open a vault. If you misplace either of those, there is no chance of recovery. Also, please test recovery in practice before relying on it.
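A small pre-flight wrapper for the recovery step above, added here as an example rather than Knox's own tooling: it refuses to run hdiutil unless both the vault image and the master key keychain file are actually present (the two things the post says you cannot recover without), and a DRY_RUN mode lets you rehearse the procedure and see the exact command before it changes the vault password. Function names and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight wrapper for Knox master-key recovery (example code, not Knox's own).
# Recovery needs both the vault image and the master key keychain file; a
# missing keychain means no recovery is possible, so we check before hdiutil runs.
# Function names below are assumptions for this example.

# Print the exact hdiutil command that would be run, with both paths quoted.
knox_recover_command() {
  vault="$1"; keychain="$2"
  printf "hdiutil chpass '%s' -recover '%s'\n" "$vault" "$keychain"
}

# Check the two recovery inputs; return 1 with a reason on stderr if anything is off.
knox_recover_preflight() {
  vault="$1"; keychain="$2"
  case "$vault" in
    *.sparseimage|*.dmg) ;;
    *) echo "not a disk image: $vault" >&2; return 1 ;;
  esac
  [ -f "$vault" ]    || { echo "vault not found: $vault" >&2; return 1; }
  [ -f "$keychain" ] || { echo "master key keychain not found: $keychain" >&2; return 1; }
  [ -s "$keychain" ] || { echo "keychain file is empty: $keychain" >&2; return 1; }
  return 0
}

# Run the recovery. With DRY_RUN=1 only the command is printed, so the
# procedure can be rehearsed without touching the vault.
knox_recover() {
  vault="$1"; keychain="$2"
  knox_recover_preflight "$vault" "$keychain" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    knox_recover_command "$vault" "$keychain"
    return 0
  fi
  command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not available (macOS only)" >&2; return 2; }
  # hdiutil prompts for the keychain password, then for a new vault password.
  hdiutil chpass "$vault" -recover "$keychain"
}

# Is the exported master key certificate deployed for this account? The post
# above places it at ~/Library/Application Support/Knox/Knox.cer.
knox_master_key_installed() {
  [ -f "${HOME}/Library/Application Support/Knox/Knox.cer" ]
}
```

Run `DRY_RUN=1 knox_recover vault.sparseimage masterkey.keychain` first to confirm the paths resolve, then repeat without DRY_RUN on the Mac that holds the keychain.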
