FileVault is a robust full-disk encryption system that Apple released way back with Mac OS X 10.7 Lion. It encrypts all the data on your disk at rest, so when your Mac is fully shut down, its data is unrecoverable without an approved account’s password or a Recovery Key.
Some readers trying to turn on or disable FileVault have been met with the message:
A recovery key has been set by your company, school or institution.
What perplexes them is that this occurs on a personal Mac, one that has never belonged to a company, school, or institution.
The answer appears to be that two files can remain from previous installations, sometimes apparently when you make a disk clone and restore it to a new Mac. These files confuse macOS into thinking the system is under management, with the disk encryption controlled by an administrator.
However, the problem appears easy enough to solve.
To enable personal FileVault
For most users, it’s a simple process:
- In the Finder, choose Go > Go To Folder.
- Paste in
/Library/Keychains and click Go.
- In the folder that appears, remove two files:
You should then be able to proceed.
To switch active, managed FileVault
If FileVault is already enabled, you need to try a command-line solution instead. Launch Terminal and then copy and paste the following commands with a Return at the end. You will be prompted at least once for your administrative password:
sudo fdesetup removerecovery -institutional
sudo fdesetup changerecovery -personal
The second command will produce a fresh Recovery Key, which you must write down or otherwise retain. It’s the only backup option besides an authorized account and password to recover a disk, and often must be used in a pinch. Preserve it as your last line of defense for disk recovery.
This Mac 911 article is in response to a question submitted by Macworld reader Steve.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to email@example.com including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.