The FileVault option in macOS is a fantastic way to enhance the security of your data at rest. It’s full-disk encryption (FDE), meaning that your entire startup volume is locked away when macOS is shut down (not just sleeping) using strong encryption. Without the password that unlocks an account on your Mac that’s authorized to log in with FileVault, there’s no effective way to bring that computer to life.
That’s a problem, however, if you forget the password to all the authorized account or, in some cases I’ve received a few emails about, something goes wrong and the Recovery Disk—used both for “cold start” logins to macOS and to diagnose problems on your startup volume—demands a login that doesn’t work.
In those cases, the recovery key set at the time you turned on FileVault on your Mac can do the trick. But if enough time has passed, you might have forgotten where you stashed the key or how to retrieve it. Macworld reader Elaina falls into that camp. She can’t find the key, and she remembers using the iCloud option to store it, but has examined iCloud Drive and can’t find it. She hasn’t yet been in a situation where she needs it, but she’s concerned that you could wind up locked out and not be able to obtain the recovery key.
This is a problem with security options on systems reliable enough that you don’t have to work with them regularly to refresh your memory. (And it’s why Apple shifted iOS two years ago to require that you enter your passphrase every six days, even if you have Touch ID enabled.)
When you first set up FileVault in the Security & Privacy system preference pane in the FileVault tab, one of the steps asks you whether you want to use your iCloud account as a way to unlock your disk and reset your macOS account password if you can’t find your recovery key.
If you choose iCloud, the recovery key isn’t stored loosely in iCloud Drive or as a file, but it’s tied into behind-the-scenes account information that Apple maintains. It’s fully encrypted in such a way that even Apple doesn’t have access to the unencrypted recovery key data, but Apple can deliver the encrypted recovery key to your Mac if you need to reset your password. You never see the recovery key nor have to enter it in this configuration. (The process is a little involved: Apple describes it in the section “Reset using the Reset Password assistant (FileVault must be on)” in this support document.)
If you choose the other path, where FileVault generates a recovery key and displays it, you need to make sure and write it down or enter it electronically, and store it securely in such a way that you’ll have access even when your Mac can’t be booted. I use 1Password’s secure notes for this purpose, but any method of storage that’s reliable, secure, and accessible will work.
A good strategy would be to set a quarterly reminder to look for your recovery key (and other important passwords and keys you have to store in the same place). If you can’t find it, disable FileVault in macOS and re-enable it. This will take a while, as the entire drive is decrypted and then re-encrypted, but macOS generates an entirely new recovery key, which you can then more carefully note again.
With each of the above situations, if you can’t log into iCloud or you lose the recovery key, your Mac’s files are irretrievable forever, as I wrote about last year.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to email@example.com including screen captures as appropriate, and whether you want your full name used. Every question won’t be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.