How to remove your FileVault recovery key from iCloud

You can use Apple iCloud for escrow, but here's how to store the key locally if you change your mind.


FileVault offers the fantastic option in macOS to encrypt your entire drive. On Macs from the past several years, that whole-disk encryption allows nearly the same performance as an unencrypted drive, because the cryptographic calculations are accelerated in hardware.

To avoid losing your files forever if you forget your password or lose it from a stored location, macOS offers to either reveal to you a special Recovery Key that you have to make a record of, or—starting with Yosemite—lets you use iCloud to unlock your drive. (There’s a special Mavericks-only option that requires answering security questions; read this Apple support note for details, especially the footnote at the end.)


Apple gives you the option to escrow your Recovery Key.

The Recovery Key works at a “cold” startup after your Mac has been shut down when you’re prompted to log into an account that you’ve enabled for FileVault access. At that stage, you can click a question mark and enter your Recovery Key to reset the password for the account. With iCloud escrow for recovery, you log into your iCloud account.

Macworld reader Ester set up iCloud as the option for their Mac’s FileVault recovery, and now wants to change it. What’s the process for doing this?

It’s tedious, but rightly so. Apple doesn’t provide a way to switch from escrow to personal control. Instead, you have to decrypt your drive, then re-enable FileVault.

  1. In the Security & Privacy system preference pane click the FileVault tab.
  2. Click the lock icon at the lower left and enter an account name and password with administrative access.
  3. Click the Turn Off FileVault button.
  4. Confirm you want to disable FileVault by clicking Restart & Turn Off Encryption.

Disable FileVault as the first step to changing the Recovery Key.

  5. Your Mac now restarts. After you log back in, it begins decrypting the entire contents of the drive. This can take a while.
  6. When it’s completed, you’ll be able to return to the FileVault tab and click Turn On FileVault.
  7. At the Recovery Key prompt, choose Create a Recovery Key and Do Not Use My iCloud Account.
  8. Write that key down or otherwise make a permanent record of it!
  9. Once again, you’ll restart, and after your Mac is back up and running, it begins encrypting everything on the drive.

This is the same process to use, by the way, if you lose your Recovery Key.
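To follow the decrypt and re-encrypt cycle from Terminal instead of watching the FileVault tab, the script below maps the output of `fdesetup status` to the next step in the procedure. It is an added example, not part of the original column; the function names are hypothetical, and the status wording it matches is an assumption about what `fdesetup status` prints.

```shell
#!/bin/sh
# Added example: track the FileVault off/on cycle described above.
# Assumption: `fdesetup status` prints lines such as "FileVault is On.",
# "FileVault is Off." and "Decryption in progress: Percent completed = 34".

# fv_state TEXT -> decrypting | encrypting | on | off | unknown
# Progress lines are checked first because they can appear alongside
# an On/Off line while a conversion is still running.
fv_state() {
  case "$1" in
    *"Decryption in progress"*) echo decrypting ;;
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# fv_percent TEXT -> number after "Percent completed =", empty if absent
fv_percent() {
  printf '%s\n' "$1" |
    sed -n 's/.*Percent completed = *\([0-9.]*\).*/\1/p' | head -n 1
}

# fv_next_step TEXT -> what to do next in the procedure
fv_next_step() {
  case "$(fv_state "$1")" in
    decrypting) echo "wait: decryption at $(fv_percent "$1")%" ;;
    off)        echo "turn on FileVault and choose Create a Recovery Key" ;;
    encrypting) echo "wait: encryption at $(fv_percent "$1")%" ;;
    on)         echo "done: check your written key with: sudo fdesetup validaterecovery" ;;
    *)          echo "unrecognized status output" ;;
  esac
}

# On a Mac, report against the live status; on other systems do nothing.
if command -v fdesetup >/dev/null 2>&1; then
  fv_next_step "$(fdesetup status)"
fi
```

Once encryption has finished, `sudo fdesetup validaterecovery` prompts for the Recovery Key and reports whether the one you recorded is correct.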

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Every question won’t be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.

  