How to make FileVault work again when you’re missing a 'secure token'

A long-running problem appears to have a solution.


Several months ago, we posted a column called “What to do when FileVault won’t turn on,” which offered a set of strategies for when you couldn’t get macOS to let you enable FileVault, Apple’s full-disk encryption (FDE) technology. These worked for some people who have followed up with us. The most severe of the scenarios was the “nuclear option,” which required making a full backup or clone of your Mac, erasing the drive, reinstalling macOS, and restoring your previous files. This would always re-enable the FileVault capability, but it’s a big investment of time and effort.

I’d put off carrying it out on my MacBook, which had this problem, hoping another alternative would emerge. Fortunately, Rich Trouton has a solution at his Der Flounder site, where he often provides insight into tricky or unsolvable disk-formatting and encryption issues. (Thanks also to reader Christophe for alerting me to Trouton’s update.)

There’s a process far shy of nuclear that worked for me and others who have tried it. As I noted in the original article, Apple added the concept of a “secure token” on top of FileVault to ensure that only macOS accounts with the right level of permission can initiate a FileVault encryption conversion and have access to it. In some cases, such as with my laptop, the secure token would be dropped from all accounts, making FileVault encryption impossible.

Before starting, check that FileVault still can’t be enabled (via steps 6, 7, and 8 below). My iMac also lacked a secure token and FileVault wasn’t an option months ago. One of the incremental Mojave updates must have taken care of it, as it’s now available and working.

Trouton’s solution—for which he thanks the excellent MacAdmins group for “identifying and testing”—involves resetting the password for all existing accounts through a Terminal command initiated in macOS Recovery. It’s not hard to do, even though it sounds convoluted:

  1. Restart your Mac and hold down Command-R to start up in macOS Recovery.
  2. From the Utilities menu, select Terminal.
  3. Enter the command resetFileVaultpassword and press Return. It may take a moment for a dialog box to appear.
  4. In the Reset Password dialog box, set a password for every macOS account; the display is a little different if you have a single account or multiple accounts on the machine. You can even re-enter the current password, which counts as “resetting” it.
  5. When you’ve reset the password for the single account or for every account, click Restart (single account) or Next (multiple accounts).
  6. After macOS starts up, open the Security & Privacy preference pane, and click the FileVault tab.
  7. Click the lock at the lower-left corner of the pane and enter your administrative password.
  8. The Turn On FileVault button should now be available to click. Click it and follow the normal procedure for enabling FileVault.

I discovered in my testing that while all the above worked correctly and the secure token was re-enabled, the FileVault progress bar said encryption was “paused.” However, after restarting my Mac manually, I used the Terminal command fdesetup status, which reveals the current percentage completion of FileVault’s conversion, and it was both greater than zero and growing as I checked it over time. Eventually, the preference pane began to show progress and provide an estimate of time remaining.
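If you want to confirm the state of things from Terminal, both before starting (is the secure token really missing from every account?) and afterwards (is the conversion actually progressing?), the script below does both. It is an added example, not code from the article or from Trouton’s post; it assumes the standard macOS tools sysadminctl, dscl, and fdesetup, and the wording of their output as captured on recent macOS releases.

```bash
#!/bin/sh
# Added example: report Secure Token status for every local account and the
# FileVault conversion percentage. The parsing is split out from the command
# execution so it can be exercised against captured sample output.

# parse_token_status: given the output of `sysadminctl -secureTokenStatus USER`
# (which it writes to stderr), print ENABLED, DISABLED, or UNKNOWN.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# parse_fv_percent: given the output of `fdesetup status`, print the conversion
# percentage; 100 when FileVault is on with no conversion running, 0 when off.
parse_fv_percent() {
  case "$1" in
    *"Percent completed = "*)
      echo "$1" | sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p' | head -n 1 ;;
    *"FileVault is On."*) echo 100 ;;
    *)                    echo 0 ;;
  esac
}

# report: live check, macOS only; run it from an administrator account.
report() {
  # Local accounts with UID 500 and above are the human accounts worth checking.
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r user; do
    line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    printf '%-20s secure token: %s\n' "$user" "$(parse_token_status "$line")"
  done
  echo "FileVault conversion: $(parse_fv_percent "$(fdesetup status)")%"
}

# Only attempt the live report on macOS; elsewhere the parsers are still usable.
if [ "$(uname)" = "Darwin" ]; then
  report
fi
```

If every account reports DISABLED and fdesetup reports FileVault Off, you are in the situation the steps above address; re-run the script after step 8 to watch the percentage climb even while the preference pane still says “paused.”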

This Mac 911 article appears thanks to information submitted by Macworld reader Christophe.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
