FileVault is an excellent tool to protect your Mac’s drive when it’s shut down. When FileVault is active, someone powering up your machine cannot gain access through any means to the encrypted data on your startup volume without knowing the password of one of your accounts.
(FileVault also enables full-disk encryption on Intel Macs without a T2 Security Chip. All T2-equipped Macs starting in 2017 and all M1 Apple silicon Macs have FDE always enabled.)
When you turn on FileVault, macOS prompts you about a critical backup element, the FileVault Recovery Key. You can choose to have it stored securely in escrow via iCloud. Then you just need your iCloud account, password, and second factor (like a trusted device) to regain access if you ever find yourself locked out of your Mac because an account password ceases to work.
But you can also opt to track the Recovery Key yourself, as I describe in this column from 2018. However, a reader asked about a problem that can arise if you disable and re-enable FileVault (which takes just seconds with a T2-equipped or M1 Mac) or migrate to a new Mac: you might be left with multiple Recovery Keys you’ve noted over time.
If you haven’t carefully tracked your Recovery Key, you could wind up being unsure which is accurate for your current Mac and FileVault encryption setup. There’s fortunately an easy way to check.
Launch Applications > Utilities > Terminal.
Type exactly the following and press Return: sudo fdesetup validaterecovery
The sudo command warns you about the dangers of this “superuser” mode if it’s the first time you’ve used it. Enter your password (you must be using an administrator account), and press Return.
At the “Enter the current recovery key:” prompt, type or paste in the Recovery Key and press Return.
You will see true if the Recovery Key is the current key; false if not. If you get the latter and you typed rather than pasted in your Recovery Key, consider that you might have mistyped it and try again.
If you didn’t enter the key in exactly the format in which it was provided, the app will note “Error: not a valid recovery key.” Try re-entering it.
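If you have several noted keys, a quick offline shape check can sort out mistyped candidates before you try them at the prompt. The script below is an added example, not part of the original column or of Apple's tooling; the function names are hypothetical, the sample values are constructed, and it assumes a Recovery Key is six hyphen-separated groups of four letters or digits.

```shell
#!/bin/sh
# Added example. Assumption: a Recovery Key is six hyphen-separated groups of
# four letters or digits. This checks shape only; whether a key is the current
# one is still decided by `sudo fdesetup validaterecovery`.

# classify_key CANDIDATE: print ok, empty, bad-chars, bad-groups or bad-length.
# Runs in a subshell, so the LC_ALL change does not leak into the caller.
classify_key() (
    LC_ALL=C
    # Drop spaces, tabs and carriage returns picked up when pasting.
    key=$(printf '%s' "$1" | tr -d ' \t\r')
    g='[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]'
    hyphens=$(( $(printf '%s' "$key" | tr -cd '-' | wc -c) ))
    case $key in
        '')                verdict=empty ;;
        *[!A-Za-z0-9-]*)   verdict=bad-chars ;;
        $g-$g-$g-$g-$g-$g) verdict=ok ;;
        *)  if [ "$hyphens" -ne 5 ]; then verdict=bad-groups
            else verdict=bad-length; fi ;;
    esac
    echo "$verdict"
    [ "$verdict" = ok ]
)

# check_candidates: read one candidate per line on stdin and report by
# position only, so the output contains no key material.
check_candidates() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        printf 'candidate %d: %s\n' "$n" "$(classify_key "$line")"
    done
}

# Constructed sample values, not real keys.
demo() {
    printf '%s\n' 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX' 'ABCD-EFGH-IJKL-MNOP-QRST' \
        'ABCD-EFGH-1JKL-MN0P-QRST-UVW' | check_candidates
}
```

Run check_candidates and paste your noted keys one per line, then press Control-D; typing them at the prompt rather than passing them as arguments keeps them out of your shell history.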
This Mac 911 article is in response to a question submitted by Macworld reader Austé.