FileVault hardens macOS by wrapping a layer of login protection around your data. When FileVault is enabled, the data on your startup drive is not immediately available, with just a password between an attacker and your files. That’s a dangerous situation if someone has physical access to your computer—either in your home or office or they’ve stolen it—because there are known and not-yet-discovered methods by which an attacker could try to mount the drive and read files.

FileVault on all Macs puts an additional bar in place: your drive is encrypted and its files unavailable until there’s been a successful macOS login. At that point, the Mac enters its normal operation mode. (On Intel Macs with a T2 Security Chip and on all M1 Apple silicon Macs, the drive’s contents are always encrypted, but the drive is mounted at startup without an additional step if you haven’t enabled FileVault. Read our explanation from last year about how T2 and M1 Macs interact with FileVault.)

The strong security FileVault offers can also be a problem. Suppose you forget your password (unlikely, I hope!). Or something in macOS breaks or is corrupted in the account login process or files (unlikely, but it happens). In those cases, you may be unable to gain access unless you know your Recovery Key or can log into iCloud to retrieve a version Apple holds in escrow for you. (If you can’t immediately find your Recovery Key or remember whether you chose the iCloud escrow option, read “Is your macOS FileVault Recovery Key current? Here’s how to check.”)

Apple relies on the FileVault Recovery Key to let you regain access to your Mac or to reset your account password when you’ve forgotten it. Unfortunately, the company doesn’t provide one straightforward set of instructions in a single place that covers the multiple cases you might encounter. Here’s what to do.

Recover via login window

First, start up your Mac if it’s powered down. (If you’re trying to reset the password and your Mac is booted and logged in, choose Apple menu > Restart.)

The question mark is your key to unlocking a Mac that’s protected by FileVault.

Next, at the login screen click your account icon:

In Catalina and later, a password field appears with a question mark (?) at the far right. Click the question mark. Some lengthy text appears that starts “If you forgot your password you can…”

In Mojave and earlier, you have to enter your password incorrectly three times before a prompt appears.

Now, depending on your choice in setting up FileVault, you will see one of several options (the text may vary in Mojave and earlier releases of macOS):

iCloud escrow: If you chose to store your key in iCloud during FileVault setup, the sentence above continues, ellipsis and all, “…reset it using your Apple ID.” Click the right-pointing arrow and follow the steps provided to log into the iCloud account associated with this Mac. This will recover your key, unlock the drive, and let you reset your account password.

You kept the Recovery Key: If you opted to write down the Recovery Key, the text will continue “…reset it using your Recovery Key.” Click the right-pointing arrow and then enter your Recovery Key, omitting hyphens—macOS adds the hyphens automatically. When correctly entered, your drive is unlocked, and you can reset your account password.

Apple notes that—in some cases that the company doesn’t define—you might see the text “Restart and show password reset options.” If so, click the right-pointing triangle. After your Mac restarts, you’ll be asked for either an Apple ID login or your Recovery Key as above. Instead of first selecting a user and then entering that information, in this mode you enter your recovery details first and then select the user for which you’re resetting the password to regain access.

If none of the above works, you can try using macOS Recovery.

Recover via macOS Recovery

The Reset Password assistant is one of the last resorts to resetting a password with FileVault enabled.

The process differs by processor. With an Intel Mac:

1. Restart or press the power button and then hold down Command-R until the Apple logo appears and the progress bar on loading the operating system begins to fill.
2. When the macOS Recovery screen appears, choose Utilities > Terminal.
3. Enter the text resetpassword and press return. macOS Recovery launches the special Reset Password assistant.
4. Select the option “My password doesn’t work when logging in” and click Next, then follow the remaining steps.

With an M1 Mac, the steps are a little more involved:

1. Shut down the Mac if active.
2. Hold down the power button to start up and continue holding it until you see the message “Loading startup options.” That takes about 10 seconds. Release the power button.
3. Click the Options icon.
4. If presented with a list of accounts you can use to log in to access macOS Recovery, click “Forgot all passwords?” You may also or instead be able to use your Apple ID to log in.
5. When the macOS Recovery screen appears, choose Utilities > Terminal.
6. Enter the text resetpassword and press return. macOS Recovery launches the special Reset Password assistant.
7. Select the option “My password doesn’t work when logging in” and click Next, then follow the remaining steps.

This Mac 911 article is in response to a question submitted by Macworld reader Julio.

