Can’t enable FileVault? An errant set of files may be blocking you

Some users are told that an institutional key has already been set on their Mac, even though they’re not part of an institution at all.

filevault icon apple
Apple

Today's Best Tech Deals

Picked by Macworld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

FileVault is a robust full-disk encryption system that Apple released way back with Mac OS X 10.7 Lion. It encrypts all the data on your disk at rest, so when your Mac is fully shut down, its data is unrecoverable without an approved account’s password or a Recovery Key.

Some readers trying to turn on or disable FileVault have been met with the message:

A recovery key has been set by your company, school or institution.

What perplexes them is that this occurs on a personal Mac, one that has never belonged to a company, school, or institution.

The answer appears to be that two files can remain from previous installations, sometimes apparently when you make a disk clone and restore it to a new Mac. These files confuse macOS into thinking the system is under management, with the disk encryption controlled by an administrator.

However, the problem appears easy enough to solve.

To enable personal FileVault

For most users, it’s a simple process:

  1. In the Finder, choose Go > Go To Folder.
  2. Paste in /Library/Keychains and click Go.
  3. In the folder that appears, remove two files: FileVaultMaster.keychain and FileVaultMaster.cer

You should then be able to proceed.

To switch active, managed FileVault

If FileVault is already enabled, you need to try a command-line solution instead. Launch Terminal and then copy and paste the following commands with a Return at the end. You will be prompted at least once for your administrative password:

sudo fdesetup removerecovery -institutional

sudo fdesetup changerecovery -personal

The second command will produce a fresh Recovery Key, which you must write down or otherwise retain. It’s the only backup option besides an authorized account and password to recover a disk, and often must be used in a pinch. Preserve it as your last line of defense for disk recovery.

This Mac 911 article is in response to a question submitted by Macworld reader Steve.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
  
Shop Tech Products at Amazon