FileVault, the full-disk encryption system Apple introduced in Mac OS X 10.7 Lion, keeps the data on your drive encrypted at rest. If your Mac is shut down, a malefactor can't get at your data: they need the password of an account that is permitted to start up the Mac and unlock its encrypted disk. That password is entered at boot and unlocks a key that in turn unlocks your drive's data. Without it, villains are foiled. Note the "at rest" part, though: once the Mac is booted and the disk is unlocked, FileVault offers no protection against someone at the keyboard or software running on the system; that is what your login password and screen lock are for.
However, FileVault is managed on a per-Mac basis: its state is a property of the specific encrypted volume on that Mac (and on Macs with a T2 chip or Apple silicon, the volume's keys are additionally protected by the Secure Enclave), not something carried along with your files. If you migrate your data to a new Mac, whether through Migration Assistant, restoring from a Time Machine backup, Disk Utility, or third-party cloning software, you can wind up in a state in which macOS thinks FileVault is enabled, but it isn't. What gets copied or migrated is decrypted data, not the underlying encrypted volume, because the new computer needs readable files to populate its own drive.
If you no longer own, or have erased, the Mac you copied or migrated from, you could have an orphaned Recovery Key stored in iCloud. That shouldn't be an issue, as each installation of macOS on a computer is distinctly identified, and that association is what's stored in iCloud along with the Recovery Key. Also, only Apple can access the stored Recovery Keys in your account, as they're placed in an area that isn't accessible to us users. Whenever FileVault is reset, a new Recovery Key is generated, and the old one can only unlock a volume that no longer exists, so old Recovery Keys aren't a security risk either, even if Apple doesn't have a process to delete them.
To get FileVault back up and running on a cloned or migrated Mac, start by checking the state of FileVault in the Security & Privacy preference pane’s FileVault tab. If FileVault is noted as turned off, click the Lock icon in the lower-left corner, enter your password, and then click Turn On FileVault.
If you can't enable FileVault because macOS states, "A recovery key has been set by your company, school, or institution," follow the instructions in this Mac 911 column from earlier in the year. A couple of files that FileVault set on the original Mac's filesystem, and that came along in the migration, can confuse macOS about the state of things.
After that step, or if your Mac isn’t confused about its state, macOS will let you follow the normal procedure for enabling FileVault.
At one of the steps in this process, macOS asks whether you want to "allow my iCloud account to unlock my disk" or create a Recovery Key that you must record yourself. Because you're effectively setting up FileVault from scratch, you can make either choice. If you choose the Recovery Key, treat it with the same care as the password itself (anyone holding it can unlock the disk) and keep a permanent, accurate copy somewhere other than the Mac it belongs to, such as a password-management app that's synced securely across your devices.
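The on-screen check in the steps above has a command-line equivalent, and the cloned-Mac problem this column describes is exactly the case where two sources of truth disagree. The script below is an added example written for this column (it is not Apple's code and was not part of the original article): it parses the output of `fdesetup status` (what macOS says) and `diskutil apfs list` (what the data volume itself reports), flags the case where the first says On and the second says No, and, when run on a real Mac, performs the check live. The exact output formats of those two tools, the "Deferred enablement" wording, and the location of the institutional recovery key keychain are assumptions made here, not details from the column; the sample outputs embedded in the script are constructed for illustration.

```shell
#!/bin/bash
# Added example for this column (not Apple's code, not from Macworld):
# cross-check what macOS *says* about FileVault against what the APFS
# data volume itself *reports*. After a migration or clone the two can
# disagree, which is the state the column describes.
#
# Assumptions (not stated in the column): `fdesetup status` prints
# "FileVault is On." / "FileVault is Off." and, for a pending enablement,
# a line containing "Deferred enablement"; `diskutil apfs list` prints a
# "Mount Point:" line followed by a "FileVault:" line for each volume.
# If your macOS version formats these differently, adjust the patterns.

# fdesetup_state TEXT  -> prints on | off | deferred | unknown
fdesetup_state() {
  local text="$1"
  if printf '%s\n' "$text" | grep -qi 'Deferred enablement'; then
    echo deferred           # FileVault is queued to turn on at next login
  elif printf '%s\n' "$text" | grep -q '^FileVault is On\.'; then
    echo on
  elif printf '%s\n' "$text" | grep -q '^FileVault is Off\.'; then
    echo off
  else
    echo unknown
  fi
}

# volume_encrypted TEXT [MOUNT_POINT] -> prints yes | no | unknown
# Reads `diskutil apfs list` output and reports the FileVault field of the
# volume mounted at MOUNT_POINT (default: the Data volume on macOS 10.15+;
# pass "/" for a single-volume 10.14-or-earlier install).
volume_encrypted() {
  local text="$1" mount="${2:-/System/Volumes/Data}"
  printf '%s\n' "$text" | awk -v mp="$mount" '
    /Mount Point:/ { inblock = ($NF == mp) }   # entering the volume we care about?
    inblock && /FileVault:/ {
      s = ($3 ~ /^Yes/) ? "yes" : "no"         # "Yes", "Yes (Unlocked)", or "No"
      print s; found = 1; exit
    }
    END { if (!found) print "unknown" }'
}

# filevault_consistent FDESETUP_STATE VOLUME_STATE
# Exit 0 when the two views agree; exit 1 for the migrated-Mac problem:
# macOS claims FileVault is on, but the data volume is not encrypted.
filevault_consistent() {
  if [ "$1" = on ] && [ "$2" = no ]; then
    return 1
  fi
  return 0
}

# Constructed sample outputs (made up for this example, modelled on the
# real command output) so the parsers can be exercised on any machine.
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_STATUS_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'karen'."
SAMPLE_APFS_PLAIN='APFS Container (1 found)
+-- Container disk1
    +-> Volume disk1s1
        |   APFS Volume Disk (Role):   disk1s1 (Data)
        |   Name:                      Macintosh HD - Data (Case-insensitive)
        |   Mount Point:               /System/Volumes/Data
        |   FileVault:                 No
    +-> Volume disk1s5
        |   APFS Volume Disk (Role):   disk1s5 (System)
        |   Mount Point:               /
        |   FileVault:                 No'
SAMPLE_APFS_ENCRYPTED='APFS Container (1 found)
+-- Container disk1
    +-> Volume disk1s1
        |   APFS Volume Disk (Role):   disk1s1 (Data)
        |   Name:                      Macintosh HD - Data (Case-insensitive)
        |   Mount Point:               /System/Volumes/Data
        |   FileVault:                 Yes (Unlocked)
    +-> Volume disk1s5
        |   APFS Volume Disk (Role):   disk1s5 (System)
        |   Mount Point:               /
        |   FileVault:                 No'

# On a real Mac, run the check live; elsewhere only the functions are defined.
if command -v fdesetup >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
  fv=$(fdesetup_state "$(fdesetup status)")
  vol=$(volume_encrypted "$(diskutil apfs list)")
  echo "fdesetup says: $fv; data volume encrypted: $vol"
  if ! filevault_consistent "$fv" "$vol"; then
    echo "MISMATCH: macOS reports FileVault on, but the data volume is not encrypted."
    echo "Turn FileVault off and back on in System Preferences, or run: sudo fdesetup enable"
  fi
  # A carried-over institutional recovery key keychain is what produces the
  # "set by your company, school, or institution" message. The path below is
  # this example's assumption; the column defers to its linked article.
  if [ -f /Library/Keychains/FileVaultMaster.keychain ]; then
    echo "Institutional recovery key keychain present: /Library/Keychains/FileVaultMaster.keychain"
  fi
fi
```

Run it as a normal user (neither `fdesetup status` nor `diskutil apfs list` needs root). If it reports a mismatch, turn FileVault off and back on in the Security & Privacy pane as described above, or run `sudo fdesetup enable`, which prompts for an account that can unlock the disk and then prints the new Recovery Key, so be ready to record it.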
This Mac 911 article is in response to a question submitted by Macworld reader Karen.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.