Unable to enable FileVault on macOS Mojave

As part of FileVault on Apple File System, Apple introduced a new account attribute called Secure Token. Secure Token can present some interesting complications for Mac admins and among them is this scenario:

“The laptop is decrypted, but we can’t re-enable FileVault now.”

Usually, this happens because the account password was changed outside of the Users & Groups preference pane in System Preferences and now Secure Token and the account password are out of sync with each other.

Up until today, the only fix I knew of for that situation was to back up the data and wipe the drive. However, it looks like there is a workaround that fixes the password problem and sorts out the Secure Token attribute for the account on a decrypted laptop. For more details, please see below the jump.

To fix the account, the resetFileVaultpassword tool needs to be run from macOS Recovery. To access this tool, use the following procedure:

1. Boot to macOS Recovery.

2. Under the Utilities menu, select Terminal.

3. In Terminal, enter the following command and hit Enter.

resetFileVaultpassword

This will launch a Reset Password window behind the Terminal window.

If you have just one account on the Mac (which is likely if you find yourself in this scenario), that account should be selected automatically.

4. Enter a new password and verify it, then click the Next button.

5. When prompted, click the Restart button.

As part of the password reset process, the resetFileVaultpassword tool also resyncs the Secure Token attribute for the account. That should allow FileVault to work normally again.

Note: If you have multiple accounts on this Mac, the Reset Password tool requires all accounts’ passwords to be changed.

Following the reboot, you should now be able to enable FileVault on this Mac.
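Before booting to Recovery, it helps to know which local accounts currently hold a Secure Token and whether the ;SecureToken; marker is present in each account's directory record. The script below is an added triage helper, not from the original post; it assumes the output wording of sysadminctl, dscl and fdesetup shown in its comments, and the live report only runs on macOS.

```shell
#!/bin/sh
# Added Secure Token triage helper (not from the original post). The parsing
# functions take command output as text, so they can be checked without a Mac;
# the live report at the bottom runs only on macOS.

# Parse `sysadminctl -secureTokenStatus <user>` output (assumed wording:
# "Secure token is ENABLED for user <name>") into ENABLED/DISABLED/UNKNOWN.
token_state_from_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Return 0 if an AuthenticationAuthority record carries the ;SecureToken; marker.
has_secure_token_marker() {
    case "$1" in
        *";SecureToken;"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Parse `fdesetup status` output (assumed wording: "FileVault is On/Off.") into On/Off/UNKNOWN.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo On ;;
        *"FileVault is Off"*) echo Off ;;
        *)                    echo UNKNOWN ;;
    esac
}

# Live report for every local account with UID >= 500; run as root on macOS.
report_local_accounts() {
    [ "$(uname)" = "Darwin" ] || { echo "not macOS; nothing to report"; return 0; }
    echo "FileVault: $(filevault_state "$(fdesetup status 2>&1)")"
    for user in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        status=$(sysadminctl -secureTokenStatus "$user" 2>&1)
        aa=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
        marker=no
        has_secure_token_marker "$aa" && marker=yes
        printf '%-20s token=%-8s ;SecureToken; marker=%s\n' \
            "$user" "$(token_state_from_status "$status")" "$marker"
    done
}

report_local_accounts
```

An ENABLED status alone does not prove the token is usable: if the account password was changed outside Users & Groups, the token can still be out of sync and FileVault will still refuse to enable.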

Thanks to the folks in the #security channel in the MacAdmins Slack for identifying and testing this workaround.

  1. johnelamb
    February 8, 2019 at 10:18 pm

    Confirmed this works in 10.13.6 as well. Thanks!

  2. defiler
    February 12, 2019 at 8:27 pm

    Hey, thanks! Doesn’t work with mobile accounts, I suggest?

  3. Charles
    May 25, 2019 at 8:11 pm

    Thank you! This worked perfectly. During setup of a new laptop the original user was replaced with a new one; once I attempted to activate FileVault, a server error or a “failed to convert user” error message appeared. This solution saved me from having to wipe the drive and start from scratch, cheers!

  4. tokenizer
    June 22, 2019 at 11:25 pm

    Thanks! This was the only thing that worked for me, including removing .AppleSetupDone to attempt to run SetupAssistant and create a new admin user account with the token. Apparently that trick had been used once before and now SetupAssistant just goes to “Setting up your Mac…” instead of the Create User Account workflow. (I tried removing Receipts, plists and caches with no luck either.) One small caveat with resetFileVaultpassword is that if you have existing users with SecureTokens (that may have out-of-sync passwords and not be usable), it’ll force you to try to authorize with those users instead, and then fail to add the SecureToken to the reset account (Failed to Add User / Failed to convert user). The workaround for this was to remove the ;SecureToken; attribute from the AuthenticationAuthority of any users that have it by using either dscl or Directory Utility and then re-attempt resetFileVaultpassword, at which point it will prompt you to reset ALL users’ passwords and add the SecureToken attribute. As a fun aside, if you add the ;SecureToken; attribute manually to a user, sysadminctl -secureTokenStatus will report that Secure token is ENABLED, but they still won’t be able to use FileVault. Lastly, I’ll mention that manually adding a configuration profile that forced FV2 enabled, hoping to get a SecureToken for the enabling user, also did not work, and clicking “Turn on FileVault…” would do nothing.

  5. aitraja
    September 22, 2020 at 4:42 am

    It worked for me. I have tried many ways but couldn’t succeed, but it helped me a lot. Thank you.

  6. Zelxos
    October 12, 2020 at 8:47 pm

    Thanks so much! I’ve encountered this issue before and never been able to resolve, so simple when you know how, thank you for taking the time to post!

  7. October 20, 2020 at 8:23 pm

    So, if both my admin accounts are numbered below 500 and the user has a mobile account authenticated against our OD server, I can’t seem to get this to work.

    The MBPr was previously running Mojave and secured w/FV2. I wiped the drive before sending it out for a screen replacement, then again before placing it back into service, but even though I’ve used the same workflow successfully to create other systems that I’m able to secure, this one won’t let me.

    Do I need to backup, rebuild, enable FV2, then migrate the user account back?

    Thanks.

    Cheers,
    Jon

  8. Mark O'H
    January 23, 2021 at 12:05 am

    I have a similar issue after migrating from Big Sur on an old MBP to a new M1 MBA. I am able to do most general activities such as running applications and installing new programs. However, I get the error in trying to turn on FileVault.

    I am also having issues with unlocking some panes in Privacy and Security in System Preferences. When prompted for my password the dialog box shakes to reject the password, even though I’ve confirmed Caps Lock is off and the password is typed correctly. I’ve quadruple checked. Interestingly, where it is allowed, I can unlock these preference panes with my Apple Watch, even after it rejects my typed password. I have a hunch this is all related to the same token issue as not being able to turn on FileVault.

    I followed the procedure in the above article. However after resetting my password, I get the following error: “Could not verify credentials because directory server does not support the requested authentication method.” I exited and restarted the computer and am at the same point as before.

    Any suggestions would be appreciated. Thanks!

    • Bock
      April 15, 2021 at 2:55 pm

      I have the same issue, as macwiz.
      Can’t set SecureToken on M1 MacBook… Reset password doesn’t help 😦

      • June 9, 2021 at 10:11 am

        Same as above. I’m not trying to enable FileVault, rather enable booting from an external drive, but without the token, the startup security util won’t accept that there is an admin account on the Mac… Mac Mini 2018

      • Bock
        June 9, 2021 at 2:46 pm

        So the only thing that helps is to do a backup with Time Machine, do a clean install with encryption enabled, start with a new admin user and then start Migration Assistant.

      • June 9, 2021 at 2:54 pm

        Thanks.. will get to it….

  9. Arthur Goldberg
    February 27, 2021 at 6:08 pm

    I find that Reset Password fails with a “Could not verify credentials because directory server does not support the requested authentication method.” error. How should I address that?
