Home > Apple File System, FileVault 2, Mac administration, macOS, macOS Recovery, Secure Token > Unable to enable FileVault on macOS Mojave

Unable to enable FileVault on macOS Mojave

As part of FileVault on Apple File System, Apple introduced a new account attribute called Secure Token. Secure Token can present some interesting complications for Mac admins and among them is this scenario:

“The laptop is decrypted, but we can’t re-enable FileVault now.”

Usually, this happens because the account password was changed outside of the Users & Groups preference pane in System Preferences and now Secure Token and the account password are out of sync with each other.

Up until today, the only fix I knew of for that situation was to back up the data and wipe the drive. However, it looks like there is a workaround that fixes the password problem and sorts out the Secure Token attribute for the account on a decrypted laptop. For more details, please see below the jump.

To fix the account, the resetFileVaultpassword tool needs to be run from macOS Recovery. To access this tool, use the following procedure:

1. Boot to macOS Recovery.

Screen Shot 2019 02 08 at 3 45 13 PM

2. Under the Utilities menu, select Terminal.

Screen Shot 2019 02 08 at 3 45 25 PM

3. In Terminal, enter the following command and hit Enter.


Screen Shot 2019 02 08 at 3 53 01 PM

This will launch a Reset Password window behind the Terminal window.

Screen Shot 2019 02 08 at 3 46 03 PM

If you just have one account on the Mac (which is likely if you find yourself in this scenario) the account should automatically be selected.

4. Enter a new password and verify it, then click the Next button.

Screen Shot 2019 02 08 at 3 54 27 PM

5. When prompted, click the Restart button.

Screen Shot 2019 02 08 at 3 54 42 PM

As part of the password reset process, the resetFileVaultpassword tool also resyncs the Secure Token attribute for the account. That should allow FileVault to work normally again.

Note: If you have multiple accounts on this Mac, the Reset Password tool requires all accounts’ passwords to be changed.

Screen Shot 2019 02 08 at 3 46 18 PM

Following the reboot, you should now be able to enable FileVault on this Mac.

Screen Shot 2019 02 08 at 4 01 03 PM

Screen Shot 2019 02 08 at 4 01 23 PM

Screen Shot 2019 02 08 at 4 09 33 PM

Thanks to the folks in the #security channel in the MacAdmins Slack for identifying and testing this workaround.

  1. johnelamb
    February 8, 2019 at 10:18 pm

    Confirmed this works in 10.13.6 as well. Thanks!

  2. defiler
    February 12, 2019 at 8:27 pm

    hey, thanks! doesn’t work with mobile accounts i suggest?

  3. Charles
    May 25, 2019 at 8:11 pm

    Thank you! This worked perfectly. During a setup of a new laptop the original user was replaced with a new one, once I attempted to activate FileVault a server error or a failed to convert user error message appeared, this solution saved me from having to wipe the drive and start from scratch, cheers !

  4. tokenizer
    June 22, 2019 at 11:25 pm

    Thanks! This was the only thing that worked for me, including removing .AppleSetupDone to attempt to run SetupAssistant and create a new user admin account with the token. Apparently that trick had been used once before and now SetupAssistant just goes to “Setting up your Mac…” instead of the Create User Account workflow. (I tried removing Receipts, plists and caches with no luck either) One small caveat with resetFileVaultpassword is that if you have existing user’s with SecureTokens (that may have out of sync passwords and not be usable), it’ll force you to try to authorize with those users instead, and then fail to add the SecureToken to the reset account (Failed to Add User / Failed to convert user). The workaround for this was to remove the ;SecureToken; attribute from the AuthenticationAuthority of any users that have it by using either dscl or Directory Utility and then re-attempt resetFileVaultpassword at which point it will prompt you to reset ALL users passwords and add the SecureToken attribute. As a fun aside, if you add the ;SecureToken; attribute manually to a user, sysadminctl -secureTokenStatus will report that Secure token is ENABLED, but they still won’t be able to use FileVault. Lastly, I’ll mention that manually adding a Configuration profile that forced FV2 enabled hoping to get a SecureToken for the enabling user also did not work and clicking “Turn on FileVault…” would do nothing.

  5. aitraja
    September 22, 2020 at 4:42 am

    Its worked for me….I have tried may way but couldn’t succeeded….but it helped me a lot Thank you

  6. Zelxos
    October 12, 2020 at 8:47 pm

    Thanks so much! I’ve encountered this issue before and never been able to resolve, so simple when you know how, thank you for taking the time to post!

  7. October 20, 2020 at 8:23 pm

    So, if both my admin accounts are numbered below 500 and the user has a mobile account authenticated against our OD server, I can’t seem to get this to work.

    The MBPr was previously running Mojave and secured w/FV2. I wiped the drive before sending it out for a screen replacement, then again before placing it back into service, but even though I’ve used the same workflow successfully to create other systems that I’m able to secure, this one won’t let me.

    Do I need to backup, rebuild, enable FV2, then migrate the user account back?



  8. Mark O'H
    January 23, 2021 at 12:05 am

    I have a similar issue after migrating from Big Sur on an old MBP to a new M1 MBA. I am able to do most general activities such as running applications and installing new programs However, I get the error in trying to turn on FileVault.

    I am also having issues with unlocking some panes in Privacy and Security in System Preferences. When prompted for my password the dialog box shakes to reject the password, even though I’ve confirmed Caps Locks is off and the password is typed correctly. I’ve quadruple checked. Interestingly, where it is allowed, I can unlock these preference panes with my Apple Watch, even after it rejects my typed password I have a hunch this is all related to the same token issue as not being able to turn on FileVault.

    I followed the procedure in the above article. However after resetting my password, I get the following error: “Could not verify credentials because directory server does not support the requested authentication method.” I exited and restarted the computer and am at the same point as before.

    Any suggestions would be appreciated. Thanks!

    • Bock
      April 15, 2021 at 2:55 pm

      I have the same issue, as macwiz.
      Can’t set SecureToken on M1 macbook… Reset password doesn’t help 😦

      • June 9, 2021 at 10:11 am

        Same as above. I’m not trying to enable filevault, rather enable booting from an external drive, but without the token, the startup security util wont accept that there is an admin account on the Mac….. Mac Mini 2018

      • Bock
        June 9, 2021 at 2:46 pm

        So helps only do backup by timemachine, clean install with enabling ecryption, start with new admin user and then start migrate assistant.

      • June 9, 2021 at 2:54 pm

        Thanks.. will get to it….

  9. Arthur Goldberg
    February 27, 2021 at 6:08 pm

    I find that Reset Password fails with a “Could not verify credentials because directory server does not support the requested authentication method.” error. How should I address that?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: