Unable to enable FileVault on macOS Mojave

As part of FileVault on Apple File System, Apple introduced a new account attribute called Secure Token. Secure Token can present some interesting complications for Mac admins and among them is this scenario:

“The laptop is decrypted, but we can’t re-enable FileVault now.”

Usually, this happens because the account password was changed outside of the Users & Groups preference pane in System Preferences and now Secure Token and the account password are out of sync with each other.

Up until today, the only fix I knew of for that situation was to back up the data and wipe the drive. However, it looks like there is a workaround that fixes the password problem and sorts out the Secure Token attribute for the account on a decrypted laptop. For more details, please see below the jump.

To fix the account, the resetFileVaultpassword tool needs to be run from macOS Recovery. To access this tool, use the following procedure:

1. Boot to macOS Recovery.

2. Under the Utilities menu, select Terminal.

3. In Terminal, enter the following command and hit Enter.

resetFileVaultpassword

This will launch a Reset Password window behind the Terminal window.

If you have just one account on the Mac (which is likely if you find yourself in this scenario), the account should be selected automatically.

4. Enter a new password and verify it, then click the Next button.

5. When prompted, click the Restart button.

As part of the password reset process, the resetFileVaultpassword tool also resyncs the Secure Token attribute for the account. That should allow FileVault to work normally again.

Note: If you have multiple accounts on this Mac, the Reset Password tool requires all accounts’ passwords to be changed.

Following the reboot, you should now be able to enable FileVault on this Mac.
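
As an added check that is not part of the original post: after the reboot, the script below reports FileVault status and which local accounts hold a Secure Token. It assumes the output wording of sysadminctl -secureTokenStatus and fdesetup status noted in its comments, and that local user accounts start at UID 501.

```shell
#!/bin/sh
# Added example (not from the original post): report Secure Token and
# FileVault state for local accounts after the post-reset reboot.
# Assumed output wording:
#   sysadminctl: "... Secure token is ENABLED for user <name>" (or DISABLED)
#   fdesetup status: "FileVault is On." / "FileVault is Off."
# This only reports whether the attribute is present on each account.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;  # unknown user or changed wording
    esac
}

# Classify the first line of `fdesetup status` output.
filevault_state() {
    case "$1" in
        "FileVault is On"*)  echo ON ;;
        "FileVault is Off"*) echo OFF ;;
        *)                   echo UNKNOWN ;;
    esac
}

# Print FileVault state, then one "user<TAB>state" row per account with UID >= 501.
report() {
    echo "FileVault: $(filevault_state "$(fdesetup status 2>&1 | head -n 1)")"
    dscl . list /Users UniqueID | awk '$2 >= 501 { print $1 }' |
    while read -r user; do
        # sysadminctl writes its result to stderr, so merge the streams.
        line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
        printf '%s\t%s\n' "$user" "$(token_state "$line")"
    done
}

# Run only where the macOS tools exist; elsewhere the parsing functions can
# still be exercised on captured output.
if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    report
fi
```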

Thanks to the folks in the #security channel in the MacAdmins Slack for identifying and testing this workaround.

  1. johnelamb
    February 8, 2019 at 10:18 pm

    Confirmed this works in 10.13.6 as well. Thanks!

  2. defiler
    February 12, 2019 at 8:27 pm

    Hey, thanks! Doesn’t work with mobile accounts, I suggest?

  3. Charles
    May 25, 2019 at 8:11 pm

    Thank you! This worked perfectly. During a setup of a new laptop, the original user was replaced with a new one. Once I attempted to activate FileVault, a server error or a “failed to convert user” error message appeared. This solution saved me from having to wipe the drive and start from scratch, cheers!
