FileVault is Apple’s way of encrypting data on Mac devices and macOS. When activated, this feature encrypts all your data on the startup disk. This way, your files will be protected from unauthorized access. The only drawback is that it forces users to enter their login credentials after waking from a screensaver or sleep to enable the encryption.
FileVault was first introduced in macOS X Panther, but it was a bit shaky then. Thankfully, the feature got some significant improvements with the release of macOS X Lion. And recently, Apple added a Secure Token on top of FileVault. It means that all Mac users with a Secure Token are now automatically added as FileVault users when activating FileVault.
The Introduction of “Secure Token” on Top of FileVault
Apple introduced the concept of a Secure Token on top of FileVault with the release of macOS High Sierra. The main purpose is to restrict FileVault encryption conversations and access to only Mac accounts with the appropriate permission.
Here is how the Secure Token feature works:
- The initial user account you create the first time on a new Mac has a Secure Token.
- All users with sysadminctl have a Secure Token.
- Any user account generated with the Users & groups option of the System Preferences has a Secure Token.
- All Active Directory users do not have a Secure Token.
- Any user created with dscl doesn’t have a Secure Token.
- Only users with a Secure Token have permission to activate and deactivate FileVault encryption.
FileVault Problems on Mac
The main challenge, however, is that if no account on your Mac has a Secure Token, it means that the profile cannot enable FileVault.
Some users have complained of experiencing this nightmarish scenario. FileVault operations, such as, migrating, enabling, and adding users, failed on macOS High Sierra and later versions if users did not have a Secure Token enabled for their account.
This issue, amongst many other FileVault problems on Mac, has raised a lot of concern about the value of adding a “Secure Token” on top of FileVault. If you are uninitiated, you are probably asking yourself what does missing a ‘Secure Token’ mean.
So, What Does Missing a ‘Secure Token’ Mean?
With all fairness, a Secure Token keeps your files and system safe. It is a new and undocumented account attribute in macOS. This Secure Token should be added to the first admin account to login into a Mac. Once this account has a Secure Token attribute linked to it, you can create other user accounts, which will be granted their own Security Token.
Unfortunately, user accounts created through conventional, remote command-line tools and Active Directory mobile accounts do not automatically get Secure Token attributes. So, without a Secure Token, these accounts will not be able to activate FileVault. Now, the question is: How do you make FileVault work again if you’re missing a ‘Secure Token’? Do not worry. We will try to resolve this problem in the next section.
How to Make FileVault Work Again Without a ‘Secure Token’?
As mentioned above, user accounts must be created locally to be able to get a ‘Secure Token’ assigned to them. Nevertheless, you can still activate FileVault even if you are missing a Secure Token.
Before you try anything else, check if FileVault can’t be enabled. Some users who couldn’t enable FileVault because of missing a Secure Token later found out that they could do so. Perhaps the issue was taken care of by one of the macOS cumulative updates. For instance, the Security Update 2019-003 for Sierra and High Sierra resolved an issue with the user account login credentials reset in FileVault.
If you still have issues enabling FileVault, then you can try resetting the password for all your current accounts via a Terminal command. Here is how to do it:
- First, you need to restart your computer, then open macOS Recovery by pressing the Command + R keyboard combination.
- Now, navigate to the Utilities menu and tap on Terminal.
- Next, type the command “resetFileVaultpassword” into the Terminal window and hit Return.
- The Reset Password dialog box will appear after a few seconds. So, you need to set a new password for each of your user accounts. Please note that you can use your current password, if that is okay with you.
- Once you are through with changing the password for one of your accounts, press Next to move on to the next account; otherwise, click Restart if you only have one account.
- Wait for your Mac to boot, then go to the Security Privacy preference pane and navigate to the FileVault tab.
- Look for the lock in the lower-left corner of the pane and enter your administrative password.
- After that, tap on the “Turn On FileVault” button to enable FileVault.
That is it. Your FileVault encryption should be working normally again. Besides securing your system by enabling FileVault, consider cleaning and repairing damaged sections of your Mac to improve its overall performance. A tool like Outbyte MacRepair can help you automate this task.
FileVault is a useful feature on macOS that we highly recommend. It leverages the power and efficiency of modern CPUs and utilizes the latest encryption algorithms to secure the entire content of the startup disk. Challenges only arise when you cannot enable the feature because of missing a Secure Token. Fortunately, you can resolve the problem by resetting your password through a Terminal command initiated macOS Recovery.
We hope that our recommended solution helped you make your FileVault work again. Let us know how it goes in the comments section.