Several months ago, we posted a column called “What to do when FileVault won’t turn on,” which offered a set of strategies for when you couldn’t get macOS to let you enable FileVault, Apple’s full-disk encryption (FDE) technology. These worked for some people who have followed up with us. The most severe of the scenarios was the “nuclear option,” which required making a full backup or clone of your Mac, erasing the drive, reinstalling macOS, and restoring your previous files. This would always re-enable the FileVault capability, but it’s a big investment of time and effort.
I’d put off carrying it out on my MacBook, which had this problem, hoping another alternative would emerge. Fortunately, Rich Trouton has a solution at his Der Flounder site, where he often provides insight into tricky or unsolvable disk-formatting and encryption issues. (Thanks also to reader Christophe for alerting me to Trouton’s update.)
There’s a process far shy of nuclear that worked for me and others who have tried it. As I noted in the original article, Apple added the concept of a “secure token” on top of FileVault to ensure that only macOS accounts with the right level of permission can initiate a FileVault encryption conversion and have access to it. In some cases, such as with my laptop, the secure token would be dropped from all accounts, making FileVault encryption impossible.
Before starting, check that FileVault still can’t be enabled (via steps 6, 7, and 8 below). My iMac also lacked a secure token and FileVault wasn’t an option months ago. One of the incremental Mojave updates must have taken care of it, as it’s now available and working.
Trouton’s solution—for which he thanks the excellent MacAdmins group for “identifying and testing”—involves resetting the password for all existing accounts through a Terminal command initiated in macOS Recovery. It’s not hard to do, even though it sounds convoluted: