Apple originally introduced FileVault to bring full-disk encryption (FDE) to macOS. FDE encrypts the entire startup volume under a single volume key, so that when the Mac is fully shut down (not merely sleeping) nothing on it can be read. FileVault's role is to lock that volume key away, binding it to the password of each account authorized to log in after a full shutdown. Without that key, there is no effective way to read what is on the volume, even with the drive in hand.
Starting with Intel Mac models that have a T2 Security Chip, the startup volume is always encrypted by the hardware, so FileVault no longer performs that task. The same is true of every M-series Mac. On those models FileVault's only job is to protect the volume's encryption key, which is still a critical one: with a hardware-encrypted volume and FileVault turned off, the key is held by the security chip and released at boot without any user secret, so the encryption only protects your files if the storage is removed from the Mac, not against a malicious party who obtains the whole computer.
If you have FileVault enabled on any Mac model, you can be locked out of your drive forever in certain cases if you haven't taken a preventative step. You might not use a Mac for a while and forget the password for every one of its FileVault-authorized accounts. And, based on some emails I've received, account management can sometimes go wrong: macOS Recovery (used both for "cold start" logins after a full shutdown and to diagnose problems on the startup volume) demands a login, and the correct password fails to let you in.
In those cases, the recovery key that macOS set when you turned on FileVault can do the trick. But if enough time has passed, you might have forgotten where you stashed the key or how to retrieve it. Macworld reader Elaina fell into that camp. She couldn't find the key; she remembered using the iCloud option to store it, but she has looked through iCloud Drive without finding it. She's concerned that she could wind up locked out and be unable to obtain the recovery key.
This is a problem with security options on systems reliable enough that you rarely have to work with them, so nothing refreshes your memory. Compare Touch ID and Face ID in iOS and iPadOS and Touch ID in macOS, which require you to re-enter the device passcode or password at least every six and a half days (sooner if biometrics haven't been used recently) precisely so you don't forget it.
When you first set up FileVault, one of the steps asks whether you want your iCloud account to be able to unlock your disk and reset your macOS account password, or whether you would rather have macOS generate a recovery key that you keep yourself. (In Monterey and earlier, go to the Apple menu > System Preferences > Security & Privacy > FileVault; in Ventura or later, go to the Apple menu > System Settings > Privacy & Security and scroll down to the FileVault section.)
If you choose iCloud, the recovery key isn't stored loosely in iCloud Drive or as a file, which is why Elaina couldn't find it there. Instead, it's tied into behind-the-scenes account information that Apple maintains. It's encrypted in such a way that Apple doesn't have access to the unencrypted recovery key, but Apple can deliver the encrypted key to your Mac if you need to reset your password. In this configuration you never see the recovery key and never have to enter it. (The process is a little involved: Apple describes it in the section "Reset using the Reset Password assistant (FileVault must be on)" in this support document.)
If you choose the other path, where FileVault generates a recovery key and displays it, make sure to write it down or store it electronically, and keep it somewhere secure that you can still reach when your Mac can't be booted. I use 1Password's secure notes for this purpose, but any method of storage that's reliable, secure, and accessible will work.
A good strategy is to set a quarterly reminder to look for your recovery key (and the other important passwords and keys you store in the same place). If you can't find it, disable FileVault in macOS and re-enable it. On Intel models without a T2 Security Chip, this takes a while, as the entire drive is decrypted and then re-encrypted; on T2 Intel models and M-series Macs, only the key is replaced, so the process takes seconds. With any model of Mac, macOS generates an entirely new recovery key, which you can then record more carefully.
In each of the situations above, if you can't log into iCloud or you lose the recovery key, your Mac's files are irretrievable forever, as I wrote about last year.
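One way to turn that quarterly reminder into an actual drill, as an added example that is not Macworld's or Apple's code: the script below wraps Apple's real `fdesetup` command-line tool (run it with `sudo` on the Mac in question) to check that the key you pasted from your password manager is well-formed, that FileVault is on with a personal recovery key, and that the stored key would actually unlock the volume; only if that last check fails does it mint a replacement, and FileVault stays on throughout. It assumes `fdesetup validaterecovery -inputplist` accepts the key in the plist's `Password` property, which is fdesetup's documented input convention; if you would rather not rely on that, run `sudo fdesetup validaterecovery` by hand and type the key at the prompt. The `FDESETUP` variable exists only so the tool can be swapped for a stub when testing off a Mac.

```shell
#!/bin/sh
# Quarterly FileVault recovery-key drill (added example, not Macworld's or Apple's code).
# Wraps Apple's fdesetup; must run as root on the Mac whose key you are checking.
# FDESETUP may be overridden (e.g. with a shell function) to exercise the logic elsewhere.
FDESETUP="${FDESETUP:-fdesetup}"

# A personal recovery key is 24 uppercase alphanumeric characters in six hyphenated
# groups. This catches a key that was mistyped into your password manager before you
# depend on it.
looks_like_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# True only when FileVault is on and this Mac has a personal recovery key at all
# (a Mac set up with the iCloud option has no key for you to keep).
filevault_has_personal_key() {
    "$FDESETUP" status | grep -q 'FileVault is On' &&
    [ "$("$FDESETUP" haspersonalrecoverykey)" = "true" ]
}

# Ask fdesetup whether the stored key would unlock the volume. The key is passed in
# the Password property of a plist on stdin (fdesetup's -inputplist convention).
stored_key_is_valid() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>Password</key><string>%s</string></dict></plist>\n' "$1" |
        "$FDESETUP" validaterecovery -inputplist >/dev/null 2>&1
}

# Replace the personal recovery key without turning FileVault off. fdesetup prompts
# for the credentials of a FileVault-enabled user and prints the new key: record it.
rotate_recovery_key() {
    "$FDESETUP" changerecovery -personal
}

# Returns 0 when the stored key checks out, 1 after rotating it, 2 when the drill
# could not run (malformed key, or FileVault not in a state that has a key).
recovery_key_drill() {
    drill_key="$1"
    if ! looks_like_recovery_key "$drill_key"; then
        echo "stored key is malformed; it was probably copied down wrong" >&2
        return 2
    fi
    if ! filevault_has_personal_key; then
        echo "FileVault is off or has no personal recovery key; fix that in System Settings first" >&2
        return 2
    fi
    if stored_key_is_valid "$drill_key"; then
        echo "stored recovery key is valid; next drill in three months"
        return 0
    fi
    echo "stored key was rejected; generating a replacement, record it now" >&2
    rotate_recovery_key
    return 1
}

# Usage: sudo sh fv-drill.sh XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
if [ $# -eq 1 ]; then
    recovery_key_drill "$1"
fi
```

Pass the key on the command line rather than embedding it in the script; the point of the drill is to prove that the copy in your password manager still works, so the script should only ever see the value you just retrieved from there.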
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Every question won’t be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.