What to do when FileVault won't turn on

After a recent inexplicable problem on my MacBook, in which macOS would complete loading but never get past the blank screen before the Desktop appeared, I had to revert to a clone. (Even reinstalling macOS didn’t work.) I then upgraded to Mojave. Somewhere in there, an important piece of macOS “fell out,” metaphorically.
In 10.13 High Sierra, Apple added the concept of a “secure token,” granted to the first account created in macOS on installation or after an upgrade, as part of the process that allows an account to use FileVault. There’s almost no information about this feature, and there’s no way to determine from macOS’s graphical features whether an account has it set.
But if you’re missing a secure token on all your accounts, there’s no way to obtain one, and you won’t be able to turn on FileVault. That’s the situation I find myself in—and I found plenty of others in the same boat.
I went down this rabbit hole by trying to re-enable FileVault after I got my MacBook restored and up to date:
- Open the Security & Privacy system preference pane.
- Click the FileVault tab.
- Click the lock icon in the lower-left corner and enter an administrative account and password.
- Click Turn On FileVault.
What should happen after step 4 is that either macOS presents a dialog that guides you to proceed, or an error message appears explaining (sometimes obscurely) why you can’t.
In my case, and that of other people who have shared the same experience on internet forums, there’s no interaction at all. Clicking the button doesn’t result in any action.
At this point, you can “interrogate” macOS via Terminal (in Applications > Utilities). First, you need to know the Unix account name of your macOS account. If you don’t know what that is, follow these steps first:
- Open the Users & Groups pane.
- Click the lock icon in the lower-left corner and enter an administrative account and password.
- Control-click your account name in the account list and choose Advanced Options.
- The Account Name is your Unix account’s short name.
Now, with that name in hand, follow these steps:
- Open Applications > Utilities > Terminal.
- At a terminal prompt, copy and paste the following, replacing accountname with the Unix account name you found above, and press Return:
  sudo sysadminctl -secureTokenStatus accountname
- When prompted, enter your account password.
If you’re having the same problem as me, the response will be:
sysadminctl[...] Secure token is DISABLED for user Full Name
(Your account name will appear instead of Full Name.)
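The check above covers one account at a time. The script below, an added example and not part of the Macworld article, walks every local account and reports which ones hold a secure token, since the FileVault problem described here only bites when no account has one. It assumes macOS’s standard sysadminctl, dscl and fdesetup tools, and that sysadminctl prints its status line in the form shown above (“Secure token is DISABLED for user Full Name”); the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the Macworld article): report secure-token status
# for every local macOS account before attempting the FileVault fixes above.

# Parse one line of `sysadminctl -secureTokenStatus` output, which has the form
# "sysadminctl[...] Secure token is DISABLED for user Full Name", and print
# ENABLED, DISABLED, or UNKNOWN.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  printf 'ENABLED\n' ;;
    *"Secure token is DISABLED"*) printf 'DISABLED\n' ;;
    *)                            printf 'UNKNOWN\n' ;;
  esac
}

# Query a single account. sysadminctl writes its status line to stderr,
# so both streams are captured before parsing.
token_status_for() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# List local accounts with UID 500 or higher; system accounts sit below 500.
list_local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Print one line per account and return 0 if at least one account holds a
# token, 1 if none does (the situation in which FileVault cannot be turned on).
report_secure_tokens() {
  any_enabled=1
  for u in $(list_local_users); do
    s=$(token_status_for "$u")
    printf '%-20s %s\n' "$u" "$s"
    if [ "$s" = ENABLED ]; then any_enabled=0; fi
  done
  return $any_enabled
}

# The live report only makes sense on macOS; run as: sh secure-token-check.sh --report
if [ "$(uname)" = Darwin ] && [ "${1:-}" = --report ]; then
  if report_secure_tokens; then
    echo "At least one account holds a secure token."
  else
    echo "No account holds a secure token; FileVault cannot be enabled until one does."
  fi
  # Show the volume's current FileVault state alongside the token report.
  fdesetup status
fi
```

Run it with sudo if sysadminctl refuses to answer for accounts other than your own. If every line reads DISABLED, you are in the situation the article describes, and the remaining options are the ones listed below rather than anything in System Preferences.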
From all my reading and testing, there’s no way to enable a secure token. I tried one method suggested that allows you to re-run the initial macOS setup without erasing your system, and created a new administrative account that should ostensibly receive a secure token grant. It didn’t work.
There are also articles explaining how to grant yourself temporary secure access and use that to assign it to another account—it also didn’t work in Mojave.
I also tried a method of having an administrative account set access, which failed in Mojave and High Sierra. The full error message is rather long:
setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 "Authentication server refused operation because the current credentials are not authorized for the requested operation." UserInfo={NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.
I haven’t yet tried the next option, which is to reinstall macOS. My recent reinstallation is too fresh in memory and currently stable. And some people have reported even that didn’t work for them, so I’m not sure it’s the best path forward.
There’s a nuclear option, which is to make a full backup, wipe your Mac, and install macOS from scratch. Then use Migration Assistant to restore your files. (If you use a clone to restore, it overwrites the account information, and thus erases the newly created secure token, too.)
If you’ve found a better way to solve this problem, write us at mac911@macworld.com, and we’ll update this article with more details.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.