FileVault is an excellent tool to protect your Mac’s drive when it’s shut down. When FileVault is active, someone powering up your machine cannot gain access through any means to the encrypted data on your startup volume without knowing the password of one of your accounts.
(FileVault also enables full-disk encryption on Intel Macs without a T2 Security Chip. All T2-equipped Macs starting in 2017 and all M1 Apple silicon Macs have FDE always enabled.)
When you turn on FileVault, macOS prompts you about a critical backup element, the FileVault Recovery Key. You can choose to store it securely in escrow via iCloud. Then you just need your iCloud account, password, and second factor (like a trusted device) to regain access if you ever find yourself locked out of your Mac because an account password ceases to work.
But you can also opt to track the Recovery Key yourself, as I describe in this column from 2018. However, a reader asked about a problem that can arise if you disable and re-enable FileVault—which takes just seconds with a T2-equipped or M1 Mac—or migrate to a new Mac: you might be left with multiple Recovery Keys you’ve noted over time.
If you haven’t carefully tracked your Recovery Key, you could wind up being unsure which is accurate for your current Mac and FileVault encryption setup. There’s fortunately an easy way to check.
- Launch Applications > Utilities > Terminal.
- Type exactly the following and press Return:
  sudo fdesetup validaterecovery
- The sudo command warns you about the dangers of this “superuser” mode if it’s the first time you’ve used it. Enter your password (you must be using an administrator account), and press Return.
- At the “Enter the current recovery key:” prompt, type or paste in the Recovery Key and press Return.
You will see true if the Recovery Key is the current key; false if not. If you get the latter and you typed rather than pasted in your Recovery Key, consider that you might have mistyped it and try again.
If you didn’t enter the key in exactly the format in which it was provided, the app will note “Error: not a valid recovery key.” Try re-entering it.
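When you are working through several noted keys, a format pre-check separates a transcription slip (the "not a valid recovery key" error) from a well-formed key that is simply not the current one (false). The script below is an added example, not part of the original column; the function names are hypothetical, and it assumes a personal Recovery Key is 24 letters and digits shown as six hyphen-separated groups of four.

```sh
# Assumption (not stated in the article): a personal Recovery Key is 24
# letters and digits shown as six hyphen-separated groups of four.

# Print the canonical form of a noted key; return 1 if it cannot be a key.
normalize_recovery_key() (
    LC_ALL=C; export LC_ALL
    # Drop whitespace and hyphens picked up from notes, then uppercase.
    raw=$(printf '%s' "$1" | tr -d '[:space:]-' | tr '[:lower:]' '[:upper:]')
    case "$raw" in
        *[!A-Z0-9]*) exit 1 ;;   # stray punctuation, smart dashes, etc.
    esac
    [ "${#raw}" -eq 24 ] || exit 1
    # Re-insert the hyphens: six groups of four.
    printf '%s\n' "$raw" | sed 's/..../&-/g; s/-$//'
)

# Read noted keys one per line (a blank line or EOF ends the list) and
# report which are well formed. Keys are never echoed or written to disk.
check_noted_keys() (
    [ -t 0 ] && { stty -echo; trap 'stty echo' EXIT; }
    n=0
    while IFS= read -r key && [ -n "$key" ]; do
        n=$((n + 1))
        if normalize_recovery_key "$key" >/dev/null; then
            echo "entry $n: well formed; test it with: sudo fdesetup validaterecovery"
        else
            echo "entry $n: malformed; fix the transcription before testing"
        fi
    done
)
```

Source the file in Terminal and run check_noted_keys, entering each noted key on its own line; only fdesetup itself can tell you whether a well-formed key is the current one.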
If none of your keys prove valid, you should immediately disable and re-enable FileVault, following the instructions in this column under the heading, “No record of Recovery Key.”
This Mac 911 article is in response to a question submitted by Macworld reader Austé.