FileVault hardens macOS by wrapping a layer of login protection around the part of the startup volume that holds your files and other data. With FileVault disabled, the data on that volume is effectively just one password away between an attacker and your files. That’s a dangerous situation if someone has physical access to your computer–in your home or office or because they’ve stolen it–they might be able to employ known and not-yet-discovered methods to bypass the login and access the drive’s contents.
FileVault on all Macs puts an additional bar in place: your startup volume (or, as in the case with macOS Catalina and later, the startup data volume) is encrypted and its files are unavailable unless and until there’s been a successful macOS login. Only after the login does macOS enter its normal operation mode. For Intel Macs without a T2 Security Chip, FileVault also encrypts the contents of the startup volume’s data when the computer is powered down. Intel Macs with a T2 Security Chip and on all M1 Apple silicon Macs always encrypt this data. (Read our explanation about how T2 and M1 Macs interact with FileVault.)
The strong security FileVault offers can be a double-edged sword: it may deter attackers with physical access but it could block you, too. Suppose you forget your password (unlikely, I hope!). Or something in macOS breaks or is corrupted in the account login process or files–also unlikely, but judging by reader email, it happens from time to time. In those cases, you may be unable to gain access without possessing a component of the FileVault setup process.
When you enable FileVault, macOS generates a Recovery Key that provides last-ditch access if account-based access fails. You can either retain that key privately or store it securely in iCloud, with Apple holding it in escrow for you. (If you can’t immediately find your Recovery Key or remember whether or not you chose the iCloud escrow option, read, “Is your macOS FileVault Recovery Key current? Here’s how to check.“)
Despite Apple having you rely on the FileVault Recovery Key to let you regain access to your Mac or to reset your account password when you’ve forgotten it, the company doesn’t provide a single set of straightforward instructions in a single place for how this works for the multiple cases you might encounter. Here’s our guide to those scenarios.
Recover via login window
First, start up your Mac if it’s powered down. (If you’re trying to reset the password and your Mac is booted and logged in, choose > Restart.)
Apple
Next, at the login screen click your account icon:
- In macOS Catalina and later, a password field appears with a question mark (?) at the far right. Click the question mark. Some lengthy text appears that starts, “If you forgot your password you can…”
- In macOS Mojave and earlier, you must enter your password incorrectly three times before a prompt appears.
Now, depending on your choice in setting up FileVault, you will see one of several options (the text may vary in Mojave and earlier releases of macOS):
- iCloud escrow: If you chose to store your key in iCloud during FileVault setup, the sentence above continues, ellipsis and all, “…reset it using your Apple ID.” Click the right-pointing arrow and follow the steps provided to log into the iCloud account associated with this Mac. This will recover your key, unlock the drive, and let you reset your account password.
- You kept the Recovery Key: If you opted to write down the Recovery Key, the text will continue “…reset it using your Recovery Key.” Click the right-pointing arrow and then enter your Recovery Key, omitting hyphens–macOS adds the hyphens automatically. When correctly entered, your drive is unlocked, and you can reset your account password.
Apple notes that–in some cases that the company doesn’t define–you might see the text “Restart and show password reset options.” If so, click the right-pointing triangle. After your Mac restarts, you’ll be asked for either an Apple ID login or your Recovery Key as above. Instead of first selecting a user and then entering that information, in this mode you enter your recovery details first and then select the user for which you’re resetting the password to regain access.
If none of the above works, you can try using macOS Recovery.
Recover via macOS Recovery
The process differs by processor. With an Intel Mac:
- Restart or press the power button and then hold down Command-R until the Apple logo appears and the progress bar on loading the operating system begins to fill.
- When the macOS Recovery screen appears, choose Utilities > Terminal.
- Enter the text
resetpasswordand press return. - macOS Recovery launches the special Reset Password assistant. Select the option, “My password doesn’t work when logging in” and click Next, then follow the remaining steps.
With an M1 Mac, the steps are a little more involved:
- Shut down the Mac if active.
- Hold down the power button to start up and continue holding it until you see the message “Loading startup options.” That takes about 10 seconds. Release the power button.
- Click the Options icon.
- If presented with a list of accounts you can use to log in to access macOS Recovery, click “Forgot all passwords?” You may also or instead be able to use your Apple ID to log in.
- When the macOS Recovery screen appears, choose Utilities > Terminal.
- Enter the text
resetpasswordand press return. - macOS Recovery launches the special Reset Password assistant. Select the option “My password doesn’t work when logging in” and click Next, then follow the remaining steps.
This Mac 911 article is in response to a question submitted by Macworld reader Julio.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to [email protected], including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
