MacOS keeps asking for disk password: how to allow a user to unlock File Vault encrypted disk

filevaulthigh sierratime-machine

After a restore, macOS still requires the disk password. Here what happened:

First, I used diskutil to format my disk as APFS encrypted and I set a disk password. Then, I installed macOS High Sierra (10.13.6) and restored a TimeMachine backup.

The restore succeed, but something went wrong with disk decryption permissions: now at boot the macOS ask for the disk password (that i know), and afterwards for the user password for my user called john.

The only allowed user to decrypt the disk is a Disk user.

# diskutil apfs listcryptousers /dev/disk1s1
Cryptographic user for disk1s1 (1 found)
|
+-- 2FFF91FA-12A5-3F55-8252-85AAF1188EBA
Type: Disk User

and

# sysadminctl -secureTokenStatus john
2018-08-20 20:40:55.784 sysadminctl[3561:141251] Secure token is DISABLED for user John X.

Is there a way to allow the existing admin user john to unlock the disk?

Best Answer

The most reliable way to solve this would be to decrypt your disk and then encrypt it using the Filevault settings page.

Related Solutions

Cannot change APFS encryption password

You need to list your disks to find the APFS volume disk where you want to change the password:

sudo diskutil apfs list

Now find the UUID of the cryptographic Disk User:

sudo diskutil apfs listUsers <your APFS volume, like: disk1s1>

Finally you can change the APFS volume password:

sudo diskutil apfs changePassphrase <your APFS volume, like: disk1s1> -user <the Disk User cryptographic UUID, like: 12345678-1234-1234-1234567890AB>

IMac – a Secure Token and how to get an admin users that has one

Just migrated to a new 2018 MacBook Pro, and somehow my original account (an admin user) was created without a secure token during the migration. I even tried creating a new admin user, logging into that user and trying to run sysadminctl -secureTokenOn justin -password - but getting:

2018-07-30 14:17:56.552 sysadminctl[886:18232] Operation is not permitted without secure token unlock.

So then I tried the following providing adminUser and adminPassword flags as my original user justin:

sysadminctl -secureTokenOn justin -password - -adminUser justin -adminPassword -

Enter password for justin :

Enter password for Justin K :

2018-07-30 14:31:05.262 sysadminctl[998:49031] setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 "Authentication server refused operation because the current credentials are not authorized for the requested operation." UserInfo={NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.}

Essentially it seems since non of my users have a secure token, there is no way to grant a secure token. The only downfall is the following:

When I cold start the machine I have to enter a disk decryption password, which results in entering my password twice (once for disk decryption and once for the user account).
When I try to turn off FileVault by clicking the button nothing happens. The same behavior when clicking the warning button "Some users are not able to unlock the disk [Enable Users...]" nothing happens.

Best Answer

Related Solutions

Cannot change APFS encryption password

IMac – a Secure Token and how to get an admin users that has one

Related Question