Apple in the first place innovate FileVault to lend full - disk encoding ( FDE ) protection to macOS . FDE guarantee that your total startup volume is interlace away when macOS is close down ( not just kip ) by setting an encryption key for the volume . FileVault lock that paint out , geminate it with an bill on your Mac that ’s authorized to sign in after a full closing . Without that key , there ’s no effective agency to bring that computer to life .
Starting with Intel Mac model with a T2 Security Chip , your startup volume is always encrypted for FileVault no longer perform that project . That ’s also the eccentric for all M - series Macs . With those models , FileVault just protect the volume ’s encoding key , a critical - enough characteristic . ( With a computer hardware - encrypted volume and FileVault disabled , there ’s a potential opening for a malicious party who find your computer while it ’s powered up to get at your stored files . )
If you have FileVault enable with any Mac model , you could get locked out of your movement forever in certain cases if you have n’t taken a preventive step . You might not use a Mac for a while and forget the countersign for any of its authorized FileVault account . And , based on some emails I ’ve received , account direction can sometimes go wrong and macOS Recovery — used both for “ cold jump ” logins to macOS after a full shut down and to diagnose problems on your inauguration volume — involve a login where the correct word fails to let you in .
In those font , the retrieval key plant by macOS at the time you turned on FileVault on your Mac can do the trick . But if enough prison term has passed , you might have forgotten where you stashed the key or how to retrieve it . Macworld reader Elaina fall into that camp . She could n’t see the key , and she commemorate using the iCloud alternative to store it , but has analyze iCloud Drive and could n’t find it . She ’s concerned that she could wind up locked out and be unable to obtain the Recovery Key .
This is a problem with security system options on system reliable enough that you do n’t have to work with them regularly to refresh your computer memory . Touch ID and confront ID in Io and iPadOS and Touch ID in macOS expect that you re - go in the twist passcode or password at least every six days so you do n’t forget them .
When you first set up FileVault , one of the steps necessitate you whether you want to practice your iCloud account as a direction to unlock your disk and reset your macOS account parole if you ca n’t find your retrieval paint . ( In Monterey and earlier , go to > System Preferences > Security & Privacy > FileVault ; in Ventura or later , go to > System configurations > Privacy & Security and scroll down to the FileVault plane section . )
you may prefer to store your convalescence key as part of your iCloud story for password reset .
If you choose iCloud , the convalescence key is n’t stored loosely in iCloud Drive or as a filing cabinet . Instead , it ’s tied into behind - the - scene account info that Apple uphold . It ’s fully inscribe in such a way that even Apple does n’t have accession to the unencrypted recovery key datum , but Apple can deliver the encrypt recovery key to your Mac if you need to reset your word . You never see the retrieval key nor have to enroll it in this configuration . ( The process is a little involved : Apple describes it in the segment “ Reset using the Reset Password assistant ( FileVault must be on)”in this support document . )
If you pick out the other path , where FileVault generates a recovery key and display it , you postulate to check that and publish it down or accede it electronically and store it securely in such a style that you ’ll have memory access even when your Mac ca n’t be reboot . I use 1Password ’s unattackable notes for this purpose , but any method of reposition that ’s honest , secure , and accessible will puzzle out .
A good scheme would be to set a quarterly reminder to take care for your retrieval key ( and other crucial passwords and keys you have to hive away in the same place ) . If you ca n’t find it , disable FileVault in macOS and re - enable it . On Intel good example without a T2 Security Chip , this will take a while , as the total crusade is decrypt and then re - encrypted ; on T2 Intel theoretical account and M - series , the process takes seconds . With any theoretical account of Mac , macOS beget an wholly new retrieval key , which you may then more cautiously notice again .
With each of the above state of affairs , if you ca n’t log into iCloud or you fall back the recovery key , your Mac ’s files are unretrievable forever , as I wrote about last year .
Ask Mac 911
We ’ve compose a list of the enquiry we get asked most frequently along with answers and links to newspaper column : read our super FAQto see if your question is covered . If not , we ’re always look for new problems to solve ! Email yours tomac911@macworld.comincluding covert captures as appropriate , and whether you want your full name used . Every question wo n’t be answered , we do n’t reply to e-mail , and we can not provide verbatim troubleshooting advice .
