As part of Apple File System's FileVault encryption on macOS High Sierra, Apple introduced Secure Token. This is a new and undocumented account attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume. To help make sure that at least one account has a Secure Token attribute associated with it, a Secure Token attribute is automatically added to the first account to log into the OS loginwindow on a particular Mac.
Once an account has a Secure Token associated with it, it can then create other accounts which will in turn automatically be granted their own Secure Token.
For the consumer user, this usually takes the following form:
- Secure Token is automatically enabled for the user account created by Apple’s Setup Assistant.
- The Setup Assistant-created user account with Secure Token then creates other users via the Users & Groups preference pane in System Preferences. Those accounts get their own Secure Token automatically.
However, Active Directory mobile accounts and user accounts created using command line tools do not automatically get a Secure Token attribute associated with them. Without the Secure Token attribute, those accounts cannot be enabled for FileVault.
Update 1-20-2018: @mikeymikey has pointed out an exception to the rule:
Instead, the sysadminctl utility must be used to grant Secure Token to these accounts as a post-account-creation action. In that case, the sysadminctl utility must be run by a user account with the following prerequisites:
- Administrative rights
- Secure Token
For more details, please see below the jump.
There are a couple of ways to check from the command line if a particular account has the Secure Token attribute associated with it:
sysadminctl -secureTokenStatus username_goes_here
Note: The sysadminctl utility has multiple ways to provide the needed admin authorization to run. Please see this post for details.
dscl . -read /Users/username_goes_here AuthenticationAuthority
You can also check in Directory Utility to see if a Secure Token entry appears under the account’s Authentication Authority attribute.
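As an added example (not code from the original post), the script below wraps the two checks described above so the parsing can be exercised on constructed output anywhere, and on a Mac grants Secure Token only when sysadminctl reports it missing. The status strings "Secure token is ENABLED/DISABLED" and the ";SecureToken;" AuthenticationAuthority entry are the output formats these tools produce; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: classify an account's Secure Token
# state from the two checks described above, grant the token only when it is missing.
# The parsing helpers run anywhere on constructed output; the live commands need macOS.

# Parse the output of `sysadminctl -secureTokenStatus <user>` (it prints the status
# line to stderr, so callers merge 2>&1). Prints ENABLED, DISABLED or UNKNOWN.
token_state_from_sysadminctl() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Parse the output of `dscl . -read /Users/<user> AuthenticationAuthority`.
# Returns 0 when a ";SecureToken;" entry is present, 1 otherwise.
has_secure_token_aa() {
    case "$1" in
        *";SecureToken;"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Live, macOS only: grant Secure Token to $1 when sysadminctl reports it DISABLED.
# Must be run by an admin that itself holds Secure Token. "-password -" prompts for
# the target account's password so it never appears on the command line or in history;
# admin authorization is supplied in one of the ways the post's linked note describes.
ensure_secure_token() {
    user="$1"
    state=$(token_state_from_sysadminctl "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
    case "$state" in
        ENABLED)  echo "$user already has Secure Token"; return 0 ;;
        DISABLED) sysadminctl -secureTokenOn "$user" -password - ;;
        *)        echo "could not determine Secure Token state for $user" >&2; return 1 ;;
    esac
}

# Constructed sample output for running the parsers on a non-macOS host.
SAMPLE_SYSADMINCTL='sysadminctl[512:9172] Secure token is DISABLED for user Mobile User'
SAMPLE_AA='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;'

if command -v sysadminctl >/dev/null 2>&1 && [ -n "$1" ]; then
    ensure_secure_token "$1"
else
    echo "sample sysadminctl status: $(token_state_from_sysadminctl "$SAMPLE_SYSADMINCTL")"
    has_secure_token_aa "$SAMPLE_AA" && echo "sample dscl: SecureToken entry present"
fi
```

Run it with the account name as the only argument on a Mac; with no argument, or on another platform, it only exercises the parsers on the constructed samples.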
Once it's been verified that an account needs Secure Token, sysadminctl's SecureToken functions can be used to add it.
The command shown below should add Secure Token to a specified account:
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password password_goes_here
If you want to be prompted for the account’s password, use the command shown below:
sysadminctl -secureTokenOn username_which_needs_secure_token_goes_here -password -
To see how the process of adding Secure Token to an account which doesn’t have it works, please see the video below. It will go through the following process:
- Using sysadminctl to check an account for its Secure Token status
- Using sysadminctl to check the logged-in account for its Secure Token status
- Using sysadminctl to grant Secure Token to the first account, using the logged-in account's credentials and Secure Token
- Using sysadminctl to check the first account to verify that Secure Token has been added
To see how user accounts created in System Preferences’ Users & Groups preference pane automatically get Secure Token when created by an account with Secure Token, please see the video below. It will go through the following process:
1. Creating a new user account in the Users & Groups preference pane
2. Verifying via sysadminctl that the new user account has Secure Token