As part of FileVault on Apple File System, Apple introduced a new account attribute called Secure Token. As mentioned in a previous post, Secure Token can present some interesting problems for Mac admins who work with FileVault-encrypted laptops. Among the potential complications are these scenarios:
- “I changed the password for my local account, but only the old password is being taken at the FileVault login screen.”
- “We’ve lost the password to the only local user account with a Secure Token, so now we can’t enable any other accounts on this Mac for FileVault.”
Usually, this happens because the local account password in question was changed outside of the Users & Groups preference pane in System Preferences and now Secure Token and the account password are out of sync with each other.
Up until the past few days, the only fix I knew of for that situation was to back up the data and wipe the drive. However, it looks like there is a workaround for encrypted Macs which fixes the password problem and sorts out Secure Token in these scenarios. In both cases, a personal recovery key will be needed as the way to authorize the needed changes. For more details, please see below the jump.
Note: The methods described below only work with local accounts. Mobile accounts need to have password changes authorized by their parent directory service, and directory services like Active Directory and Open Directory will not be accessible when using the tools and procedures described below.
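Both scenarios above are easier to head off than to repair, so it helps to know in advance which local accounts actually hold a Secure Token. The script below is an added example (not part of the original post, and not an Apple tool): it wraps `sysadminctl -secureTokenStatus`, which prints a line of the form `Secure token is ENABLED for user name` (or `DISABLED`) to stderr, and reports whether the Mac has zero, one, or several token holders. The list of accounts is passed in as arguments; the `dscl` query in the usage comment is one way to build that list on a real Mac. `SECURE_TOKEN_QUERY` is an assumed hook that lets the parsing be exercised without `sysadminctl` present.

```shell
#!/bin/sh
# Added example: audit which local accounts hold a Secure Token on a FileVault Mac.
# Not from the original post. Assumes macOS 10.13+ with sysadminctl on PATH; the
# query command is overridable via SECURE_TOKEN_QUERY so the parser can be tested
# offline with constructed output.

# Reduce one sysadminctl -secureTokenStatus line to ENABLED / DISABLED / UNKNOWN.
# Assumed output shape: "<timestamp> sysadminctl[pid:tid] Secure token is ENABLED for user name"
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Ask the system (or the injected stub) about one account. sysadminctl writes its
# status line to stderr, hence the 2>&1.
query_token_status() {
    ${SECURE_TOKEN_QUERY:-sysadminctl} -secureTokenStatus "$1" 2>&1
}

# Print a status line per account and return:
#   0  two or more Secure Token holders
#   1  exactly one holder (losing that password leaves only the recovery key)
#   2  no holder at all (no account can authorize enabling others for FileVault)
audit_secure_tokens() {
    holders=0
    for user in "$@"; do
        status=$(parse_token_status "$(query_token_status "$user")")
        printf '%-20s %s\n' "$user" "$status"
        if [ "$status" = ENABLED ]; then
            holders=$((holders + 1))
        fi
    done
    case "$holders" in
        0) echo "WARNING: no account holds a Secure Token"; return 2 ;;
        1) echo "WARNING: only one account holds a Secure Token"; return 1 ;;
        *) echo "OK: $holders accounts hold a Secure Token"; return 0 ;;
    esac
}

# Usage on a Mac (local accounts with UID >= 500):
#   sh audit_secure_tokens.sh $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}')
# With no arguments the script only defines the functions.
if [ "$#" -gt 0 ]; then
    audit_secure_tokens "$@"
fi
```

Run it before rolling out password changes through a management tool: a return code of 1 means a single local account is the only thing standing between the fleet and the recovery-key procedures described in the rest of this post.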
There are two methods which can be used with a personal recovery key to reset a local account’s password and resync a Secure Token:
- FileVault login screen password reset
- macOS Recovery password reset
FileVault login screen password reset
At the FileVault login screen, the following procedure can be used to reset a local account’s password:
1. Select the user account in question.
2. Click the question mark icon.
3. Click the arrow icon.
4. Enter the personal recovery key in the provided blank, then click on the arrow icon.
The encryption will unlock at this point and the Mac will boot.
5. At the Reset Password dialog window, enter a new password and then click the Reset Password button.
As part of the password reset process, the Secure Token attribute for the account will also resync. That should allow FileVault to work normally again.
macOS Recovery password reset
In macOS Recovery, there is a resetFileVaultpassword tool which can use the personal recovery key to authorize password changes and Secure Token resync. The following procedure can be used to reset a local account’s password:
1. Boot to macOS Recovery.
2. Under the Utilities menu, select Terminal.
3. In Terminal, enter the following command and hit Enter.
resetFileVaultpassword
This will launch a Reset Password window, with a blank for entering the personal recovery key.
4. Enter the personal recovery key, then click the Next button.
5. Select the account whose password needs to be reset, then click the Next button.
6. Enter a new password and verify it, then click the Next button.
7. When prompted, click the Restart button.
As part of the password reset process, the resetFileVaultpassword tool also resyncs the Secure Token attribute for the account. That should allow FileVault to work normally again.