April 27, 2024

What to do when offered a new FileVault Recovery Key

macOS Sonoma 14.4 and 14.4.1 updates have been prompting some users to create a new FileVault Recovery Key. If you see this as your Mac completes an update, here’s what you should do next.

iCloud Recovery

If you have already opted for your iCloud account to enable FileVault recovery, or want to, then select that option and continue.

Recovery Key

If you have already set a Recovery Key and want to continue using one, select that option, make a careful note of the new key you’re given, copy it into a text document, and, if you can, take a screenshot of it too. Then get the old key, so that you have both ready to validate.

Once your Mac is running fully, open Terminal and type in the command
sudo fdesetup validaterecovery
After entering your admin password, you’ll then be prompted to enter the new Recovery Key. Type or paste that in carefully, and you’ll be told whether it’s correct or not. Note that Terminal doesn’t display the key when you type or paste it in, and you’ll have to press Return without being able to see or check what you’ve entered. If that new key fails, repeat the command using your previous Recovery Key instead.

If that still doesn’t work, then you’ll need to generate a new Recovery Key. Provided that this is an Intel Mac with a T2 chip, or an Apple silicon Mac, and FileVault is protecting your Data volume on its internal SSD, this is quick and simple, as it doesn’t involve any change in encryption. That’s because, in those circumstances, your FileVault password isn’t used for the encryption as such, but to protect the key that is used for that.

To generate another Recovery Key, open Privacy & Security settings, scroll down to the bottom, and click on FileVault there. Then turn FileVault off.

Wait a minute or so after the window confirms that it has been turned off successfully, then turn it back on.

You’ll then be prompted again to choose a Recovery Key. Ensure that’s copied and saved carefully, then open Terminal and use the
sudo fdesetup validaterecovery
command to check that your new Recovery Key is correct.
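Because Terminal doesn’t echo the key when you type it, a small wrapper that checks the key’s shape first and then feeds it to fdesetup via its -inputplist option avoids blind typing. This is an added example, not part of the original post; it assumes the plist key fdesetup expects is named Password and that validaterecovery prints true on success (both per man fdesetup, check on your own system), and the key it tests against is a constructed sample, not a real one.

```shell
#!/bin/sh
# Added example: sanity-check a FileVault Recovery Key's format, then hand it
# to fdesetup validaterecovery via a plist on stdin instead of typing blind.

# Normalise a pasted key: drop any whitespace and upper-case it.
normalize_key() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Personal recovery keys are 24 characters in six hyphenated groups of four.
# The A-Z/0-9 alphabet below is a loose sanity check (assumption), not Apple's
# exact character set, so it catches truncated or mis-copied keys, nothing more.
check_key_format() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Build the stdin plist for fdesetup -inputplist. Assumption: the recovery key
# goes in a "Password" entry (see man fdesetup). No XML escaping is needed
# because check_key_format has already restricted the characters.
recovery_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict><key>Password</key>'
    printf '<string>%s</string></dict></plist>\n' "$1"
}

# Validate one key (macOS only). Returns 0 if fdesetup reports "true",
# 1 if it rejects the key, 2 if the key is not even well formed.
validate_key() {
    label=$1
    key=$(normalize_key "$2")
    if ! check_key_format "$key"; then
        echo "$label: not a well-formed recovery key; re-check what you copied"
        return 2
    fi
    result=$(recovery_plist "$key" | sudo fdesetup validaterecovery -inputplist 2>/dev/null)
    if [ "$result" = "true" ]; then
        echo "$label: valid"
        return 0
    fi
    echo "$label: rejected by fdesetup"
    return 1
}

# Usage on a Mac: NEW_KEY='XXXX-...' OLD_KEY='XXXX-...' sh check-fv-key.sh
# The new key is tried first; the old one only if the new one fails.
if [ "$(uname -s)" = Darwin ] && [ -n "${NEW_KEY:-}" ]; then
    if ! validate_key "new key" "$NEW_KEY" && [ -n "${OLD_KEY:-}" ]; then
        validate_key "old key" "$OLD_KEY"
    fi
fi
```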

Intel Macs without T2 chips, and all Macs booting from external disks

Unfortunately, FileVault works differently in these, and will have to decrypt and encrypt the protected Data volume if you turn FileVault off and back on. Unless that Data volume is almost empty, that isn’t a good idea, and you may prefer to leave FileVault turned off, or to opt for iCloud Recovery instead.

Remember

If your Mac has FileVault turned on, and you opt to use a Recovery Key, check using fdesetup validaterecovery that the Recovery Key is correct whenever it’s changed. Otherwise you could be in for a big disappointment if you ever need to use it.