How to Recover a FileVault Key

Written by Kelsey Kinzer on November 18, 2022


FileVault is a disk encryption feature built into macOS that protects your startup disk from unauthorized access. When enabled, your startup volume is locked when the Mac is sleeping or shut down, and its contents are encrypted so they cannot be read without the login password.

When enabling FileVault, macOS asks you a critical question on how you would like to unlock your disk. There are two options (Figure 1):

  1. Allow your iCloud account to unlock your disk
  2. Create a recovery key

If you choose the first option while enabling FileVault, you only need to access your iCloud account to unlock your Mac and the OS will not create a separate recovery key. If you choose the second option, macOS generates a recovery key that you are expected to store in a safe place. 

However, what happens if you lose the key? We’ll cover your options for potentially recovering a FileVault key in this tutorial.

screenshot of security and privacy
Figure 1

Note: If you lose both your Mac password and FileVault recovery key, you will not be able to log in to your device or access the data on your startup disk.

Not Sure if the Recovery Key Is Correct?

Maybe you have a recovery key, but are unsure if it’s the right one for this computer. Fortunately, if you are already/still logged in to your Mac, there is a way forward. You can validate the recovery key by taking these steps:

  • Launch the Terminal.app on your Mac: search for “terminal” using the Spotlight search option on your device or navigate through Applications > Utilities > Terminal.
  • Run the command sudo fdesetup validaterecovery and press Return. Enter your admin password when requested.
  • You will be prompted to enter the current recovery key. Type it exactly, including the hyphens. Because your entry is hidden and Backspace does not work if you make a typo, here is a pro tip: copy and paste the key into Terminal. Just be sure you don’t copy any leading or trailing spaces.

There are three possible outcomes: 

  1. true (Figure 2a) if your key is correct
  2. false (Figure 2b) if the key you entered follows the format of a recovery key but is incorrect for this computer
  3. Error: Not a valid recovery key (Figure 2c) if the key does not look like a recovery key at all (e.g., if you leave out the hyphens)

screenshot of a possible outcome: true and the key is correct
Figure 2a
screenshot of a possible outcome: the key follows the format of a recovery key but is incorrect
Figure 2b
screenshot of a possible outcome: not a valid recovery key
Figure 2c
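The two avoidable outcomes above (a mis-pasted key with stray spaces, or one missing its hyphens) can be screened before the hidden prompt ever appears. The following shell helper is an added example, not part of the original tutorial; it assumes the standard personal recovery key shape of 24 uppercase alphanumerics in six hyphenated groups, and that pbcopy is available (it is on macOS) to put the cleaned key on the clipboard for pasting into fdesetup.

```shell
#!/bin/sh
# Constructed helper: clean up and sanity-check a FileVault personal recovery key
# before running `sudo fdesetup validaterecovery`, so whitespace from a sloppy
# copy/paste or missing hyphens is caught up front rather than at the hidden prompt.

# Strip leading/trailing whitespace, the usual copy-and-paste mistake.
normalize_prk() {
  printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Personal recovery keys look like XXXX-XXXX-XXXX-XXXX-XXXX-XXXX (24 uppercase
# letters/digits in six groups of four). Returns 0 when the shape is right.
prk_format_ok() {
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Print the cleaned key on success; on failure report the same kind of problem
# that fdesetup reports as "Error: Not a valid recovery key". Never touches the disk.
prk_precheck() {
  key=$(normalize_prk "$1")
  if prk_format_ok "$key"; then
    printf '%s\n' "$key"
    return 0
  fi
  echo "malformed key: expected XXXX-XXXX-XXXX-XXXX-XXXX-XXXX (hyphens required)" >&2
  return 1
}

# Full flow on a Mac: precheck, copy the clean key to the clipboard, then let
# fdesetup decide true/false at its own prompt (paste the key there with Cmd-V).
validate_prk() {
  key=$(prk_precheck "$1") || return 2
  if ! command -v fdesetup >/dev/null 2>&1; then
    echo "fdesetup not found; run this on the macOS device in question" >&2
    return 3
  fi
  command -v pbcopy >/dev/null 2>&1 && printf '%s' "$key" | pbcopy
  sudo fdesetup validaterecovery
}
```

Run it as `validate_prk '  ABCD-EFGH-IJKL-MNOP-QRST-UVWX '`; the padded sample key is constructed, not a real key.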

Recovery Key Incorrect or Lost?

Unless your system is managed by a device management platform, a FileVault recovery key that is completely lost, or that keeps failing validation with false, unfortunately cannot be recovered. It is gone.

The only thing you can do while you still have access to your computer is to create a new key. You can do this in two ways: 

  1. Via Terminal.app
  2. Via the FileVault tab under Security & Privacy

Whichever method you choose, note that you will not get the same recovery key that was lost. Instead, a new key will be generated.

1. Create a New Key Via Terminal

Launch the Terminal.app and run the following command: 

sudo fdesetup changerecovery -personal 

This method will allow you to generate a new key without having to turn off FileVault and re-enable it. Enter your user name and password when prompted to do so. If the change is successful, you will see a new recovery key (Figure 3). 

Otherwise, you may get an error that you cannot change your key. We recommend trying the second method discussed below if this method doesn’t work for you.

new recovery key
Figure 3

2. Create a New Key Via FileVault Tab

With this method, you need to turn off FileVault and turn it back on to generate a new recovery key. On your Mac, go to Apple menu > System Preferences > Security and Privacy and click on the FileVault tab. 

Then, click the lock icon on the left-hand side of the pane, provide the administrator password, and click Unlock. Afterwards, select Turn Off FileVault… (Figure 4). The decryption of your disk occurs in the background as you use your device and only while the device is awake and plugged into AC power. You can track the progress under the FileVault tab. 

When the decryption is complete, return to the FileVault tab and click Turn On FileVault. You will be prompted to choose between iCloud or a recovery key. If you choose “Create a recovery key and do not use my iCloud account,” be absolutely sure to copy the key and store it in a safe place, such as your password manager.

Do not save it on the same startup disk you are encrypting.

screenshot of security and privacy
Figure 4

Retrieving Your Key On a JumpCloud-Managed macOS Device

If you use a JumpCloud-managed macOS device, yes, it is possible to retrieve your recovery key and avoid the perils of FileVault! Your IT admin will need to take the following steps:

  1. Log in to the JumpCloud Admin Portal
  2. Go to DEVICE MANAGEMENT > Devices 
  3. Under Devices, select the relevant device
  4. Under Details, click the view key button

Boom, your admin can now see your recovery key. To learn more about retrieving a recovery key on a JumpCloud-managed device, check out the following support documentation:

Not using JumpCloud yet? Our open directory platform goes beyond allowing you to easily access recovery keys. It empowers you to manage access, user privileges, and the security settings of your entire fleet — no matter the OS. Start a trial of our platform for free to see why you never have to worry about losing your FileVault recovery key again.

Kelsey Kinzer

Kelsey is a passionate storyteller and Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.
