MacInTouch Amazon link...

FileVault issues

Is that what it is? I had a 8TB external I was using as a Time Machine backup that took three-and-a-half weeks (I kid you not) to fully encrypt. I'll give Jiggler a shot on another 4TB unit slowly grinding away now. Thanks!
I'd try disabling throttling of low-priority i/o:
Code:
sudo sysctl debug.lowpri_throttle_enabled=0
This lasts until you reboot or reenable with =1.
 


Why is the FileVault conversion throttled if the computer is idle? You'd think it would be the exact opposite.
It's likely Apple didn't want to be "battery shamed" when doing the encryption, so rather than use up power (battery or otherwise) all by itself, it instead "hitches a ride" and does more work while the computer is also busy with other tasks.

It sorta makes sense from an efficiency standpoint, but obviously not from a user experience standpoint.
 


Ric Ford

MacInTouch
This topic was discussed on the old MacInTouch platform and it sounds like you're familiar with that. I haven't experienced this issue, but my memory of the previous discussion is that the opposing viewpoint to "encrypt before restore" was summarized by Bombich Software, maker of Carbon Copy Cloner. The third bullet point in this help topic may contain the explanation for the behavior you're seeing, and if so, you might consider wiping the drive, restoring to the unencrypted drive, then enabling FileVault after booting from the drive.
Apparently there is a very well-known issue concerning the new "Secure Token" which is required for a number of High Sierra system activities -- including working with FileVault2
At least some of my slow startup issues with APFS, where the boot process pauses for an extended period midway through, are apparently related to a bafflingly complex issue that manifested in weird problems trying to change FileVault and Startup Security Settings (to make a very long story short).
...
I only finally managed to recover control over FileVault and Startup Security Utility through complicated command-line work with the sysadminctl program, which I hadn't previously known about.
I just stumbled onto this detailed discussion of the secret secure token FileVault issue in APFS:
Software Tested said:
How to Make FileVault Work Again Without a ‘Secure Token’?
Apple introduced the concept of a Secure Token on top of FileVault with the release of macOS High Sierra. The main purpose is to restrict FileVault encryption conversations and access to only Mac accounts with the appropriate permission.

Here is how the Secure Token feature works:
  • The initial user account you create the first time on a new Mac has a Secure Token.
  • All users with sysadminctl have a Secure Token.
  • Any user account generated with the Users & groups option of the System Preferences has a Secure Token.
  • All Active Directory users do not have a Secure Token.
  • Any user created with dscl doesn’t have a Secure Token.
  • Only users with a Secure Token have permission to activate and deactivate FileVault encryption.
FileVault Problems on Mac

The main challenge, however, is that if no account on your Mac has a Secure Token, it means that the profile cannot enable FileVault.

Some users have complained of experiencing this nightmarish scenario. FileVault operations, such as, migrating, enabling, and adding users, failed on macOS High Sierra and later versions if users did not have a Secure Token enabled for their account.

This issue, amongst many other FileVault problems on Mac, has raised a lot of concern about the value of adding a “Secure Token” on top of FileVault. If you are uninitiated, you are probably asking yourself what does missing a ‘Secure Token’ mean....
#filevault #securetoken #login #boot #encryption #resetFileVaultpassword
 


I did a restore on a 2018 MacBook Pro, and now I'm being asked for a "Disk Password" each time it starts up. I think this has been discussed before, but I couldn't find the post. Does anyone know the best method to eliminate the double password startup?
 


Ric Ford

MacInTouch
I did a restore on a 2018 MacBook Pro, and now I'm being asked for a "Disk Password" each time it starts up. I think this has been discussed before, but I couldn't find the post. Does anyone know the best method to eliminate the double password startup?
I'm not on Mojave at the moment, but you might want to check for something like

System Preferences > Security & Privacy > FileVault > Enable Users... [button]
 


I'm not on Mojave at the moment, but you might want to check for something like
System Preferences > Security & Privacy > FileVault > Enable Users... [button]
Thanks Ric, I forgot about this setting. The FileVault page in System Preferences showed "Some users are not able to unlock the disk." However, after clicking the lock icon and entering my password, the "Enable Users..." button does nothing. Ugh.
 


To follow up again, I thought I would try to just disable and re-enable FileVault. For whatever reason, the "Turn Off FileVault..." button didn't do anything either.
 



Other things to check...
It looks like I do not have a secure token. I tried the following command, shown with result:
Code:
sudo sysadminctl -secureTokenStatus <short name>
Secure token is DISABLED for user <full name>
Using the second link you provided, I then tried the recommended steps to reset the FileVault password to enable the token. Unfortunately, I couldn't run Terminal in Recovery mode. It showed: "Recovery is trying to change system settings. No administrator found".

I suspect this is because FileVault is on with no secure token. The post discussed fixing the token problem when FileVault was off. At this point, I might be in some kind of perverse Apple Catch 22.
 


I was able to create a new user with a secure token by running the setup wizard again using this command in Terminal:
Code:
sudo rm /var/db/.AppleSetupDone
I then restarted and went through the new user setup. When prompted, I didn't sign into iCloud. All I needed to do was enter my disk password, and I now had an account with a secure token. From here, I changed the password of my main account in System Preferences > Users & Groups. (I used the same password I previously had, which is enough to get this procedure to work.) My main account now has a secure token and I only need to login once at startup.
 


I have a new 2019 MacBook Pro, so I set up a bootable backup external disk using Carbon Copy Cloner. Booted to the drive just fine. Created Recovery Partition. Then I turned on FileVault, which said I had to restart, so I did. Now I get "can not verify disk" if I try to boot to the external drive. I can still read the backup drive if I am booted from the internal SSD. Any suggestions?
 


Amazon disclaimer:
As an Amazon Associate I earn from qualifying purchases.

Latest posts