Password Reset and Data Recovery
You can help users recover FileVault-encrypted data if they can't log in to their Mac.
You can help users recover their data or reset their password using a personal recovery key that is unique to the client computer. Resetting the password can be done remotely.
Password Reset Using a Personal Key
If a user forgets the login password, the administrator can send a personal recovery key to the remote user, to allow them to log in. The key is a string of letters and numbers separated by dashes.

- Find the serial number of the locked device. It is usually printed on the back of the device.
- Give the serial number to the support representative.

- Get the serial number of the locked device from the user.
- In SmartEndpoint, select Users and Computers.
- In Global Actions, click Native Encryption Recovery Media.
- In the Native Encryption Remote Help window, type the Serial Number.
- Click Get Recovery Key.
- Give the recovery key to the user.

- Get the Recovery Key from the support representative.
- Restart the Mac.
- In the FileVault pre-boot screen, click the ? button. A message shows: If you forgot your password you can reset it using your Recovery Key.
- Type the Recovery Key, and click ->. A progress bar shows.
- For Local Users:
  - In the Reset Password window, the user enters a new password and, optionally, a password hint.
  - Click Reset Password.

To update the Personal Recovery Key (PRK) for Native Encryption Management FileVault, see sk138352.
Mac Recovery Using a Personal Key
A personal key is unique to the client Mac computer or device. The key is a string of letters and numbers separated by dashes.
To recover a user's FileVault-encrypted Mac using the personal key, the administrator reads the key to the user, and uses the key to decrypt and unlock the computer.
To decrypt and recover the user's FileVault-encrypted Mac:

- Show the disk volumes on the Mac. Run the command:
  diskutil apfs list
  The volume to recover is the OS Volume. It has a name similar to disk2s1.
- Unlock the volume with the personal recovery key. Run:
  diskutil apfs unlockVolume <Diskname> -passphrase <Personal Recovery Key>
  The volume is now unlocked.
- Get the list of APFS cryptousers. Run:
  diskutil apfs listcryptousers <Diskname>
  For example:
  diskutil apfs listcryptousers disk2s1
  For a local user, select the UUID of the user that has:
  Type: Local Open Directory User
- Decrypt the volume. Run:
  diskutil apfs decryptVolume <Diskname> -user <User UUID>
- Enter the password of the local user.
- To monitor progress of the decryption, run:
  diskutil apfs list

For a CoreStorage (non-APFS) volume, use the diskutil cs commands with the logical volume UUID (lvUUID) shown by diskutil cs list:

- Unlock the logical volume with the personal recovery key. Run:
  diskutil cs unlockVolume <lvUUID> -passphrase <Personal Recovery Key>
- The user interface shows a prompt to allow access. Enter the keychain password.
  The volume is now unlocked.
- Start the decryption. Run:
  diskutil cs decryptVolume <lvUUID>
- When prompted, enter the password for the local user.
- To monitor progress of the decryption, run:
  diskutil cs list
The user can now reboot the Mac normally.
They do not see the FileVault pre-boot screen.
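The two recovery procedures above (APFS and CoreStorage) are wrapped below in an added shell helper; it is not part of the Check Point documentation or of diskutil. It assumes that the output of diskutil apfs listcryptousers has the tree layout of the constructed sample in the script (not a captured output), and that a personal recovery key has the usual FileVault layout of six dash-separated groups of four letters or digits. The helper checks the key's shape before passing it to diskutil, picks the UUID of the Local Open Directory User automatically instead of by eye, and reads the key from standard input so it is not left in the shell history of the recovery session.

```shell
#!/bin/sh
# Added helper, not part of the Check Point documentation. Assumptions:
# "diskutil apfs listcryptousers" prints the tree layout sampled below
# (a constructed sample, not a captured output), and a personal recovery
# key has the FileVault layout of six dash-separated groups of four
# letters or digits.

# Constructed sample of "diskutil apfs listcryptousers disk2s1" output.
SAMPLE_CRYPTOUSERS='Cryptographic users for disk2s1 (2 found)
|
+-- 0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

# Read listcryptousers output on stdin and print the UUID of the first
# cryptouser whose Type is "Local Open Directory User". Exits 1 if none.
local_user_uuid() {
  awk '
    { for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9A-Fa-f]+-[0-9A-Fa-f]+-[0-9A-Fa-f]+-[0-9A-Fa-f]+-[0-9A-Fa-f]+$/)
          uuid = $i }
    /Type: Local Open Directory User/ && uuid != "" { print uuid; found = 1; exit }
    END { if (!found) exit 1 }'
}

# Reject anything that is not shaped like a personal recovery key before
# it reaches diskutil (catches empty input, truncated keys, stray spaces).
is_valid_prk() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]{4}-){5}[A-Za-z0-9]{4}$'
}

# Unlock and decrypt an APFS OS volume with the personal recovery key
# (the documented APFS steps). The key is read from stdin, so it is not
# left in the shell history of the recovery session.
apfs_recover() {
  disk="$1"                # OS volume from "diskutil apfs list", e.g. disk2s1
  IFS= read -r prk
  is_valid_prk "$prk" || { echo "not a personal recovery key" >&2; return 1; }
  diskutil apfs unlockVolume "$disk" -passphrase "$prk" || return 1
  uuid=$(diskutil apfs listcryptousers "$disk" | local_user_uuid) ||
    { echo "no Local Open Directory User on $disk" >&2; return 1; }
  # decryptVolume prompts for the local user's password on the terminal.
  diskutil apfs decryptVolume "$disk" -user "$uuid" || return 1
  diskutil apfs list       # shows decryption progress
}

# Same flow for a CoreStorage logical volume (the "diskutil cs" steps);
# the lvUUID comes from "diskutil cs list" and no cryptouser lookup is needed.
cs_recover() {
  lvuuid="$1"
  IFS= read -r prk
  is_valid_prk "$prk" || { echo "not a personal recovery key" >&2; return 1; }
  diskutil cs unlockVolume "$lvuuid" -passphrase "$prk" || return 1
  diskutil cs decryptVolume "$lvuuid" || return 1   # prompts for the local user's password
  diskutil cs list
}
```

Usage on the Mac being recovered: `printf '%s\n' "<Personal Recovery Key>" | sh -c '. ./recover.sh; apfs_recover disk2s1'` (or `cs_recover <lvUUID>`); the key is typed once by the person at the keyboard rather than placed on the command line of the session, and the script stops before touching the volume if the key does not have the expected shape.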