What to do when FileVault won’t turn on

After a recent inexplicable problem on my MacBook, in which macOS would complete loading but never get past the blank screen before the Desktop appeared, I had to revert to a clone. (Even reinstalling macOS didn’t work.) I then upgraded to Mojave. Somewhere in there, an important piece of macOS “fell out,” metaphorically.

Apple added the concept in 10.13 High Sierra of a “secure token” to the first account created in macOS on installation or after upgrade as part of the process that allows you to use FileVault. There’s almost no information about this feature, and there’s no way to determine from macOS’s graphical features whether an account has it set.

But if you’re missing a secure token on all your accounts, there’s no way to obtain one, and you won’t be able to turn on FileVault. That’s the situation I find myself in—and I found plenty of others in the same boat.

I went down this rabbit hole by trying to re-enable FileVault after I got my MacBook restored and up to date:

  1. Open the Security & Privacy system preference pane.
  2. Click the FileVault tab.
  3. Click the lock icon in the lower-left corner and enter an administrative account and password.
  4. Click Turn On FileVault.

What should happen after step 4 is that either macOS presents a dialog that guides you to proceed, or an error message appears explaining (sometimes obscurely) why you can’t.

In my case, and that of other people who have shared the same experience on internet forums, there’s no interaction at all. Clicking the button doesn’t result in any action.

At this point, you can “interrogate” macOS via Terminal (in Applications > Utilities). First, you need to know the Unix account name of your macOS account. If you don’t know what that is, follow these steps first:

  1. Open the Users & Groups pane.
  2. Click the lock icon in the lower-left corner and enter an administrative account and password.
  3. Control-click your account name in the account list and choose Advanced Options.
  4. The Account Name is your Unix account’s short name.

Now, with that name in hand, follow these steps: