With FileVault â Offâ can log in via any of the 3 accounts. NewMBPM1:~ Long-T01_UID$ diskutil cs list No CoreStorage logical volume groups found NewMBPM1:~ Long-T01_UID$ diskutil apfs list APFS Containers (3 found) | +-- Container disk3 5172FF0C-FE12-43BC-B785-A343469065D7 ==================================================== APFS Container Reference: disk3 Size (Capacity Ceiling): 994662584320 B (994.7 GB) Capacity In Use By Volumes: 432616132608 B (432.6 GB) (43.5% used) Capacity Not Allocated: 562046451712 B (562.0 GB) (56.5% free) | +-< Physical Store disk0s2 11251327-2EEE-4067-B25E-8C19F4714C9E | ----------------------------------------------------------- | APFS Physical Store Disk: disk0s2 | Size: 994662584320 B (994.7 GB) | +-> Volume disk3s1 32EED8C6-88B4-424B-B83E-93AF0BCDEDAC | --------------------------------------------------- | APFS Volume Disk (Role): disk3s1 (System) | Name: NewM1 MBP14 HD (Case-insensitive) | Mount Point: Not Mounted | Capacity Consumed: 15704408064 B (15.7 GB) | Sealed: Yes | FileVault: No (Encrypted at rest) | | | Snapshot: 6BF4B01C-1BDB-4773-8052-1640F34D4AF1 | Snapshot Disk: disk3s1s1 | Snapshot Mount Point: / | Snapshot Sealed: Yes | +-> Volume disk3s2 22E54FF2-EFEC-4216-A845-86288F5DE151 | --------------------------------------------------- | APFS Volume Disk (Role): disk3s2 (Preboot) | Name: Preboot (Case-insensitive) | Mount Point: /System/Volumes/Preboot | Capacity Consumed: 188669952 B (188.7 MB) | Sealed: No | FileVault: No | +-> Volume disk3s3 E6EAFA08-D775-43F5-80EE-14DF77AA6408 | --------------------------------------------------- | APFS Volume Disk (Role): disk3s3 (Recovery) | Name: Recovery (Case-insensitive) | Mount Point: Not Mounted | Capacity Consumed: 856158208 B (856.2 MB) | Sealed: No | FileVault: No | +-> Volume disk3s5 D6B7417E-F2D5-450B-A63F-1CBFC16E3CCF | --------------------------------------------------- | APFS Volume Disk (Role): disk3s5 (Data) | Name: Data (Case-insensitive) | Mount Point: /System/Volumes/Data | Capacity Consumed: 415659524096 B (415.7 GB) | Sealed: No | FileVault: No (Encrypted at rest) | +-> Volume disk3s6 91371F95-D2E4-474A-8395-1A8AD666E210 --------------------------------------------------- APFS Volume Disk (Role): disk3s6 (VM) Name: VM (Case-insensitive) Mount Point: /System/Volumes/VM Capacity Consumed: 20480 B (20.5 KB) Sealed: No FileVault: No NewMBPM1:~ Long-T01_UID$ diskutil list /dev/disk0 (internal): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme 1.0 TB disk0 1: Apple_APFS_ISC ⠨⠩ 524.3 MB disk0s1 2: Apple_APFS â ¨Container disk3â © 994.7 GB disk0s2 3: Apple_APFS_Recovery ⠨⠩ 5.4 GB disk0s3 /dev/disk3 (synthesized): #: TYPE NAME SIZE IDENTIFIER 0: APFS Container Scheme - +994.7 GB disk3 Physical Store disk0s2 1: APFS Volume â ¨NewM1 MBP14 HDâ © 15.7 GB disk3s1 2: APFS Snapshot â ¨com.apple.os.update-...â © 15.7 GB disk3s1s1 3: APFS Volume â ¨Prebootâ © 188.7 MB disk3s2 4: APFS Volume â ¨Recoveryâ © 856.2 MB disk3s3 5: APFS Volume â ¨Dataâ © 415.7 GB disk3s5 6: APFS Volume â ¨VMâ © 20.5 KB disk3s6 NewMBPM1:~ Long-T01_UID$ fdesetup status FileVault is Off. FileVault master keychain appears to be installed. NewMBPM1:~ Long-T01_UID$ sudo fdesetup list Password: T02_UID,D76FB1E2-DA8F-11D9-9B82-000A95ACF9D2 Long-T01_UID,962402C7-B1D6-4F0D-9110-593E228EEF7F S01_UID,C039F77B-4AD5-11D8-952E-000A95ACF9D2 NewMBPM1:~ Long-T01_UID$ sudo sysadminctl -secureTokenStatus S01_UID 2021-12-26 12:08:40.901 sysadminctl[10415:463820] Secure token is ENABLED for user S01_UID NewMBPM1:~ Long-T01_UID$ sudo sysadminctl -secureTokenStatus T_01_UID 2021-12-26 12:08:48.920 sysadminctl[10417:463858] Secure token is ENABLED for user T_02_UID NewMBPM1:~ Long-T01_UID$ sudo sysadminctl -secureTokenStatus " T_02_Long_UID " 2021-12-26 12:10:27.032 sysadminctl[10451:465207] Secure token is ENABLED for user T_02_Long_UID ********* Then I turned on FileVault in account T_01_UID. Then can only login via S01_UID Then logged in as T_01_UID to enter these commands NewMBPM1:~ Long-T01_UID$ fdesetup status FileVault is On. FileVault master keychain appears to be installed. NewMBPM1:~ Long-T01_UID$ sudo fdesetup list Password: T02_UID,D76FB1E2-DA8F-11D9-9B82-000A95ACF9D2 Long-T01_UID,962402C7-B1D6-4F0D-9110-593E228EEF7F S01_UID,C039F77B-4AD5-11D8-952E-000A95ACF9D2 NewMBPM1:~ Long-T01_UID$ sudo fdesetup haspersonalrecoverykey Password: false NewMBPM1:~ Long-T01_UID$ sudo fdesetup hasinstitutionalrecoverykey true NewMBPM1:~ Long-T01_UID$ sudo fdesetup removerecovery -institutional Password: Enter the user name:S01_UID Enter the password for user 'S01_UID': NewMBPM1:~ Long-T01_UID$ sudo fdesetup hasinstitutionalrecoverykey false But with FileVault enabled we still had same login issue, and turning on FileVault again gave the message about an institutional key being set PS The old and new computers have never been in anyone elseâ s hands. Presumably the new computer was â pollutedâ by the old computer during the migration. The old computer was bought straight from Apple by mail. So the only 3 possibilities I can think of for an enabled institutional key are: 1) Nefarious actor in Apple supply chain who did this at the factory. 2) Nefarious actor who broke into a hotel room while I was out on a business trip and figured how to install an institutional recovery key (unlikely since I am a very low value target!) 3) Bug where during a system crash or whatever at some point in the 6 years I had the old computer something â glitchedâ and set an institutional recovery key by some random pathway.