“Bug” in FileVault Encryption of M1 Macs

Not a bug but a security feature. Mac's equipped with a T2 Security Chip or the M1 Apple Silicon chips are hardware encrypted at the factory out of the box. When you turn on FileVault it merely generates a recovery key and puts a new private key into the Secure Enclave within the T2 or M1 SoC processor.

When you first install macOS on one of these T2/M1 Mac's it will create an administrator account and that account has what is called a secureToken. Only accounts created by an account that holds a secureToken will be able to unlock the disk.

Your problem may have occurred wether or not the older 13" MacBook Pro is T2 equipped or not because Migration Assistant doesn't add the secureToken to the other two accounts you migrated. Likely one of the 3 accounts matched your primary account and that one migrated and kept the secureToken but the other two didn't exist on the M1 so they didn't receive a secureToken. When you created the other two new accounts they also received the secureToken which is required to unlock the disk.

The easiest quickest way to fix this would be to delete the 2 problematic user accounts without removing their home folders and then recreate them using your primary working account that has a secureToken. It is important that you set the same icon, name, login name and passwords. They will pickup on the existing home folders and that should fix it.

In System Preferences -> Users & Groups, unlock the screen with the gold lock bottom left corner. Then highlight the first account to remove and click the minus button at the bottom left. Be sure to click the "Don't change the home folder" option. Then go ahead and click Delete User. Then add the user back with the + button, set the same information for this user. Rinse and repeat for User #2. Then reboot and see those two users can unlock the disk at the pre-boot authentication screen.

Okay let's start over...

To summarize your admin is user1 and we have successfully deleted user2 & user3 and recreated them and they do now unlock FileVault at boot as they now have a secureToken. The issue as it stands, is that you now have:

/Users/user2/

/Users/user2 Deleted/

/Users/user3/

/Users/user3 Deleted/

The data we need to keep is in the "Deleted" home folders. An attempt to delete the user2 and user3 home folders failed, likely due to those users being in existence. So now we need to delete the user2 and user3 user accounts then delete their home folders and rename the Deleted home folders to be /Users/user2 and /Users/user3.

The difference this time you are not going to use the GUI in System Preferences because that's how we ended up with the home folders being renamed to say Deleted. We are going to delete the users from the command line in Terminal then we should be able to move the home folders that contain the data back in place and recreate the users in the GUI. The home folders should be found and utilized without data loss.

For simplicity you can change to being in sudo mode so you don't have to type sudo over and over. The "rm -rf" commands are extremely dangerous you have to be very careful not to make a typo. The command means remove (delete) recursively (a folder and all sub-folders) and do it forcefully and don't bug me about it. One wrong move and you can nuke important files. There are some protections in place that in years past were not there. Horror stories of mainframes being nuked and it taking weeks to get it all rebuilt. So be careful!

sudo -s

The prompt will change to a # symbol indicating you are running as if you are root (not truly root but the most power you can have on macOS).

Delete the User Accounts (not the home folders)

dscl . delete /Users/user2
dscl . delete /Users/user3

Delete the mostly empty home folders

rm -rf /Users/user2
rm -rf /Users/user3

Move the home folders that say "Deleted" back to their original names

mv /Users/"user2 Deleted" /Users/user2
mv /Users/"user3 Deleted" /Users/user3

Type "exit" and Return to exit sudo mode

Prompt should change to a % if you have Zsh or $ if you have Bash.

Now we go back to System Preferences and recreate user2 and user3 you can go to the Advanced Options by right-clicking the newly created user and you can see their home folder which for User2 should be /Users/user2.

Logout of User1 and login to both accounts. If the short and long usernames and passwords are all the same as originally all the data should just be there like magic. 🤞🤞

Let's say you have 3 users as you described.

User1 existed on the old computer and was the account you setup the M1 with initial. This is the master admin account on the Mac. When you restored your data with Migration Assistant it worked because this account has the first secureToken on the M1 Mac. The data was migrated from the old Mac to the new. The home folder matched the user and all the data came over.

User 2 & 3 existed on the old Mac but not on the new one. When you ran Migration Assistant it created the accounts on the M1 Mac and migrated the data but did not assign a secureToken to User 2 & 3 so they cannot unlock the disk at boot.

I am proposing that you delete User 2 and User 3 while logged on as User 1. Being very careful not to delete their home folders. All the data is kept in the home folders of each user. Then you will delete and re-create User 2 and User 3. I am also advising that you make sure the user accounts are named exactly the same when you create them. There's a Full name and an Account name (short name). i.e. Full Name = John T. Doe and Account Name = jtdoe and the home folder would be /Users/jtdoe.

The way you check the information before you delete User 2 & User 3 is you go to the System Preferences -> Users & Groups, unlock the screen with the Gold lock. Then Right-Click on User 2 and go to Advanced Options. You only need to worry about the Account name (short name) and the Full Name. Make a note of those two values for User 2 and User 3. Then you can delete those two user accounts but keep their home folders.

Then you create User 2 and User 3 using the same Full Name & Account Name. When those user login, all their data will be there as if nothing happened. The user account is distinct from the data and there's an option to archive a user accounts home folder that you delete or delete all the data. But you need to choose the option to keep the home folder so the data is left intact.

So you do have duplicate User2 & User3 home folders? i.e. screenshot? Looks like you marked up the screen shot with "Deleted)". I realize you are redacting the actual usernames, etc.

When you run the "sudo chown" command use the actual username:staff and /Users/username. There should only be one /Users/user2 and one /Users/user3 and they should contain the users data. Also make sure User2 and User3 are not logged on when you do it. i.e. don't use Fast User Switching, logout of both User2 & User3 and only login with your User1 admin account.

Now you do have duplicate user home folders.

/Users/user2. <- active to new User2 account

/Users/user2 Deleted <- contains data was old User2 account

Apparently the GUI method of deleting a user but keeping the home folder has resulted in it renaming the home folder to deleted.

I should have had you delete user2 & 3 from the terminal it would not have renamed the old home folders.

So what we need to do is delete the empty home folders and rename the ones named deleted back to normal.

sudo rm -rf /Users/user2

sudo mv /Users/“user2 Deleted” /Users/user2

Repeat for User3

What do you see in the /Users folder? Do you have duplicate home folders?

Anything like:

/Users/user2

/Users/user2-1

/Users/user3

/Users/user3-1

Oh wait, I know what the problem is. It's permissions... As the admin User1 open up Terminal and change the ownership of the files in /Users/user2 & /Users/user3 to User2 & User 3 respectively. Like this:

[use the short names]

sudo chown -R user2:staff /Users/user2

sudo chown -R user3:staff /Users/user3

It's possible the newly created users don't have everything exactly the same such as the UID number. This should fix it.

If you had created the other 2 accounts on the new M1 prior to restoring with Migration Assistant the other two accounts would have worked. It's because you migrated the user accounts without creating them with the 1st admin account on the M1 Mac that they lacked the secureToken.

This security feature prevents malware or a hacker from generating a new admin account with access to unlock the disk. In the old days you could delete a hidden /var/db/.AppleSetupDone empty file and that would trigger the Setup Wizard to create a new local admin account. There are other ways to generate an account and this security feature prevents it from unlocking the disk.

Very pleased that we were able to help you get the M1 back up and running.

FYI,

The reason FileVault encrypts and decrypts so quickly is because the SSD is already encrypted from the factory. Turning on FileVault merely generates a new public / private key pair and writes the private key to the Secure Enclave within the M1 and uses the public key to generate the Recovery Key which Apple will store in iCloud by default.

Apple wrote up a document covering all the hardware and software security written for the average person to digest. Apple Platform Security - Apple Support