


Question: Mac OS X High Sierra 10.13.1: Disk Encryption, No user with secure token activated

Hi there,

I have the following situation on my MacBook Pro 13" 2017 and have not yet found an appropriate solution:

  1. I have installed Mac OS X High Sierra 10.13.1 from a bootable USB drive using the official installer app from the Mac App Store
    1. During installation I chose to assign my flash drive's total capacity to one APFS case-sensitive, encrypted container. During this process I had to assign a password for disk encryption
    2. I created the user $ADMINUSER during installation process as the main administrator
  2. Now I activated the root user via Directory Utility and I added another standard user
  3. In the end I wanted to delete the initial admin user, since I now had activated the root user. At first it wouldn't let me, neither through Directory Utility nor through dscl . delete /Users/$ADMINUSER.

    So I came across diskutil apfs listCryptoUsers and saw that the admin user is listed there. Running fdesetup remove -uuid $ADMINUSER-UUID exited successfully and then allowed me to remove user $ADMIN through Directory Utility.

  4. Only after that did I come across the sysadminctl tool, check for users on my system with a secure token enabled, and realize I had just deleted the only user for which the secure token was ENABLED

So far I have not been able to assign a secure token to either root or any other user on my system.

  • I tried sysadminctl -secureTokenOn <user name> -password <password> so far; it wouldn't let me: Operation is not permitted without secure token unlock.
  • Also fdesetup add -usertoadd added_username resulted in an error: Unable to add one or more users to FileVault. (-69594)
  • Also I tried to boot in recovery mode and deleted /var/db/.AppleSetupDone using Terminal. Then I booted normally. The setup process started. I was asked to enter details for the new main system administrator user. After that was completed, a GUI popped up and asked for the drive's encryption password. I tried several times to enter it, but it just was not accepted. No error message, nothing, only the GUI popping up again and again.

Any idea how I could enable secure token for any user left on my system without wiping my flash drive and reinstalling everything?

Currently the issue is not very critical since I still have the password initially used for encrypting the whole drive. But I have the feeling that I might come across a situation where this might be a road blocker for normal use of the system (major system update etc.).


MacBook Pro with Retina display, macOS High Sierra (10.13.1)
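An added pre-flight check for the situation described in point 3 of the question (example code, not from the original post and not Apple's tooling): before running fdesetup remove for an account, confirm that at least one other local account still holds a secure token. It assumes the "Secure token is ENABLED for user …" wording that sysadminctl -secureTokenStatus prints, and that the macOS commands are run with admin rights; the parsing helpers run on any POSIX shell.

```shell
#!/bin/sh
# Added example: guard against removing the last secure-token holder.
# Only the dscl/sysadminctl calls need macOS; the parsers are plain awk/grep.

# Count ENABLED reports in sysadminctl -secureTokenStatus output read from stdin.
count_enabled() {
    grep -c 'Secure token is ENABLED' || true
}

# Local accounts only (UID >= 500), from the directory service.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Emit one "user ENABLED|DISABLED|UNKNOWN" line per local account.
# sysadminctl writes its report to stderr, so it is merged into stdout.
token_status() {
    for u in $(local_users); do
        st=$(sysadminctl -secureTokenStatus "$u" 2>&1 | grep -Eo 'ENABLED|DISABLED' | head -n 1)
        echo "$u ${st:-UNKNOWN}"
    done
}

# Read "user STATUS" lines on stdin; succeed only if an account other than $1
# has a token, i.e. removing $1 will not leave the volume with no holder.
other_holder_exists() {
    awk -v skip="$1" '$1 != skip && $2 == "ENABLED" { n++ } END { exit (n > 0 ? 0 : 1) }'
}

# Usage: guard_remove <shortname>  (run before fdesetup remove / deleting the user)
guard_remove() {
    if token_status | other_holder_exists "$1"; then
        echo "ok: another secure-token holder remains; $1 can be removed from FileVault"
    else
        echo "STOP: $1 is the only secure-token holder; grant another account a token first (sysadminctl -secureTokenOn)" >&2
        return 1
    fi
}

# Run the live check only on macOS and only when a user name was given.
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
    guard_remove "$1"
fi
```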


Nov 19, 2017 4:01 PM in response to propertychangelistener

As far as I know, there is no way to give someone "back door" decryption rights.

I'm also confused as to your user scenario. You would be far better off keeping an admin capable user and disabling root user. I have yet to find any normal need to enable the root user.
