Question: Mac OS X High Sierra 10.13.1: Disk Encryption, No user with secure token activated
I have the following situation on my MacBook Pro 13" 2017 and did not yet find an appropriate solution:
- I have installed Mac OS X High Sierra 10.13.1 from a bootable USB drive using the official installer app from the Mac App Store
- During installation I chose to assign my flash drive's total capacity to one APFS case-sensitive, encrypted container. During this process I had to assign a password for disk encryption
- I created the user $ADMINUSER during installation process as the main administrator
- Now I activated the root user via Directory Utility and I added another standard user
- In the end I wanted to delete the initial admin user, since I had now activated the root user. At first it wouldn't let me, neither through Directory Utility nor through dscl . delete /Users/$ADMINUSER.
So I came across diskutil apfs listCryptoUsers and saw that the admin user is listed there. Running fdesetup remove -uuid $ADMINUSER-UUID exited successfully and then allowed me to remove user $ADMINUSER through Directory Utility.
- Only after that I came across the sysadminctl tool, checked for users on my system with a secure token enabled, and had to realize I had just deleted the only user for which the secure token was ENABLED
So far I have not been able to assign a secure token to root or to any other user on my system.
- I tried sysadminctl -secureTokenOn <user name> -password <password> so far - it wouldn't let me: Operation is not permitted without secure token unlock.
- Also fdesetup add -usertoadd added_username resulted in an error: Unable to add one or more users to FileVault. (-69594)
- Also I tried to boot into recovery mode and deleted /var/db/.AppleSetupDone using Terminal. Then I booted normally. The setup process started. I was asked to enter details for the new main system administrator user. After that was completed, a GUI popped up and asked for the drive's encryption password. I tried several times to enter it, but it just was not accepted. No error message, nothing, only the GUI popping up again and again.
Any idea how I could enable a secure token for any user left on my system without wiping my flash drive and reinstalling everything?
Currently the issue is not very critical since I still have the password initially used for encrypting the whole drive. But I have the feeling that I might come across a situation where this might be a road blocker for normal use of the system (major system update etc.).
MacBook Pro with Retina display, macOS High Sierra (10.13.1)
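The check that would have prevented the situation above is to ask sysadminctl for the secure token status of every FileVault user before running fdesetup remove, and to refuse the removal when the target is the last ENABLED holder. The script below is an added example, not code from the original post: it parses the "Secure token is ENABLED/DISABLED for user <name>" lines that sysadminctl -secureTokenStatus prints and guards the removal. The sample status lines, the user names (adminuser, root, bob) and the timestamps in them are constructed; collect_status and guarded_remove only do anything useful on a macOS 10.13+ host.

```shell
#!/bin/sh
# Added example: refuse to remove the last Secure Token holder from FileVault.
# Assumes `sysadminctl -secureTokenStatus <user>` reports one line per user
# containing "Secure token is ENABLED for user <name>" or "... DISABLED ...".

# Run the real tool for every user named on the command line (macOS only).
# `fdesetup list` prints "user,UUID" lines, so the usual call is:
#   collect_status $(fdesetup list | cut -d, -f1)
collect_status() {
    for u in "$@"; do
        sysadminctl -secureTokenStatus "$u" 2>&1
    done
}

# Constructed sample output standing in for collect_status on a machine
# where only the initial admin account holds a token (the poster's state).
sample_status() {
cat <<'EOF'
2017-11-10 12:00:01.000 sysadminctl[412:5031] Secure token is ENABLED for user adminuser
2017-11-10 12:00:01.100 sysadminctl[413:5032] Secure token is DISABLED for user root
2017-11-10 12:00:01.200 sysadminctl[414:5033] Secure token is DISABLED for user bob
EOF
}

# Print the user names whose status line says ENABLED, one per line.
# $1: status text as produced by collect_status / sample_status.
enabled_users() {
    printf '%s\n' "$1" | awk '
        /Secure token is ENABLED for user / { sub(/.*for user /, ""); print }
    '
}

# Count the ENABLED holders other than $1 in status text $2; always prints
# a number (0 when none) so it is safe under set -e.
other_holders() {
    printf '%s\n' "$2" | awk -v target="$1" '
        /Secure token is ENABLED for user / {
            sub(/.*for user /, "")
            if ($0 != target) n++
        }
        END { print n + 0 }
    '
}

# Succeed (exit 0) only if removing $1 leaves at least one other token holder.
safe_to_remove() {
    [ "$(other_holders "$1" "$2")" -gt 0 ]
}

# Guarded replacement for a bare `fdesetup remove -user <name>` (macOS only).
# Collects live status for every FileVault user, then removes only when safe.
guarded_remove() {
    target=$1
    status=$(collect_status $(fdesetup list | cut -d, -f1))
    if safe_to_remove "$target" "$status"; then
        fdesetup remove -user "$target"
    else
        echo "refusing: $target is the only user with a secure token" >&2
        return 1
    fi
}
```

With the constructed sample, enabled_users lists only adminuser, so safe_to_remove adminuser fails while safe_to_remove bob succeeds; that is exactly the distinction the poster needed before running fdesetup remove. Note that the token status is reported per user, not per volume, which is why diskutil apfs listCryptoUsers alone (a list of crypto users, not of token holders) was not enough to catch the problem.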