Cannot switch off File Vault using admin account - "Account cannot be used to manage encryption"

I have been trying to switch off File Vault; however, I keep getting "Account “(account name)” cannot be used to manage encryption on this Mac. Click the lock to prevent further changes, then select another administrator account, and try again."

The account I am using is the initial and only admin account. I have tried with another admin account (which I managed to successfully create); however, I am still getting the same error.

Posted on Dec 14, 2017 12:44 AM

Dec 15, 2017 9:42 PM in response to and10

I had this same, incredibly frustrating problem. Thankfully the solution that worked for me is very simple.


First, create a new user, make sure it's an admin user. Give it a password. Log out of your old user, log into your new user, and then reset the password of your old user. Make sure you pick a different password than you have now.

Be aware that Keychain will still use your old password, so don't forget it just yet.

Log out of your new user, log into your old user. Voila, that user now has the securetokenon flag set. You can now disable FileVault.

Be aware that when you log back into your old user, iCloud, Keychain, and all your email accounts will require you to log back in. This is a security measure to prevent unwanted access to your secure iCloud contents. You will have to enter your iCloud/Apple account password several times. This is normal behavior.

When Keychain asks for your password, it will be the password your old user had before you reset it.

Dec 16, 2017 1:16 PM in response to Livingroom

Thank you very much for the potential solution. I didn't get a chance to try it out because I decided to proceed with a disk erase and a reinstallation of the OS with a restore from Time Machine. I set the newly formatted drive as non-encrypted and my backup had no encryption anyway. As a result my primary drive has no FileVault enabled anymore; however, I am not sure if I'll get any problems should I decide to enable it.

Jan 29, 2018 2:31 PM in response to JordanBueno

Ran into this problem this morning too. Brand new Mac, straight out of the box from the Apple Store, bought a week ago.

Just trying to turn on FileVault. I created an Admin user (let's call it CompanyAdmin) and then logged that user out. Then I created another user (Susie) and made her Admin. While logged in as Susie I can't enable FileVault.

When I log back in with CompanyAdmin, I can turn it on fine. Just can't do it when I'm logged in with Susie. Functionally, it's the same because when I'm logged in as CompanyAdmin and setting up FileVault, I have the option to check a box on Susie's name and enable her so she can log in with her own username and password to unlock the account.

Appears to be yet another bug in High Sierra. I have set up hundreds of computers with FileVault and you were always able to turn it on with a second Admin account.

Feb 12, 2018 5:57 PM in response to Livingroom

I tried Livingroom's solution, but unfortunately it didn't work. The "cannot be used to manage encryption on this Mac" error message continues to appear.


I suspect that in my case, and perhaps many others', the problem originated with the fact that when I used a bootable High Sierra installer to format a new SSD so that I could install High Sierra onto it, I formatted it as "APFS (Encrypted)" rather than simply "APFS". That means the newly-created APFS volume was encrypted in a context where users that would exist on the new volume hadn't been created yet. I expect that if I had formatted the SSD without encryption, then installed the OS, then booted from the new drive, and only *then* encrypted the volume by turning on FileVault, I would not be having this issue. (The real problem I'm trying to solve is that when booting from the new volume, it's no longer possible to get to the user login screen without *first* having to separately type in the "Disk Password", as opposed to my user login automatically unlocking the disk without requiring me to type two different passwords.)


I'm not entirely sure whether to think of this situation as a "bug" in High Sierra, or the unanticipated but predictable result of encrypting an intended APFS boot volume from within a user session that was booted from a *different* volume. I hope that Apple, or some clever expert, comes forward with a solution that doesn't require reformatting the targeted drive *without* encryption and then either restoring from backup or starting over.

Feb 12, 2018 7:54 PM in response to jdmcmurtry

Good news! I think I found a solution:


(1) Boot the Mac from any volume containing an APFS-aware version of macOS (that is, Sierra or High Sierra) other than the subject volume (the one you're trying to remove the encryption from). It doesn't matter whether or not the volume you boot from is itself formatted in APFS.


(2) Log in if necessary, and make your way to the Terminal. (If you've booted using a Recovery volume or a macOS installer volume, you can find Terminal in the "Utilities" menu.)


(3) In Terminal, enter the following command: diskutil apfs list


(4) In the displayed results, look for the name of the subject volume, and make note of its disk identifier string, which should be in the format disk#s# (where "#" represents a numeral).


(5) In Terminal, enter the following command: diskutil apfs unlockVolume disk#s# (substituting the disk identifier string for the subject volume). When prompted, type in the volume's "Disk Password" (encryption key).


(6) In Terminal, enter the following command: diskutil apfs decryptVolume disk#s# (substituting the disk identifier string for the subject volume). When prompted, type in the volume's "Disk Password" (encryption key).


If all is well, you will see a message indicating that decryption of the subject volume has begun. If so, it's just a matter of waiting for the process to complete, which may take several hours. If you wish, you can immediately restart the Mac and boot up the subject volume. You will be asked once more to provide the Disk Password before you can log in. After logging in, open System Preferences > Security & Privacy > FileVault. You should see the label "Decrypting..." next to a progress bar with an estimated time remaining to complete the decryption task. Once it's completed, you should be able to re-enable FileVault from the same prefpane, and *this* time your admin-privileged account will be able to administrate FileVault properly, including the ability to log in at startup without separately providing the Disk Password first.


Give this a try and let me know how it goes for you!

Feb 14, 2018 1:51 PM in response to plochner

I believe the answer is no, there is no difference in the resulting drive security. The only functional difference appears to be that if you're going to be booting macOS from the drive in question, you will only be able to integrate the disk password into your user login if you set up the encryption via FileVault. If you apply encryption at the time the disk is formatted, this won't be possible, meaning you'll be forced to enter the disk password separately during the boot process, before you reach the user-login screen.


For evidence, I would call your attention to the way that the output of the "diskutil apfs list" command is formatted. The fifth line of information printed beneath each APFS Volume indicates whether the volume is encrypted, and if so, whether it's presently unlocked (i.e. the necessary credentials have been supplied so that the encrypted content of the volume is accessible). The *label* at the left end of that line is not "Encrypted:" or "Encryption:"; it's "FileVault:". This is true regardless of whether the encryption was applied at formatting, or later using the FileVault prefpane. Provided that the underlying filesystem is indeed APFS, there is no difference in the encryption itself!
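
Added example, not part of any post in this thread: a shell helper that reads "diskutil apfs list" text and reports, for each volume, the disk#s# identifier needed in steps (4) to (6) of the earlier reply and the "FileVault:" line described just above. The sample text is constructed, with a layout assumed from that description, and the function names fv_status and locked_volumes are hypothetical.

```shell
# Constructed sample (not captured from a real Mac); layout assumed from the
# thread: five info lines per volume, the fifth one labelled "FileVault:".
sample_apfs_list() {
cat <<'EOF'
+-- Container disk1 00000000-0000-0000-0000-000000000000
    +-> Volume disk1s1 00000000-0000-0000-0000-000000000001
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         100000000000 B (100.0 GB)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s2 00000000-0000-0000-0000-000000000002
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (No specific role)
    |   Name:                      New SSD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         50000000000 B (50.0 GB)
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s3 00000000-0000-0000-0000-000000000003
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s3 (No specific role)
        Name:                      Scratch (Case-insensitive)
        Mount Point:               /Volumes/Scratch
        Capacity Consumed:         1000000000 B (1.0 GB)
        FileVault:                 No
EOF
}

# fv_status: read "diskutil apfs list" text on stdin; print id|name|state per volume.
fv_status() {
  awk '
    /\+-> Volume / {                 # volume header: remember its disk#s# identifier
      name = "?"
      for (i = 1; i <= NF; i++) if ($i ~ /^disk[0-9]+s[0-9]+$/) id = $i
    }
    /^[ |]*Name:/ { sub(/^[ |]*Name:[ ]*/, ""); sub(/ \([^)]*\)$/, ""); name = $0 }
    /^[ |]*FileVault:/ { sub(/^[ |]*FileVault:[ ]*/, ""); print id "|" name "|" $0 }
  '
}

# locked_volumes: ids of encrypted volumes that are still locked, i.e. the ones
# that need "diskutil apfs unlockVolume" before anything else can be done.
locked_volumes() {
  fv_status | awk -F"|" '$3 == "Yes (Locked)" { print $1 }'
}
# Demo on the constructed sample; on a Mac use: diskutil apfs list | fv_status
sample_apfs_list | fv_status
```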