What is a Secure Token and how do I get an admin user that has one

I have an iMac 2017 with a FusionDrive on which FileVault cannot be enabled. The situation is summed up in this reddit post. The problem boils down to: I have no admin user who has a secure token and it seems like I cannot get one. This can be confirmed by running:

sysadminctl interactive -secureTokenStatus USER_NAME

for every user. It always comes back with

Secure token is DISABLED for user USER_NAME

The first setup from factory settings did not result in a user with a Secure Token, and I tried to:

  • Delete /var/db/.AppleSetupDone to set up a new admin account. Result: A new admin account that also does not have a token.
  • Reinstall MacOS High Sierra: First created admin user does not have secure token.

It seems that this is either intentional (because of the Fusion Drive?) or a bug in High Sierra. With exactly the same procedure on a Macbook Pro 2017 I get an admin user with a Secure Token and that user can manage FileVault and give secure tokens to other users.

Since I want to use FileVault, I also tried to reformat the main disk with an encrypted file system, reinstalling MacOS and restoring from time machine backup. This worked, FileVault is enabled, but now I have to enter the disk password every time the computer boots (before the login screen). I don't want this, I want to unlock the disk with a user password.

What can I do to get an admin user with a secure token?


Solution 1:

Just migrated to a new 2018 MacBook Pro, and somehow my original account (an admin user) was created without a secure token during the migration. I even tried creating a new admin user, logging into that user and trying to run sysadminctl -secureTokenOn justin -password - but getting:

2018-07-30 14:17:56.552 sysadminctl[886:18232] Operation is not permitted without secure token unlock.

So then I tried the following providing adminUser and adminPassword flags as my original user justin:

sysadminctl -secureTokenOn justin -password - -adminUser justin -adminPassword -

Enter password for justin :

Enter password for Justin K :

2018-07-30 14:31:05.262 sysadminctl[998:49031] setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 "Authentication server refused operation because the current credentials are not authorized for the requested operation." UserInfo={NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.}

Essentially it seems since none of my users have a secure token, there is no way to grant a secure token. The only downfall is the following:

  • When I cold start the machine I have to enter a disk decryption password, which results in entering my password twice (once for disk decryption and once for the user account).

  • When I try to turn off FileVault by clicking the button nothing happens. The same behavior when clicking the warning button "Some users are not able to unlock the disk [Enable Users...]" nothing happens.


Solution 2:

It does seem you've come across a bug, since you should be granted a secure token when…

  1. Secure Token is automatically enabled for the user account created by Apple’s Setup Assistant.
  2. The Setup Assistant-created user account with Secure Token then creates other users via the Users & Groups preference pane in System Preferences. Those accounts get their own Secure Token automatically.

Secure Token and FileVault on Apple File System - Der Flounder

To manually grant a secure token, run

sysadminctl -secureTokenOn yourusername -password -

where yourusername is the username of the user you wish to grant a secure token to. Don't forget the hyphen at the end too! Don't use sudo.

You'll first be prompted to ‘unlock’ Users & Groups preferences by providing administrator credentials to the GUI dialog, then you'll be prompted for the password to the account you wish to give a token to on the CLI.

Solution 3:

I found myself in this situation. I think this was because I did a clean OS install while FileVault was enabled, so the users weren't migrated.

Accordingly, System Preferences complained "Some users are not able to unlock the disk" but clicking "Enable Users" did nothing, sysadminctl -secureTokenStatus jrc (my main user) said "DISABLED", and sysadminctl -secureTokenOn ... was useless.

A clue came from the fact that fdesetup list -extended reported an "Unknown User" entry. So I solved the problem by creating a new user, changing the UUID of that user to that of the unknown user, and using that new user to fix up my existing user. This required a trip to recovery mode (or single user mode) as the Directory Services store is protected by System Integrity Protection (SIP).

  1. Note the UUID of the unknown user(s) reported from sudo fdesetup list -extended.
  2. In System Preferences > Users & Groups, create a new administrator user (named admin in this example) using the same password as your main user account.
  3. Boot into Recovery Mode and change the GeneratedUID of the newly created user to match the above UUID. This can be done by opening Utilities menu > Terminal in Recovery Mode, then running dscl -f "/Volumes/Macintosh HD/var/db/dslocal/nodes/Default" localonly -changei /Local/Default/Users/admin GeneratedUID 1 5BBB4CE0-FEC9-4922-A456-5FE00534C065. Substitute your volume name, username, and UUID as appropriate. Everything is case-sensitive.
  4. Reboot normally. sysadminctl -secureTokenStatus admin should now report "ENABLED". (Yay!)
  5. sudo fdesetup add -usertoadd jrc. When prompted, enter the credentials of the above admin user.
  6. Finally, run diskutil apfs updatePreboot / to fix up the boot graphics.

Some related links that I found helpful:

  • https://carpeaqua.com/2017/11/30/updating-your-apfs-encrypted-volume-filevault-password/
  • https://derflounder.wordpress.com/2019/02/10/re-syncing-local-account-passwords-and-secure-token-on-filevault-encrypted-macs-running-macos-mojave/

Solution 4:

I was able to make this work. First, diagnose that you have the same issue. Run:

sysadminctl -secureTokenStatus <username>

If it shows "secure token disabled," and you have no other users on the system that have it enabled, you need to go through this dance.

Force the Apple Setup wizard to run on your next install by running:

sudo rm /var/db/.AppleSetupDone

And restart your computer. After the restart finishes, log in as this new admin and create a new admin user; with that user, go to Settings | Security & Privacy | File Vault, and grant your actual user the privileges to unlock the file system. Run this again; it should now say enabled for your actual user:

sysadminctl -secureTokenStatus <username>
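A small audit script, added here and not part of the question or any of the answers, that lists every member of the local admin group together with its Secure Token state using the same sysadminctl -secureTokenStatus check the answers rely on, so you can confirm after one of the fixes above that at least one admin can unlock FileVault. It assumes macOS's dscl and sysadminctl; on any other host it falls back to a constructed sample report so the parsing helpers can still be exercised.

```shell
#!/bin/sh
# Added example (not from the question or any answer): audit which local admin
# accounts hold a Secure Token. Assumes macOS dscl/sysadminctl; helpers are pure sh.

# Pull ENABLED/DISABLED out of a sysadminctl -secureTokenStatus line such as
#   2018-07-30 14:17:56.552 sysadminctl[886:18232] Secure token is DISABLED for user justin
# Anything else (e.g. an error message) yields UNKNOWN rather than an empty string.
parse_token_status() {
    state=$(printf '%s\n' "$1" | sed -n 's/.*Secure token is \([A-Z]*\) for user .*/\1/p')
    printf '%s\n' "${state:-UNKNOWN}"
}

# Turn dscl's "GroupMembership: root admin jrc" line into one member per line.
admin_members_from_line() {
    printf '%s\n' "$1" | sed 's/^GroupMembership: *//' | tr ' ' '\n' | sed '/^$/d'
}

# Count "user STATE" report lines whose state is anything other than ENABLED.
count_without_token() {
    printf '%s\n' "$1" | awk 'NF == 2 && $2 != "ENABLED" { n++ } END { print n + 0 }'
}

# Live audit: one "user STATE" line per admin group member. sysadminctl writes
# its status message to stderr, hence 2>&1. Only run where sysadminctl exists.
audit_secure_tokens() {
    members=$(admin_members_from_line "$(dscl . -read /Groups/admin GroupMembership)")
    for u in $members; do
        printf '%s %s\n' "$u" "$(parse_token_status "$(sysadminctl -secureTokenStatus "$u" 2>&1)")"
    done
}

# Constructed sample report standing in for audit_secure_tokens output on a
# machine in the state the question describes (no admin holds a token).
SAMPLE_REPORT='root DISABLED
admin DISABLED
jrc DISABLED'

if command -v sysadminctl >/dev/null 2>&1; then
    report=$(audit_secure_tokens)
else
    report=$SAMPLE_REPORT
fi
printf '%s\n' "$report"
missing=$(count_without_token "$report")
if [ "$missing" -eq 0 ]; then
    echo "all admin accounts hold a Secure Token"
else
    echo "$missing admin account(s) lack a Secure Token; no one can add FileVault users until one is fixed"
fi
```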