In a previous blog post, I wrote about Why you should use FileVault personal recovery keys instead of institutional recovery keys.
If you have a personal recovery key, this is how you can use it to unlock a FileVault-encrypted machine that’s been reboot (useful for organizations that doesn’t have their local admin accounts as FileVault-enabled ones) or how you can use it to reset a user’s forgotten password. The steps for both procedures are very similar and differ only at the very end.
When you boot up the Mac and get to the FileVault prompt for the user, click the question mark button next to the password field.
Then, click the arrow next to If you forgot your password, you can reset it using your Recovery Key.
You’ll then be prompted to enter your recovery key.
Go ahead and enter the recovery key when prompted. It won’t be the one you see in the screenshot. It’ll be one that you have escrowed somewhere (Crypt Server, your MDM, MunkiReport, etc.). And, don’t worry—that recovery key is for a VM’ed Mac, and I rotated the key to be a new one anyway.
Wait for macOS to boot up.
At this point, the procedures for “unlock a machine that you want to reboot but don’t know the user password to” and for “user has forgotten her password and needs a new one” diverge.
If the user has forgotten her password, have her simply enter a new password, verify it, and then click Reset Password.
If you just wanted to unlock the encrypted computer so you can log into another account (e.g., local admin that isn’t a FileVault-enabled user), click Cancel, and you can log into another account on the computer.