You’ve just finished upgrading to the latest macOS version, but there’s a major problem: you can’t log in. You’re certain you’re typing the right password, but your Mac won’t accept it, leaving you stuck on the login screen.
If you use Apple’s FileVault to encrypt your hard drive, you’ve likely run into a known issue that can occur with major macOS updates. When FileVault is active during the upgrade, it can sometimes prevent your user password from being recognized correctly.
Don’t panic. There is a direct solution to this problem, but it requires using the Terminal in Recovery Mode. This guide will walk you through every step needed to decrypt your drive and regain access to your Mac.
Disclaimer: This is an advanced fix. Please follow the steps carefully. The process is safe, but it’s always wise to have a backup of your important data if possible.
Before You Begin: The One Thing You Absolutely Need
The entire recovery process depends on you knowing your passphrase. For most users, this is simply your regular user account password that you use to log in. Make sure you have it ready.
The Step-by-Step Guide to Decrypting Your Drive
You’ll need to reboot your Mac into Recovery Mode to get started.
- For Apple Silicon Macs (M1, M2, M3, etc.): Shut down your Mac. Press and hold the power button until you see the “Loading startup options” screen. Select “Options,” then click “Continue.”
- For Intel-based Macs: Shut down your Mac. Turn it on and immediately press and hold Command (⌘) + Runtil you see the Apple logo or a spinning globe.
Once you’re in the macOS Utilities window, navigate to the top menu bar, click Utilities, and select Terminal.
Now, carefully follow these commands.
Step 1: Find Your Encrypted Data Volume
First, list all the available disks to find the identifier for your main data partition.
Bash
diskutil apfs list
Look through the output for the APFS Volume associated with your macOS installation. It will often be named something like Macintosh HD - Data. More importantly, you need to find two things:
- The line
FileVault: Yes (Locked) - Its identifier, which will look like
diskXsY(e.g.,disk3s5).
Remember this identifier, as you will need it for all subsequent commands.
Step 2: Unlock the Volume
Now, use the identifier you found to unlock the drive. Replace diskXsY with your specific identifier.
Bash
diskutil apfs unlockVolume /dev/diskXsY
The system will prompt you to enter your passphrase. This is your user account password. If successful, you’ll see a message confirming the volume is now unlocked and mounted.
Step 3: Find Your User’s UUID
Next, you need to get the unique ID for your user account on the encrypted volume.
diskutil apfs listcryptousers /dev/diskXsY
You’ll see a list of cryptographic users. Note the long alphanumeric string next to “Local User” – this is your user UUID.
Step 4: Start the Decryption
It’s time to begin the main process. In the command below, replace diskXsY with your volume identifier and UUID_OF_LOCALUSER with the actual UUID you copied from the previous step.
diskutil apfs decryptVolume /dev/diskXsY -user UUID_OF_LOCALUSER
Enter your passphrase one last time when prompted. Terminal will confirm that the decryption process has started in the background.
Step 5: Check the Decryption Progress
To see how the decryption is going, run the list command again.
diskutil apfs list
Look for your volume and you should see a progress percentage, such as
Decryption Progress: 15.0%.
Pro-Tip: Watch the Decryption Live To avoid having to manually run the command over and over, you can use this handy command to get a live, updating view of the progress.
Just remember to replace diskXsYwith your identifier.
while true; do diskutil apfs list | grep -B2 -A6 diskXsY; sleep 1; printf "\033"; done
To stop it, press Control + C.
Is this process safe? Will I lose my data?
This process is generally very safe. The diskutil command is a standard macOS tool, and decryption is a routine function. It is designed to remove the encryption layer without erasing your files or applications. However, as with any major system procedure, there is always a minimal risk. This is why we strongly recommend having a backup of your critical data before you begin, just in case.
Which password is the ‘passphrase’? Is it my Apple ID password?
The ‘passphrase’ is the password you use to log in to your user account on the Mac. It is not your Apple ID or iCloud password, unless you happen to use the same password for both.
How long does the decryption process take?
The time can vary significantly based on several factors:
Drive Size: Larger hard drives take longer.
Data Amount: The more data you have, the longer it takes.
Drive Speed: Decryption is much faster on modern SSDs than older hard disk drives (HDDs).
It could take anywhere from 30 minutes to several hours. The “live monitoring” command in the guide is the best way to keep an eye on the progress.
It worked! Should I turn FileVault back on now?
If Hackintosh. NO if Real Mac, Yes, we highly recommend it. First, restart your Mac and ensure you can log in and that everything is working as expected. Then, go to System Settings > Privacy & Security > FileVault and turn it back on. FileVault is a crucial security feature that protects the data on your drive if your Mac is ever lost or stolen.
Why does this login issue happen in the first place?
During a major macOS upgrade, the system has to update the components that manage startup and security. Occasionally, the link between your user password and the FileVault encryption “key” can be misaligned or corrupted in this process. Decrypting the volume removes this broken link, allowing you to regain access. When you re-enable FileVault later, you create a fresh, correct link.
I got an error like “No such file or directory.” What did I do wrong?
This type of error almost always points to a typo. The most common mistakes are:
Incorrect Disk Identifier: Double-check that you are using the correct identifier (diskXsY) that you found in Step 1. It’s very easy to mistype a number.
Typo in the Command: Carefully re-read the command you typed and compare it to the one in the guide.
Can I stop the decryption process halfway through?
It is not recommended. If you stop the process, your drive will be left in a partially encrypted state, and you still won’t have fixed the login problem. It’s best to let the process complete fully. If the process is interrupted by a crash or reboot, follow the “Troubleshooting” steps in the guide to resume it.
Troubleshooting: What If My Mac Crashes During Decryption?
System crashes are rare, but if your Mac reboots in the middle of this process, don’t worry. The decryption is likely just paused.
- Reboot back into Recovery Mode and open Terminal.
- Run
diskutil apfs listand check the status of your volume. You should see that the decryption is “Paused.” - Unlock the volume again using the command from Step 2:
diskutil apfs unlockVolume /dev/diskXsY. - Run
diskutil apfs listonce more. In most cases, the decryption will automatically resume. - If it doesn’t resume, open a new, separate Terminal window (leave the first one open) and run this command:
/usr/libexec/apfsd. This should kickstart the process, and you’ll see the progress begin to tick up again.
Once the decryption is 100% complete, you can restart your Mac from the Apple menu. You should now be able to log in with your password as usual. After confirming everything works, you can choose to re-enable FileVault in System Settings > Privacy & Security.
