Several readers have asked recently about what to do with systems they’ve purchased, inherited, or were given to them that were protected by FileVault and the original owner can’t recall or provide the password.
FileVault protects in two parts: You know the first, which is that while a Mac is at rest (that is, powered down), its startup drive remains strongly encrypted, so even if the data is extracted, it’s unusable to another party.
But it also protects the startup process. Because the disk is encrypted, macOS can’t boot into your main system on the startup volume. Instead, it boots a special part of the Recovery Disk, a partition you normally use for emergencies. That boot process presents a login screen that looks similar to the main macOS login, but only contains accounts that have FileVault-access enabled.
Behind the scenes, after you enter the password correctly for one of those accounts, macOS decrypts the volume encryption key and passes the boot to the startup partition along with the affirmation that you’ve logged in correctly.
You can recover a lost FileVault password or erase a FileVault drive, losing everything but regaining the ability to use the system.
(Now if I were suspicious, I’d wonder if the emails I’ve received were from people who had obtained systems illegitimately, and were trying to crack into them or reformat a system that they’d potentially obtained through another party who might not have had full authority to give it to them.(The article continues...)