To improve the security of all the data at rest on your Mac, FileVault is the best option. It is macOS’s full-disk encryption (FDE), which means that your startup volume is locked with strong encryption when you shut down your Mac (not when it is merely sleeping). Without the password of an account on your Mac that is authorized to log in with FileVault, there’s no way to bring the device back to work.
FileVault is a pretty great security option. But imagine that you forget the passwords of all the authorized accounts, or that you receive emails about something going wrong and the Recovery Disk, which is used both for “cold start” logins to macOS and for diagnosing issues on the startup volume, demands a login that won’t work.
In those cases, the recovery key that you set when activating FileVault on your Mac can be the last resort. But if a long time has passed, you might have forgotten which file you saved the key in or how to retrieve it.
This is a real problem with security options that are reliable enough that you don’t need to work with them regularly. That’s why Apple required users to enter the passphrase every six days two years ago, even if users enabled Touch ID.
The first time you set up FileVault, from the FileVault tab of the Security & Privacy system pane, one step asks whether you want to use your iCloud account as an option to unlock the disk and reset your account password in case you are not able to find the recovery key. You can choose to store the recovery key as part of your iCloud account in order to reset the password.
If you select iCloud, the recovery key is not saved in iCloud Drive; instead it is tied into the account information, which is maintained by Apple. You need not worry that the recovery key can be accessed, since it’s fully encrypted and even Apple cannot get access to the unencrypted recovery key. But if you want to reset your password, the company can send the encrypted recovery key to your device. In this configuration you never see the recovery key and don’t have to type it. Apple describes this in detail in the “Reset using the Reset Password assistant” section of this support document.
If you select the other path, where FileVault generates a recovery key and displays it, make sure to write it down or record it electronically, and save it in such a way that you can access it when your Mac is not booted. We recommend choosing a storage method that’s reliable, secure and accessible, like 1Password’s secure notes.
It’s very important to set a reminder to look for your recovery key (or other passwords and keys that you store in the same place). If you are not able to find it, simply switch FileVault off in macOS and then enable it again. The process will take a few minutes since it must decrypt and then re-encrypt the entire drive. macOS will then generate a new recovery key, which you should note again more carefully. In each of the above cases, if you are not able to sign in to iCloud or you lose the recovery key, your Mac’s files will be lost forever, with no way to retrieve them.
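One way to act on that reminder, as an added example that is not part of the original article: a small shell script that classifies `fdesetup status` output, sanity-checks the shape of a written-down key, and asks macOS to validate the key with `fdesetup validaterecovery`. The script name `fv-check.sh`, the function names, the sample status text and the assumed key shape (six groups of four characters) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample, modelled on what `fdesetup status` prints mid-decryption.
SAMPLE_DECRYPTING='FileVault is Off.
Decryption in progress: Percent completed = 42'

# Classify `fdesetup status` text as on, off, busy or unknown.
# "busy" matters for the off-then-on re-key: wait until the drive has
# finished decrypting or encrypting before taking the next step.
parse_fv_status() {
    case "$1" in
        *"in progress"*)      echo busy ;;
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Succeed if $1 has the shape of a displayed recovery key (assumed here:
# six dash-separated groups of four capital letters or digits).
is_recovery_key_format() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Live check; run as root on the Mac itself.
check_recovery_key() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found" >&2; return 2; }
    state=$(parse_fv_status "$(fdesetup status)")
    if [ "$state" != on ]; then
        echo "FileVault state is '$state'; nothing to validate yet" >&2
        return 1
    fi
    # fdesetup prompts for the key itself and prints true or false.
    fdesetup validaterecovery
}

# Only touch the system when explicitly asked:
#   sudo sh fv-check.sh check   -> validate the stored key against the disk
#   sh fv-check.sh lint         -> read a key from stdin, check its shape only
case "${1:-}" in
    check) check_recovery_key ;;
    lint)  IFS= read -r key && is_recovery_key_format "$key" && echo "format ok" ;;
esac
```

The `lint` mode reads the key from standard input rather than from an argument, so the key does not end up in shell history.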