Typically, to find out if a user account on a Mac has a secure token, you run a command like
sysadminctl -secureTokenStatus username
Where username is the username of the account you’re checking for a secure token.
Several folks on the MacAdmins Slack have mentioned that the most accurate way to get the secure token users is to use
diskutil apfs listCryptoUsers /
Cryptographic users for disk1s5s1 (2 found)
| Type: Personal Recovery User
Type: Local Open Directory User
dscl . -search /Users GeneratedUID EA93MFB0-AA30-123B-99E8-80B8C109F1E7
nameofauseraccount GeneratedUID = (
Incidentally, even though people usually use
listCryptoUsers, there are several other parameters that return the exact same result. From
listCryptoUsers | listUsers | listCryptoKeys | listKeys
Show all cryptographic users and special-purpose
(e.g. recovery) "users" (keys) that are currently
associated with the given APFS Volume, each by
their Cryptographic User UUID and usage "type".
The usual purpose of an APFS Cryptographic User is
to authenticate for unlocking its APFS Volume; any
of its users can do so.
An APFS Volume need not be encrypted in order to
contain crypto users; indeed, other than the Disk
User, they should be added before encrypting.
Types of Cryptographic Users include at-most-one-
per-Volume "Disk" user, whose UUID value always
matches its Volume's UUID; iCloud or personal
"Recovery Keys", which are not users per se, but
instead store partial crypto keys and are associ-
ated with corresponding "Recovery Users" and have
fixed-constant UUID values; and "Open Directory"
users, whose UUID values match corresponding local
macOS Open Directory account user GUIDs.
If -plist is specified, then a property list will
be emitted instead of the normal user-readable out-
I’ve tested those manually, and they do indeed return the same results as
If you want a script that gets the crypto users and their respective usernames, I wrote one up in Python: ListCryptoUsers.py. I think others may have scripts written in bash or zsh, too. Edit: here’s one, for example.
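The two-step lookup described above (crypto user UUIDs from diskutil, then a dscl search on GeneratedUID), as an added example that is not the ListCryptoUsers.py script mentioned in the post. The sample UUIDs and the account name alice are constructed, and the "+-- UUID" line layout of the diskutil text output is an assumption, since the UUID lines are not shown in the output above.

```python
import re
import subprocess

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Constructed sample data (not from a real Mac), in the layout diskutil and dscl print.
SAMPLE_DISKUTIL = """Cryptographic users for disk1s5s1 (3 found)
|
+-- 00000000-0000-0000-0000-000000000001
|   Type: Personal Recovery User
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Local Open Directory User
"""
SAMPLE_DSCL = {"11111111-2222-3333-4444-555555555555":
               'alice\t\tGeneratedUID = (\n    "11111111-2222-3333-4444-555555555555"\n)\n'}

def parse_crypto_users(text):
    """Return [(uuid, type)] from `diskutil apfs listCryptoUsers` text output."""
    users, current = [], None
    for line in text.splitlines():
        match = UUID_RE.search(line)
        if "+--" in line and match:
            current = match.group(0).upper()
        elif "Type:" in line and current:
            users.append((current, line.split("Type:", 1)[1].strip()))
            current = None
    return users

def dscl_lookup(uuid):  # the dscl search from the post; works on macOS only
    cmd = ["dscl", ".", "-search", "/Users", "GeneratedUID", uuid]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def resolve(crypto_text, lookup=dscl_lookup):
    """Map each crypto user UUID to (type, username or None)."""
    resolved = {}
    for uuid, kind in parse_crypto_users(crypto_text):
        name = None
        if "Open Directory" in kind:  # recovery users have no account to look up
            hits = [ln.split()[0] for ln in lookup(uuid).splitlines() if "GeneratedUID" in ln]
            name = hits[0] if hits else None  # None: no local account has this UUID
        resolved[uuid] = (kind, name)
    return resolved

if __name__ == "__main__":
    for uuid, (kind, name) in resolve(SAMPLE_DISKUTIL, lambda u: SAMPLE_DSCL.get(u, "")).items():
        print(uuid, kind, name or "-")
```

On a Mac, pass the real output of diskutil apfs listCryptoUsers / to resolve() and leave lookup at its default. An Open Directory crypto user that resolves to no username is worth a closer look, since it can still unlock the volume.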
One response to “Using diskutil to find secure token users on a Mac”
You could also use:
sudo fdesetup list -extended
which will also show the Type and the username for the secure token.