I have a FileVault firmware password protected MacBook Air 2015, can I recover the SSD data from it?

[tonmischa]

You are welcome.

I already tried to recover it using an Apple ID, but my relative failed to provide any correct password for the local account, nor any Apple ID linked to that account. In other words, it is a local account without any links to any Apple ID. I logged in the Apple account web and in "my devices", there was no MacBook Air, only an iPhone and an iPad. That is enough to determine that my relative's Apple Account was not linked to that Mac, right?

Unfortunately you have to be logged into the user account to see to what AppleAccount it is linked to.
But please clarify: You logged into which AppleAccount? The one your relative uses for his iPhone and iPad? That's the one password he did remember?

Unless, and I've been helping relatives and friends long enough to experience all kind of plot twists... my relative used a different Apple ID. And doesn't even remember the name, let alone the password.

As a last resort, I would probably ask them to provide all mail adresses they ever used. Then try a "forgot password" on the AppleID site for each of them to find out if any one of them has been ever used to create an AppleAccount.

In case FileVault is disabled, I can, instead of booting normally from the SSD by installing it inside the MacBook which would trigger the Apple Account Password request and that's how far I'd get, plug it in via an USB adapter [...] as a external drive, and explore the folders and stuff from there, right?

Yes. You would probably have to deal with some permission stuff for the user folders, but that is easy to overcome.

In case FileVault is enabled, my relative doesn't remember the pass, let alone a key, already checked the emails, nothing. So until the password is finally remembered somehow, data is lost I guess.

Unless you are willing to pay for the "brute-force attack data recovery offer" (which sounds a little bit shady to me, to be honest), then very likely: yes.

that a good security measurement would be to link the SSD to the motherboard that encrypted the data

Thats what Apple is doing now for the AppleSilicon chips. (Someone tried to soldier the flash cells from one AS chip to another. Did not work.)

so cracking or removing a FW password only means you can save $200-400 in a new motherboard replacement

The FW password was mainly meant to prevent starting up the computer from an external drive or the Recovery Partiton. Which could give access to the internal drive.
You correctly say, that this can be circumvented by simply exchanging the motherboard, so thats why Apple changed that system to what we have now.

 

[tonmischa]

Is this a removable drive or soldered flash chip?

its an M.2 SSD, but with a proprietary connector.

@alexmartinpc : Sorry, I was wrong. You can NOT use a 2.5 -Sata to USB enclosure. (I was probably thinking about a MacMini in that moment.) But you already figured that out for yourself Just posting it here for other readers who might come here in the future...

MacBook Air 13" Early 2015 SSD Replacement

Use this guide to upgrade or replace the solid-state drive in a MacBook Air 13” Early 2015. This MacBook Air uses a proprietary storage drive...

www.ifixit.com

 

[alexmartinpc]

Is this a removable drive or soldered flash chip?

of course removable SSD, the original that comes with mb air 2015

 

[nathansz]

of course removable SSD, the original that comes with mb air 2015

Was easier for me to ask then to look it up

In that case, if you find no other option, you may be able to buy data recovery software for around $100USD that will get all of your files

Most of them have a free trial sufficient enough to see if it can actually recover your data or not

So no risk to try

.....

edit to say after looking that I've used disk drill in the past

not for this exact use case but it might work for you

 

[brilliantthings]

I don't use filevault. I've NEVER used it.
You now understand what kind of problems can result in certain circumstances.

This is only my uneducated guess, but...
Forget it. Don't remember the password?
You're not getting that data back.

This is the truth sadly. Remember it or lose it.

 

[nathansz]

I don't use filevault. I've NEVER used it.
You now understand what kind of problems can result in certain circumstances.

This is only my uneducated guess, but...
Forget it. Don't remember the password?
You're not getting that data back.

to be fair that's how its meant to work

so, if you can't remember a password, don't use file vault

 

[adrianlondon]

For those wondering what would happen if they ever found themselves in a similar situation in future ...

Look up the fdesetup command. Some examples below.

List users who can unlock filevault:
sudo fdesetup list -verbose

You have a recovery key? Check it:
sudo fdesetup validaterecovery

You don't, or the validate fails? Generate a new one:
sudo fdesetup changerecovery -personal

Personally, I don't use nor recommend a firmware password. Filevault is enough for me, as it keeps my data secure. If someone steals my laptop, whether they can re-use it or chuck it in the bin once they find out they can't, I still don't have the laptop.

 

[alexmartinpc]

Was easier for me to ask then to look it up

In that case, if you find no other option, you may be able to buy data recovery software for around $100USD that will get all of your files

Most of them have a free trial sufficient enough to see if it can actually recover your data or not

So no risk to try

.....

edit to say after looking that I've used disk drill in the past

not for this exact use case but it might work for you

Yeah, I know, don't worry.

I can give a try at a recovery software, yeah, but first I wanna check if it's even encrypted or not.

 

[alexmartinpc]

Unfortunately you have to be logged into the user account to see to what AppleAccount it is linked to.
But please clarify: You logged into which AppleAccount? The one your relative uses for his iPhone and iPad? That's the one password he did remember?

I logged into the main and only relative's account via web (chrome), that had an iPhone and an iPad, as expected. So the fact that there was no MacBook Air means there was no link.

I just thought yet of another scenario. What if now magically my relative guesses and correctly logs in another Apple account that is actually linked with the MacBook Air?

In "My Devices", there would be a MacBook Air, but with the original motherboard serial number. Remember now that the original motherboard is broken, and I'm using another one with different hardware (i7, 8GB RAM, 512GB SSD) and different serial number.

Can Apple still recognize that SSD or MacBook Air local account linked to an Apple ID (Apple Account since a few months), or since it's a different serial number, it won't be able to unlock the SSD in this new hardware?

I guess the moment I connect the laptop to internet, Apple should recognize that there's an Apple ID linked to that device, but I don't know how it will deal with the fact that it has a different Serial Number than the one showing all these years.

That's kind of the last question I don't understand... if I plug in the SSD to a random MacBook Air 2015, different HW and SN... how can Apple recover that account password? Via internet, so no matter anything but simply being connected to internet to receive the commands from Apple servers and get unlocked?

 

[MacCheetah3]

I just thought yet of another scenario. What if now magically my relative guesses and correctly logs in another Apple account that is actually linked with the MacBook Air?

In "My Devices", there would be a MacBook Air, but with the original motherboard serial number. Remember now that the original motherboard is broken, and I'm using another one with different hardware (i7, 8GB RAM, 512GB SSD) and different serial number.

Can Apple still recognize that SSD or MacBook Air local account linked to an Apple ID (Apple Account since a few months), or since it's a different serial number, it won't be able to unlock the SSD in this new hardware?

I guess the moment I connect the laptop to internet, Apple should recognize that there's an Apple ID linked to that device, but I don't know how it will deal with the fact that it has a different Serial Number than the one showing all these years.

That's kind of the last question I don't understand... if I plug in the SSD to a random MacBook Air 2015, different HW and SN... how can Apple recover that account password? Via internet, so no matter anything but simply being connected to internet to receive the commands from Apple servers and get unlocked?

The new MacBook Air (i.e., different MBA mainboard) won’t be associated with the family member’s Apple ID because you can’t log into macOS. You need to log into macOS to log into iCloud err an Apple ID on that device. In other words, to register a device to an Apple ID, you must log into your Apple ID/iCloud on that device. Simply connecting the Mac to an Internet connection isn't gong to register it.

If you forgot your Mac login password - Apple Support

If you can’t log in to your Mac user account, try these solutions.

support.apple.com

Forgot your Mac password? Here’s how to reset it

Forgetting your MacOS password is never a great feeling, but there’s a couple of ways you’ll be able to reset this key login info. Here’s a guide to help.

www.digitaltrends.com

 

[alexmartinpc]

The new MacBook Air (i.e., different MBA mainboard) won’t be associated with the family member’s Apple ID because you can’t log into macOS. You need to log into macOS to log into iCloud err an Apple ID on that device. In other words, to register a device to an Apple ID, you must log into your Apple ID/iCloud on that device. Simply connecting the Mac to an Internet connection isn't gong to register it.

No, you misunderstood the situation.

You got a MacBook Air 2015, and you create a password protected local account, then you sign in your Apple ID (so there are 2 accounts already, 2 different passwords) and after that, if you go to Chrome and sign into Apple ID web, check "My Devices", the MacBook Air 2015 will show up there, with one specific serial number... Then you enable FileVault, encrypt data and enable FW password.

Then you swap the motherboard, put that SSD. The FW password will be gone, the MacBook Air will boot normally, you will be asked the local account password, and imagine you don't remember it.

Easy, log into your Apple ID web and recover it from there, as it's linked. HOWEVER, my question is... that MBA in your account has a different serial number, the mobo is different. Would you still be able to use your Apple ID to recover the pass of the local account?

 

[MacCheetah3]

Would you still be able to use your Apple ID to recover the pass of the local account?

No, because as you said, it’s similar to getting a new/another MacBook.

Then you swap the motherboard, put that SSD. The FW password will be gone, the MacBook Air will boot normally, you will be asked the local account password, and imagine you don't remember it.

Easy, log into your Apple ID web and recover it from there, as it's linked.

And that’s my point: it’s not (yet) linked to yours or your family member’s Apple ID because you haven’t logged in to an Apple ID (yet) on that specific MacBook.

I’ll try to explain it another way… If during (initial) setup, you skip the (log into) Apple ID step.

How to Setup iPhone Without Apple ID [2025 Complete Guide]

Want to know how to setup iPhone without Apple ID? This guide provides you with various methods with ease. Reading and choose one that works best for you.

www.fonetool.com

You can still use some functions: check the weather, take photos/video, reminders, etc

However, that device (e.g., iPhone, iPad, Mac) won’t be listed as a device on your Apple account err Apple ID. That is, until you log into iCloud (i.e., Apple ID) in Settings.

 

[alexmartinpc]

No, because as you said, it’s similar to getting a new/another MacBook.


And that’s my point: it’s not (yet) linked to yours or your family member’s Apple ID because you haven’t logged in to an Apple ID (yet) on that specific MacBook.

I’ll try to explain it another way… If during (initial) setup, you skip the (log into) Apple ID step.

How to Setup iPhone Without Apple ID [2025 Complete Guide]

Want to know how to setup iPhone without Apple ID? This guide provides you with various methods with ease. Reading and choose one that works best for you.

www.fonetool.com

You can still use some functions: check the weather, take photos/video, reminders, etc

However, that device (e.g., iPhone, iPad, Mac) won’t be listed as a device on your Apple account err Apple ID. That is, until you log into iCloud (i.e., Apple ID) in Settings.

Interesting... so then my original motherboard actually has a link to the original SSD, which was confirmed as false before (it was clear there was no link and no need of the original motherboard)?

Like... does all of this mean that the only way to recover a user account password via Apple ID, linked to that Apple ID previously of course, is by using the same motherboard it was linked with?

You confirmed that if I plug that SSD into another MacBook Air, since it's a different serial number, it won't no longer show up in "My Devices", and my Apple ID won't longer be able to recover the local user password EVEN though it's the Apple ID linked to that local user.

Yet another twist... then what happens if, like I did, change the motherboard and SSD by new ones, create a local user account and link it to my Apple ID, hence adding that motherboard to "my devices" with its serial number, and then swap the SSD back to the original, and click on recover the local account password?
What would happen then?

 

[antiprotest]

I am trying to follow this thread and I am still confused:

Did the Mac have FileVault (ie Bitlocker in Windows) enabled or not?

 

[MacCheetah3]

I’m seemingly not explaining this well.

Yet another twist... then what happens if, like I did, change the motherboard and SSD by new ones, create a local user account and link it to my Apple ID, hence adding that motherboard to "my devices" with its serial number, and then swap the SSD back to the original, and click on recover the local account password?
What would happen then?

Admittedly, I’m not certain. I’m not privy to exactly how Apple handles it. Put simply, my assumption is the account usernames of registered Macs are (routinely) synced to the Find My service, which would allow you to select which account (password) to reset and (the) Apple (server) to send the proper authentication/request to the Mac.

Ultimately, after you register the/a Mac to the/an Apple ID, you can use the reset via Apple ID feature. However, unfortunately, you’re in that paradox state where to register you need to log in but you can’t log in because you can’t register the Mac.

Does that make anything clearer?
😆 😐

 

[alexmartinpc]

I am trying to follow this thread and I am still confused:

Did the Mac have FileVault (ie Bitlocker in Windows) enabled or not?

I still don't know as I don't have access to it rn. We are also talking in general, or at least I am asking questions about things I want to understand, not necessarily that I will face them. Just out of curiosity.

 

[nathansz]

No, you misunderstood the situation.

You got a MacBook Air 2015, and you create a password protected local account, then you sign in your Apple ID (so there are 2 accounts already, 2 different passwords) and after that, if you go to Chrome and sign into Apple ID web, check "My Devices", the MacBook Air 2015 will show up there, with one specific serial number... Then you enable FileVault, encrypt data and enable FW password.

Then you swap the motherboard, put that SSD. The FW password will be gone, the MacBook Air will boot normally, you will be asked the local account password, and imagine you don't remember it.

Easy, log into your Apple ID web and recover it from there, as it's linked. HOWEVER, my question is... that MBA in your account has a different serial number, the mobo is different. Would you still be able to use your Apple ID to recover the pass of the local account?

You can arbitrarily give an Intel Mac any serial number you want

 

[alexmartinpc]

I’m seemingly not explaining this well.


Admittedly, I’m not certain. I’m not privy to exactly how Apple handles it. Put simply, my assumption is the account usernames of registered Macs are (routinely) synced to the Find My service, which would allow you to select which account (password) to reset and (the) Apple (server) to send the proper authentication/request to the Mac.

Ultimately, after you register the/a Mac to the/an Apple ID, you can use the reset via Apple ID feature. However, unfortunately, you’re in that paradox state where to register you need to log in but you can’t log in because you can’t register the Mac.

Does that make anything clearer?
😆 😐

Mmm... not really, this scenario, which could perfectly be mine, is a yes or no question. As in:

"Yes, IF it is that you had an Apple ID linked to the local account of that SSD, hence linked to the original motherboard and its serial number, you mandatory need that original motherboard to recover the local account password via Apple ID because when you are in the Apple ID web and select "recover this MacBook Air password", it only communicates with the original motherboard"

In which case, the previous statement said here that "there is no linkage between the SSD and the original broken motherboard" would be false.

or...

"No, you can plug the original SSD into any random MacBook Air 2015, connect it to the internet, and then Apple will detect that there's an Apple ID assigned to that SSD's local account, and as long as you have access to that Apple ID, you can recover that password"

It's one of those answers.

 

[alexmartinpc]

You can arbitrarily give an Intel Mac any serial number you want

I don't really know if that's just aesthetic change or not, but that did not answer my question though. Read what you just quoted from me and tell me if you know the answer. Thank you!

 

[nathansz]

Mmm... not really, this scenario, which could perfectly be mine, is a yes or no question. As in:

"Yes, IF it is that you had an Apple ID linked to the local account of that SSD, hence linked to the original motherboard and its serial number, you mandatory need that original motherboard to recover the local account password via Apple ID because when you are in the Apple ID web and select "recover this MacBook Air password", it only communicates with the original motherboard"

In which case, the previous statement said here that "there is no linkage between the SSD and the original broken motherboard" would be false.

or...

"No, you can plug the original SSD into any random MacBook Air 2015, connect it to the internet, and then Apple will detect that there's an Apple ID assigned to that SSD's local account, and as long as you have access to that Apple ID, you can recover that password"

It's one of those answers.

The ssd has no identifier as far as Apple ID is concerned

The motherboard is the component of record

 

[nathansz]

I don't really know if that's just aesthetic change or not, but that did not answer my question though.

It’s not just an aesthetic change

And the machines in an iCloud account are identified by serial number (3 of them really) This is how it relates to you questions

 

[ThailandToo]

Sorry to the OP. Sucks these things happen. What I started doing is probably not secure enough. I started using that long string of code that is the FileVault password and storing it in an encrypted note. Have one note that’s password protected and encrypted for everything. Now, when I started it I didn’t specify exactly what password was for what Mac. For example I would write 15” MBP FileVault. But usually going through three or four of them I could get into a device if I had to. The other thing I did before that was took a photo of it. Not very secure. I spent two weeks going into my old photos libraries like in before iCloud and found a code I had done that for that has bitcoin on it. Worth the trouble at BTC $5 vs BTC $65k. It happens. I think the big thing is to remember there always needs to be a place can go to recover data and even hard copies of things which is less secure but losing data forever is worse if you live life by the book.

 

[alexmartinpc]

The ssd has no identifier as far as Apple ID is concerned

The motherboard is the component of record

Okay, so you are saying this is the correct statement?

"IF it is that you had an Apple ID linked to the local account of the original SSD, hence linked to the original motherboard and its serial number, you mandatory need that original motherboard to recover the local account password via Apple ID because when you are in the Apple ID web and select "recover this MacBook Air password", it only communicates with the original motherboard"

In other words, without the original motherboard (it's broken), you can not recover the local account password via Apple ID?

 

[MacCheetah3]

The ssd has no identifier as far as Apple ID is concerned

The motherboard is the component of record

Okay, so you are saying this is the correct statement?

"IF it is that you had an Apple ID linked to the local account of the original SSD, hence linked to the original motherboard and its serial number, you mandatory need that original motherboard to recover the local account password via Apple ID because when you are in the Apple ID web and select "recover this MacBook Air password", it only communicates with the original motherboard"

In other words, without the original motherboard (it's broken), you can not recover the local account password via Apple ID?

As @nathansz stated, the storage device doesn’t matter. Presumably, here’s all of what Apple’s servers need to know (with example):

Account > Device > Username
----------------------------------
johnny5@icloud.com > John’s MacBook Air > john
jane99@icloud.com > John’s MacBook Air > jane

So, if John needs to reset his macOS account password, he logs in iCloud, selects his MBA, then selects his username and follows the instructions to create a new password.

 

[nathansz]

Okay, so you are saying this is the correct statement?

"IF it is that you had an Apple ID linked to the local account of the original SSD, hence linked to the original motherboard and its serial number, you mandatory need that original motherboard to recover the local account password via Apple ID because when you are in the Apple ID web and select "recover this MacBook Air password", it only communicates with the original motherboard"

In other words, without the original motherboard (it's broken), you can not recover the local account password via Apple ID?

Mostly yes

It MAY BE possible, if you know the serial number and other identifiers of the original machine to assign then to a different motherboard and reset it that way

I don’t know if that would work but it would be worth a try if you happened to know those identifying numbers

But if you don’t know the password I’m guessing you don’t know those