Unlock or decrypt your FileVault 2-encrypted boot drive from the command line
In addition to using Disk Utility, you can also use the command line to unlock or decrypt a FileVault 2-encrypted drive. In order to make sure it all works, I recommend that you use the Recovery HD partition or the Recovery HD partition cloned onto an external drive. See below the jump for the procedure.
To start with, you will need to identify the Logical Volume UUID of the encrypted drive using the diskutil corestorage list command:
diskutil corestorage list
Running that command will give you a listing of all Core Storage volumes. To help identify what you’re looking for, I’ve highlighted the UUID of the encrypted drive in this example:
Once you have the UUID, you can then either unlock or unencrypt the encrypted volume using the following commands.
Using the password of an authorized account on the command line
To unlock: diskutil corestorage unlockVolume UUID -stdinpassphrase
The -stdinpassphrase flag will cause the command to prompt you for the password/passphrase of an account that’s authorized to unlock the encryption.
If successful, the drive will unlock and mount. You should see output similar to that shown below.
Once you’ve unlocked the disk, you can then revert it back from being an encrypted volume.
To decrypt: diskutil corestorage revert UUID -stdinpassphrase
You’ll be prompted for the password/passphrase of an account that’s authorized to unlock the encryption. Once provided, decryption of the encrypted volume will begin.
To track its progress, you can use the diskutil corestorage list command. To help identify the decryption status, I’ve highlighted the relevant sections to check in the list.
Once the drive has been completely decrypted, it will no longer be listed as a CoreStorage volume by diskutil corestorage list. In Disk Utility, it should appear as a normal hard drive.
Using the FileVault 2-generated individual recovery key on the command line
If you don’t have the password of any of the authorized accounts and you are not using an institutional recovery key with FileVaultMaster.keychain, you can use the FileVault 2-generated individual recovery key instead. The commands are mostly the same, but instead of using the -stdinpassphrase flag, you instead use -passphrase and enter the recovery key.
To unlock: diskutil corestorage unlockVolume UUID -passphrase recoverykey
If successful, the drive will unlock and mount. You should see output similar to that shown below.
Once you’ve unlocked the drive, you should also be able to unencrypt it using this command: diskutil corestorage revert UUID -passphrase recoverykey
Using FileVaultMaster.keychain on the command line
At this time, it’s only possible to unlock or decrypt from the command line if you’re using a institutional recovery key that’s been set with FileVaultMaster.keychain. Here’s how you can unlock the encryption using an institutional recovery key with FileVaultMaster.keychain:
1. Copy your FileVaultMaster recovery keychain from the safe place your institution stored it in to a drive that you can access from Recovery HD.
2. Boot to the Recovery HD partition or the Recovery HD partition cloned onto an external drive.
3. Get the Logical Volume UUID of the encrypted drive by running diskutil corestorage list.
4. With the UUID information acquired, run the following command to unlock the FileVaultMaster.keychain:
security unlock-keychain /path/to/FileVaultMaster.keychain
Once this command is run, you’ll need to enter your institution’s Master Password when prompted. If the password is accepted, you’ll be taken to the next prompt.
5. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac:
diskutil corestorage unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
6. You should then see output similar to the following:
Started CoreStorage operation
Logical Volume successfully unlocked
Logical Volume successfully attached as disk4
Logical Volume successfully mounted as /Volumes/Macintosh HD
Core Storage disk: disk4
At this point, with the disk unlocked and mounted, you should be able to recover your data using whatever tools you prefer.
Once you’ve unlocked the disk, you can also then decrypt the encrypted volume by running the following command:
diskutil corestorage revert UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
Once it’s decrypted, you should have full access to your hard disk’s data.
Aww, the images, they be broken…
The images are loading for me. Please try reloading the page (or viewing from a different browser) and see if they’re showing up now.
Whoops, yes they’re loading for me now too. Weird.
Hi,
I am trying to decrypt the Filevault 2 volume. When I run “diskutil cs list”, it shows Logical Volume Group and Physical Volume UUID but it does not shows “Logical Volume UUID”…
sh-3.2# diskutil cs list
CoreStorage logical volume groups (1 found)
|
+– Logical Volume Group 237C72C9-59A0-4AA5-8FD2-D628B88B0E0F
=========================================================
Name: Mac OS X Lion
Sequence: 1
Free Space: 0 B (0 B)
|
+-< Physical Volume 7818D8D6-0DC0-48CC-B9B1-D7DB85DC3D99
—————————————————-
Index: 0
Disk: disk0s5
Status: Failed
Size: 278845444096 B (278.8 GB)
I am not able to find Logical Volume UUID… The filevault 2 enabled partition stopped booting suddenly …
Any ideas?
Thanks & Regards,
Karthikeyan
Karthikeyan,
From the diskutil output you’ve posted, it appears that your hard drive is having a problem. Is the FileVault 2 partition on its own separate hard drive, or is it on the same physical hard drive as another partition that’s working fine?
If the FileVault 2 partition is the only one on the hard drive, the drive may be suffering a hardware failure.
I have three partition on a single hard drive. The remaining two partition works fine. Filevault2 partition is on the same hard drive thats working fine.
sh-3.2# diskutil list
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_HFS Data 210.4 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
4: Apple_HFS Mac OS X Install ESD 9.2 GB disk0s4
5: Apple_CoreStorage 278.8 GB disk0s5
6: Apple_Boot Recovery HD 650.0 MB disk0s6
sh-3.2#
disk0s5 is the hard drive encrypted with Filevault2.
The Scenario happened was ” I created a standard user and rebooted the mac. Then I tried logging in directly from Standard user. It showed “No Parking Symbol error” after the apple logo. Then I rebooted the mac and logged in with Filevault enabled user but again the machine shows the same error after the apple logo…
Hi Karthikeyan ,
Were you able to solve your problem? as I am having the same problem and I really need to save my data . Thanks in advance.
Karthikeyan,
Unfortunately, I don’t have a good answer here. One thing that you may want to try (if you have not already) is running the following command to see if it can fix the partition:
sudo diskutil repairVolume disk0s5
If that doesn’t work, you’ll likely need to go to your backups.
I am getting many error. Is there any way to convert physical volume to logical volume in CoreStorage?
Thank you so much, rtrouton! I tried to convert an external drive to Core Storage and it seemed to be stuck at “Status: Checking”, with only a Logical Volume Group and a Physical Volume listed by diskutil cs list. So, no Logical Volume Family or Logical Volume. I already thought about erasing the disk, but
diskutil repairVolume
(where is a volume ID for the partition of type Apple_CoreStorage, such as disk0s5) triggered the actual conversion process. It immediately asked for the passphrase, and both the LVF and the LV are listed.
(Sorry, the first time I tried to post this I used angled brackets, which were filtered out)
Thank you so much, rtrouton! I tried to convert an external drive to Core Storage and it seemed to be stuck at “Status: Checking”, with only a Logical Volume Group and a Physical Volume listed by diskutil cs list. So, no Logical Volume Family or Logical Volume. I already thought about erasing the disk, but
diskutil repairVolume diskXsY
(where diskXsY is a volume ID for the partition of type Apple_CoreStorage, such as disk0s5) triggered the actual conversion process. It immediately asked for the passphrase, and both the LVF and the LV are listed.
Karthikeyan,
At this point, you may want to try booting from one of your Recovery HD partitions and see if you can use Disk Utility to unlock the encrypted volume then repair it. If that doesn’t work, the encrypted partition may be unrecoverable.
Thanks a lot for for posting this info. It was immensely valuable in helping me recover data from a Filevault 2 disk with a bad partition table due to bad sectors. Quick summary of what I did:
1) clone bad disk with GNU ddrescue
2) diskutil corestorage list
3) diskutil corestorage unlockVolume UUID -stdinpassphrase
4) diskutil corestorage revert disk[123]
5) run disk warrior to rebuild directory structure and repair file permissions
I am having the same problem, and want to try exactly this, but where you typed in “diskutil corestorage unlockVolume UUID -stdinpassphrase”, where did you get the UUID? From your OP, and from what I’m seeing on my end, I don’t see a UUID for the logical volume, just the group and physical disk, which it won’t accept for unlocking.
Can you please run the following command and then paste the output into a new comment?:
diskutil corestorage list
Thanks,
Rich
I think your procedure can help me , i hope you have email notifications on and help me with the only step i cant do #1 Clone bad disk with gnu ddrescue
Kevin,
I have a post on installing and using ddrescue available here:
http://derflounder.wordpress.com/2012/01/31/using-ddrescue-on-a-failing-hard-drive/
Very useful collection of information. Thank you.
I have the same problem (and the same question). Here is my diskutil cs list:
CoreStorage logical volume groups (1 found)
|
+– Logical Volume Group A779418C-8E16-4ED3-842B-E91417BD863B
=========================================================
Name: System
Sequence: 1
Free Space: 0 B (0 B)
|
+-< Physical Volume 1EF3E032-B8FF-41B7-BD98-6E7AE3B5F9A3
—————————————————-
Index: 0
Disk: disk1s2
Status: Failed
Size: 749295239168 B (749.3 GB)
And my diskutil list (I have two identical drives, the one with the OS failed, so I installed lion on the other drive to try and repair the other):
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *750.2 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_HFS Macintosh HD 749.3 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *750.2 GB disk1
1: EFI 209.7 MB disk1s1
2: Apple_CoreStorage 749.3 GB disk1s2
3: Apple_Boot Recovery HD 650.0 MB disk1s3
Thanks so much for this. Bookmarked, and was very useful.
Thanks for this post. This saved me after a failed installation of Mountain Lion, which caused my MBPro encrypted disk to appear faulty. I tried reinstalling Lion (from USB and from Apple – using CommandR sequence) but it kept ion failing. Only after I decrypted the drive using the commands from this post – my MBPro came back to life. Thanks again
Another way to do it, even if you don’t have the password of the encrypted disk, is to “diskutil zeroDisk — “. That way the disk will be wiped clean and is ready for new partitioning
Thanks
after two hours of trying everything else I noticed your post and your suggestion worked perfectly
Just wanted to say thanks for your article. This saved my hard drive. My backup hd was encrypted as a time machine backup. I knew the pw but each time I entered it the hd would not appear to unlock through the gui interface (the pw entry box would become unselectable indefinitely). I used this function diskutil corestorage unlockVolume UUID -stdinpassphrase to unlock the disk. It allowed me to unlock the disk and then attached it the computer as disk2 but it wouldn’t mount. Even so I was able to use this to unlock the disk and then access the files. Thanks very much.
In an attempt to be clever, I recently formatted a new blank drive as Encrypted using Disk Utility. I chose a password, which I know. I then cloned my old boot drive to this encrypted drive – this way I both copied all the data AND encrypted it at the same time. I don’t believe I was ever shown the long “recovery key” I only have the password. Is there any way to retrieve the recovery key? I’m a bit nervous only having the password and not the recovery key. Should I be? Thanks much!
Casey,
When you encrypt a non-boot volume (which is the method you encrypted your disk with before cloning your OS to it) there is no recovery key, only the password. There is no way to add a recovery key after you encrypt, so your password is the only way to unlock your drive.
I strongly recommend decrypting your drive, restarting, then re-encrypting your boot volume using the standard FileVault 2 encryption tools. When you re-encrypt, a recovery key will be generated.
Thank you for that information!
I know I will not forget the password I used. Is there any other reason I should decrypt and re-encrypt it as you suggest? I’d prefer not to, partly because before using the technique I did I had a problem where it finished encrypting then said there was an error and I could neither encrypt nor decrypt it! I actually had to use command line techniques like you showed here to unlock the drive so I could reformat it again.
Casey,
The recovery key is there as a backup in case your password is not accepted to unlock the encryption.
If you choose to go on without having that backup, it’s your right to run your Mac as you see fit. I would not make or endorse that choice for my own Macs.
excellent information here. rare gem
Hi, I recently encrypted my hard drive. I’m not even sure how I did it, every time i try to access it to try and remove the encryption it denies entry. I have no de-cryption software ect ect and i really need advice on how to get rid of my problem; also it doesn’t allow me to save anything therefore i cant download anything.
This thread is a close as I could come to finding a solution. I used disc utility to encrypt a external HDD. During the encryption, the drive unmounted, I think due to the cable to the drive being bumped. It then tried to mount and would not. The passphrase would not work either. I have data on it. I ran the diskutil corestorage list and is copied in below. It still says it is converting and there is no disk activity.
+– Logical Volume Group 7CD6AAEC-F256-48E6-B72E-73F0228BE071
=========================================================
Name: WD Red
Size: 2000054960128 B (2.0 TB)
Free Space: 16777216 B (16.8 MB)
|
+- Logical Volume Family 7B8E9717-5D59-4D6E-B247-6B36B43B9805
———————————————————-
Encryption Status: Locked
Encryption Type: AES-XTS
Conversion Status: Converting
Conversion Direction: forward
Has Encrypted Extents: Yes
Fully Secure: No
Passphrase Required: Yes
|
+-> Logical Volume 36D7C1A4-F013-4F8E-9B5E-8B65D0C3C61D
—————————————————
Disk: -none-
Status: Locked
Size (Total): 1999719411712 B (2.0 TB)
Size (Converted): -none-
Revertible: Yes (unlock and decryption required)
LV Name: WD Red
Content Hint: Apple_HFS
hi im having a huge issue i need resolving… i just bought a new solidstae hard disk to put in my MBP. now i bought the rack replacement for my dvdrw drive and put my 500gb in it.works like a charm.. now the issue is that i started deleting files from mt 500gb and transfering the required to the new solidstate.. finally wanted to format the 500gb and cant because of the filevault security… it will not allow me to unmount the drive… please advise as ive lost my key (i know i bad for loosing the key) and i cant unmount the 500gb for me to format… please advise
jp
Jean-Paul,
Is the drive mounting? I’m asking because you’re referencing being unable to unmount the drive.
If it’s mounting, it’s getting the authentication credentials needed to mount from somewhere. Are you entering a password before it mounts, or do you have a password stored in your login keychain?
If you have the password available, you can decrypt the drive using that password by following the instructions in the “Using the password of an authorized account on the command line” section of this post.
Hi rtrouton… thanks for the response but i got another thread from another site and its all good now… thanks a lot… have a happy holidays
jp
Hi guys,
I was wondering if you could perhaps give me a hand… My problem is very similar to some of those mentioned before. What happened is after my Mac failed to boot from the CS partition (grey Apple logo taking forever) I did boot into the internet recovery. Now what is happening with the diskutil is that:
diskutil cs list showing only the LVG and PV (no LV)
diskutil repairVolume failing with POSIX error
Is there some other way I can perhaps follow?
Thanks!
Jan
JanC,
If you can unlock the volume in Disk Utility, I’d recommend you try DiskWarrior 4.4. DiskWarrior 4.4 is able to work with CoreStorage volumes and may be able to fix the problem.
If that does not work, a colleague of mine has reported success with using Data Rescue 3 to recover files from an unlocked encrypted drive.
i had file vault on my android phone..i formatd my phone and nw i jst hav the encripted file..how to decript it..please help..
Vinit,
Unfortunately, this post has nothing to do with the FileVault software available on Android devices. This is for Apple’s FileVault 2 encryption on Macs.
Oh god i’ve finally found some light to my problem(for that i thank you rtrouton) , unfurtunately not my solution. Maybe you can or somebody can help or give me any idea.
I got a 500 gb HDD with only one partition ( or so it seems because Recovery partition never showed up with my installation of lion) obviously this partition with turned on Filevault 2 and just couple of days ago when i started it up after it turns on ,show me my profile and guest one , ask for my password and show apple logo it gives me the error sign of death.
So after some research i came with all the bad implications of have filevault turned on, one of them the difficulty to solve boot problems!
So i came up with your blog entry and after reading all of it and the comments ive got the same problem as a few other “above” friends , and using an external
usb flash memory with a fresh 10.7.5 installation using the terminal i got that :
diskutil cs list showing only the Logical Volume Group and Physical Volume (no Logical Volume )
CoreStorage logical volume groups (1 found)
|
+– Logical Volume Group 47994043-7CFE-4295-9034-01327C59EF65
=========================================================
Name: Kevin HDD
Sequence: 1
Free Space: 0 B (0 B)
|
+-< Physical Volume E78C8767-6489-454C-9D93-0FEC29160F82
—————————————————-
Index: 0
Disk: disk0s2
Status: Failed
Size: 499248005120 B (499.2 GB)
———————————————————————————————————————
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_CoreStorage 499.2 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
So i cant get the logical volume UUID to perform the unlocking of my filevault image!
Tho i cant use a recovery partition i can perfectly use the guest account in the HDD
With an SMART status utility i now that there are some damaged sectors and errors on my HDD ( http://cl.ly/Md5s )
I tried to clone and repair the partition on my HDD with my valuable data but im not a experiences user and i cant follow properly this user advice
"E.T.
Thanks a lot for for posting this info. It was immensely valuable in helping me recover data from a Filevault 2 disk with a bad partition table due to bad sectors. Quick summary of what I did:
1) clone bad disk with GNU ddrescue
2) diskutil corestorage list
3) diskutil corestorage unlockVolume UUID -stdinpassphrase
4) diskutil corestorage revert disk[123]
5) run disk warrior to rebuild directory structure and repair file permissions"
(I cant install GNU ddrescue and i cant get my proper UUID to unlock disk)
Any idea or ami lost? i wish ive never turned on file vault and theres some valuable data that i cant loose.
Thanks for reading me.
Correction i do have working recovery partition on my HDD but still cant get to retrieve logical volume UUDID
What I can’t understand is how to get to the command prompt when the hard drive does not boot? So I can do all these procedures?