Mac OS X 10.8.4’s Recovery HD removes ability to decrypt FileVault 2-encrypted Mac
To follow on to my earlier post about needing admin rights to decrypt FileVault 2 on Mac OS X 10.8.4, it appears that Mac OS X 10.8.4’s Recovery HD partition no longer can decrypt FileVault 2-encrypted Macs. If you boot from a 10.8.4 Recovery HD partition, you can unlock a FileVault 2-encrypted boot drive but you can’t decrypt it either from Disk Utility or the command line.
Update – June 11, 2013: It looks like you will need to unlock the encrypted volume first, then you will be able to decrypt it. See this post for details.
In Disk Utility’s File menu, Turn Off Encryption… is now grayed out. Unlock “Drive Name” is still an available option.
In Terminal, attempting to decrypt with diskutil with the following commands now results a The given UUID is not a CoreStorage Logical Volume UUID error.
diskutil cs revert UUID_here -stdinpassphrase
diskutil cs revert UUID_here -passphrase
diskutil corestorage revert UUID_here -recoveryKeychain /path/to/FileVaultMaster.keychain
Unlocking from the command line continues to work.
The fact that decrypting using the institutional keychain does not work is particularly worrying. To the best of my knowledge, the only way you can decrypt using the institutional keychain is by using Recovery HD or Internet Recovery. I’ve verified that booting from an alternate 10.8.4 boot drive gives the same behavior with regards to Disk Utility and the diskutil tool.
I’ve filed bugreports at bugreport.apple.com for these issues. For those who who want to submit duplicate bugs, they are bug IDs 14099380 and 14099359.
I’ve also posted the bug reports at Open Radar: