Unlock or decrypt an encrypted APFS boot drive from the command line
As part of working with Apple File System (APFS) volumes, it may be necessary to decrypt a boot drive using APFS’s native encryption in order to fix a problem. To decrypt an encrypted APFS boot drive from the command line, you will need to do the following:
- Identify the relevant encrypted APFS volume
- Unlock the encrypted APFS volume
- Decrypt the encrypted APFS volume
For more details, see below the jump.
Identifying the encrypted APFS volume
A necessary prerequisite to unlocking APFS encryption is identifying the correct encrypted volume. To do this, open Terminal and run the following command:
diskutil apfs list
Running the specified diskutil command will give you a listing of all APFS containers and volumes. To help identify what you’re looking for, I’ve highlighted the identifier of the encrypted APFS volume in this example:
Unlocking the encrypted APFS volume
If you have access to the password of one of the enabled accounts on the encrypted APFS volume, you can unlock the volume using the command shown below. You will be prompted to provide the password.
diskutil apfs unlockVolume /dev/apfs_volume_id_here
You should then see output similar to the following:
If you have access to the personal recovery key associated with the encrypted APFS volume, you can unlock the volume using the command shown below. You will need to provide the recovery key as part of the command.
diskutil apfs unlockVolume /dev/apfs_volume_id_here -passphrase recovery_key_goes_here
You should then see output similar to the following:
If using an institutional recovery key, you can unlock the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from Recovery HD or from Internet Recovery. Here’s how to do this:
1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.
2. Boot to Recovery HD.
3. Open Terminal.
4. Get the APFS volume ID of the encrypted drive by running the following command:
diskutil apfs list
5. With the APFS volume ID information acquired, run the following command to unlock the FileVaultMaster.keychain:
security unlock-keychain /path/to/FileVaultMaster.keychain
Once this command is run, you’ll need to enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.
6. Run the following command to unlock the encrypted APFS volume on the encrypted Mac:
diskutil apfs unlockVolume /dev/apfs_volume_id_here -recoverykeychain /path/to/FileVaultMaster.keychain
You should then see output similar to the following:
Decrypting the encrypted APFS volume
Update 12-31-2017: The procedure used for decryption has changed as of macOS 10.13.2. For more details, please see the link below:
Once the drive has been unlocked, you can then decrypt the APFS volume using the command shown below:
diskutil apfs decryptVolume /dev/apfs_volume_id_here
You should then see output similar to the following:
As long as you are using root or admin privileges, no additional authentication is required to decrypt an unlocked encrypted volume. However, if you try to decrypt while logged in as a standard user, the diskutil tool will ask for admin authorization.
If the needed admin authorization is not provided, diskutil will halt at that point and give an insufficient privileges error.
Monitoring decryption
You can monitor decryption of the APFS volume from the command line by running the following command:
diskutil apfs list
Note: Unlike previous OSs, it is possible on macOS High Sierra to completely decrypt an encrypted APFS drive while booted from Recovery HD.
You can also monitor decryption via the following means:
1. Boot from the decrypting drive.
2. Open System Preferences
3. Open the Security & Privacy preference pane
4. Click the FileVault tab
5. View the current decryption status
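To check the state described in the identification and monitoring steps without reading the whole listing by eye, the following added example (not part of the original post) condenses `diskutil apfs list` text to one line per volume. The field labels it matches ("FileVault:" or "Encrypted:", "Decryption Progress:", "(Locked)", "(Paused)") and the sample listing are assumptions constructed for illustration; compare them with the output of your macOS version.

```shell
#!/bin/sh
# Added example. ASSUMED labels: "FileVault:"/"Encrypted:", "... Progress:",
# "(Locked)", "(Unlocked)", "(Paused)". Verify against your macOS version.

# Constructed sample in the assumed layout (not captured from a real Mac).
sample_apfs_list() {
cat <<'EOF'
+-- Container disk1 00000000-0000-0000-0000-0000000000C1
    +-> Volume disk1s1 00000000-0000-0000-0000-0000000000A1
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Decryption Progress:       22.0% (Paused)
    |
    +-> Volume disk1s2 00000000-0000-0000-0000-0000000000A2
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   FileVault:                 No
    |
    +-> Volume disk1s3 00000000-0000-0000-0000-0000000000A3
        APFS Volume Disk (Role):   disk1s3 (No specific role)
        FileVault:                 Yes (Locked)
EOF
}

# stdin: `diskutil apfs list` text. stdout: "<volume> <state> <percent> <note>".
apfs_crypto_summary() {
  awk '
    function emit() { if (vol != "") print vol, state, pct, note }
    /\+-> Volume / {                      # a new volume block starts here
      emit(); state = "unknown"; pct = "-"; note = "-"
      for (i = 1; i < NF; i++) if ($i == "Volume") vol = $(i + 1)
      next
    }
    vol == "" { next }                    # ignore container header lines
    /^[ |]*(FileVault|Encrypted):/ && state == "unknown" {
      if ($0 ~ /: *No/) state = "unencrypted"
      else if ($0 ~ /\(Locked\)/) state = "locked"
      else if ($0 ~ /\(Unlocked\)/) state = "unlocked"
    }
    /^[ |]*(Decryption|Encryption) Progress:/ {   # conversion in flight wins
      state = ($0 ~ /Decryption/) ? "decrypting" : "encrypting"
      for (i = 1; i <= NF; i++) if ($i ~ /%$/) pct = $i
      if ($0 ~ /\(Paused\)/) note = "paused"
    }
    END { emit() }
  '
}

# Volumes whose encryption or decryption is reported as paused.
apfs_paused_volumes() { apfs_crypto_summary | awk '$4 == "paused" { print $1 }'; }

# On a Mac: diskutil apfs list | apfs_crypto_summary
sample_apfs_list | apfs_crypto_summary
```

A volume that still reports `locked` has to be unlocked before decryptVolume is attempted, and a `paused` note means the percentage will not advance on its own.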
I have a drive removed from a family member’s Mac that was running High Sierra, and was very likely encrypted with FileVault 2. I have the passcode. The Mac failed due to water damage. I pulled the SSD and put it into an OWC enclosure. When I do a diskutil list I only see (for that device)
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: *0 B disk3
I am trying to determine if it is actually damaged, or if it’s not showing more info due to encryption. Attempts to use a partition command results in “Wiping volume data to prevent future accidental probing failed.”
diskutil list cs shows no CoreStorage volumes as expected (since it was at 10.13). diskutil list apfs shows only the container group for my own Mac, and does not show a second.
Should I try something else, or would you guess this device is toast?
Thanks very much!
My decryption has paused unable to restart Mac to login-no password. How do I recommence decryption from terminal via recovery option?
Mac 10.13.1 APFS
That is a good question. I am having the same issue.
Decrypting seems to require a passphrase. How do you use the institutional key?
Hello, my password is not being recognized even though I know for sure it is correct. Is there anything I can do or do I have to erase?
I use “diskutil unlockvolume diskname” and type in what is for sure my password and I get an error “Passphrase incorrect or user does not exist”
Hi I’m trying to unlock an encrypted external disk that does not have user data on it – it is used purely for storage. How can I unlock using my account password? My account is an admin account and I believe I’m listed as the owner of the drive. I have the UUID information for the disk but no encryption password. Please let me know, thanks!
My volume is unlocked and I’m in recovery mode. When I started to decrypt it I get an error saying that it’s already encrypting or decrypting (-69573). Also I can’t boot or login normally. Should I just wait or is there something else I need to do? Thank you, your page has been very helpful.
Also when I check to see how far along it is, it says 10% and that it is paused.
I have the same problem as Alex.
But my encryption progress is 22% and paused.
How can I continue?
Open terminal, and invoke the encryption/decryption process by typing:
/usr/libexec/apfsd (for apfs file system)
/usr/libexec/corestoraged (for others)
Thank you so much! After trying to update from Mojave to Big Sur, the update went wrong. The laptop won’t boot and I could not unlock the disk in the recovery mode (I am using a qwertz keyboard and the password contained special characters). Unfortunately one cannot access the terminal in recovery mode, so I put the laptop in Target Disk Mode and connected it to another laptop. Using your instructions I could decrypt the laptop, after which I could run the recovery utilities and solve the issue. Thank you!
After loads of faffing around with disk utility and terminal I finally found something that worked. I am installing a new ssd drive in a macpro. I kept getting disk locked message. This is because there are not enough partitions on the new disc. I partitioned the new drive into 3 sections. One for the install disc one for the new installation on the mac pro and the remainder was about 900mb. You could muck about and estimate what you need. I used install disc creator for the install disc, this worked well once I had figured out what was going on. Hope this helps.
Hi there!
To decrypt your hackintosh’s drive – you have two options.
FIRST WAY:
You need to install FileVault drivers into your EFI configuration, use this instruction below!
https://ihackline.com/2020/10/05/filevault-hackintosh/
You have to make some changes to ENABLE natively FileVault on hackintosh to use your drive encryption normally.
SECOND WAY:
USE your RECOVERY partition to start decrypting process.
0) BOOT INTO RECOVERY PARTITION (cmd+R when booting) or load into clean system from external drive:
1) open terminal from recovery utilities
2) FOR APFS DRIVE type:
/usr/libexec/apfsd
OR TRY THAT!
sudo /usr/libexec/apfsd
FOR HFS DRIVE:
/usr/libexec/corestoraged
OR TRY THAT!
sudo /usr/libexec/corestoraged
3) TO RESUME/START decrypt/encrypt SERVICE of your drive:
OPEN NEW terminal’s window.
4) TYPE:
diskutil apfs list
see your main drive number “disk0s0” (for example) and remember its UUID
5) TYPE:
diskutil apfs listcryptousers /dev/disk0s0
(replace disk0s0 with your drive partition)
see your username
6) TYPE:
diskutil apfs decryptVolume /dev/disk0s0 -user uuid_goes_here -passphrase 1234567890
Remember!
“1234567890” – replace with your password of user
“uuid_goes_here” – replace with your UUID of your drive
“disk0s0” – replace with your correct drive partition
7) Check your decrypting status:
diskutil apfs list
P.S. Decryption will be very long. Even if it’s an SSD. Most importantly, check that the decryption percentages are slowly but increasing.
Good luck!