Home > Apple File System, FileVault 2, Mac administration, macOS > Unlock or decrypt an encrypted APFS boot drive from the command line

Unlock or decrypt an encrypted APFS boot drive from the command line

As part of working with Apple File System (APFS) volumes, it may be necessary to decrypt a boot drive using APFS’s native encryption in order to fix a problem. To decrypt an encrypted APFS boot drive from the command line, you will need to do the following:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. Decrypt the encrypted APFS volume

For more details, see below the jump.

Identifying the encrypted APFS volume

A necessary pre-requisite to unlocking APFS encryption is to identify the correct encrypted volume. To do this, open Terminal and run the following command:

diskutil apfs list

Running the specified diskutil command will give you a listing of all APFS containers and volumes. To help identify what you’re looking for, I’ve highlighted the identifier of the encrypted APFS volume in this example:

Screen Shot 2017 10 16 at 4 34 25 PM

Unlocking the encrypted APFS volume

If you have access to the password of one of the enabled accounts on the encrypted APFS volume, you can unlock using the command shown on the screen. You will be prompted to provide the password.

diskutil apfs unlockVolume /dev/apfs_volume_id_here

Screen Shot 2017 11 03 at 11 38 05 PM

You should then see output similar to the following:

Screen Shot 2017 11 03 at 11 45 30 PM

If you have access to the personal recovery key associated with the encrypted APFS volume, you can unlock using the command shown on the screen. You will need to provide the recovery key as part of the command.

diskutil apfs unlockVolume /dev/apfs_volume_id_here -passphrase recovery_key_goes_here

Screen Shot 2017 11 03 at 11 37 46 PM

You should then see output similar to the following:

Screen Shot 2017 11 03 at 11 48 19 PM

If using an institutional recovery key, you can unlock the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from Recovery HD or from Internet Recovery. Here’s how to do this:

1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.

2. Boot to Recovery HD.

Screen Shot 2017 11 03 at 10 53 20 PM

3. Open Terminal.

Screen Shot 2017 11 03 at 10 53 50 PM

4. Get the APFS volume ID of the encrypted drive by running the following command:

diskutil apfs list

Screen Shot 2017 11 03 at 10 51 10 PM

5. With the APFS volume ID information acquired, run the following command to unlock the FileVaultMaster.keychain:

security unlock-keychain /path/to/FileVaultMaster.keychain

Once this command is run, you’ll need to enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.

Screen Shot 2017 11 03 at 10 58 03 PM

6. Run the following command to unlock the encrypted APFS volume on the encrypted Mac:

diskutil apfs unlockVolume /dev/apfs_volume_id_here -recoverykeychain /path/to/FileVaultMaster.keychain

You should then see output similar to the following:

Screen Shot 2017 11 03 at 10 59 52 PM

Decrypting the encrypted APFS volume


Update 12-31-2017: The procedure used for decryption has changed as of macOS 10.13.2. For more details, please see the link below:

https://derflounder.wordpress.com/2017/12/31/decrypting-an-apfs-encrypted-volume-using-diskutil-on-macos-10-13-2/


Once the drive has been unlocked, you can then decrypt the APFS volume using the command shown below:

diskutil apfs decryptVolume /dev/apfs_volume_id_here

Screen Shot 2017 11 03 at 11 24 49 PM

You should then see output similar to the following:

Screen Shot 2017 11 03 at 11 02 23 PM
As long as you are using root or admin privileges, no additional authentication is required to decrypt an unlocked encrypted volume. However, if you try to decrypt while logged in as a standard user, the diskutil tool will ask for admin authorization.

Diskutil apfs decryptVolume standard user needs admin rights

If the needed admin authorization is not provided, diskutil will halt at that point and give an insufficient privileges error.

Diskutil apfs decryptVolume insufficient privileges

Monitoring decryption

You can monitor decryption of the APFS volume from the command line by running the following command:

diskutil apfs list

Screen Shot 2017 11 03 at 11 03 45 PM

Note: Unlike previous OSs, it is possible on macOS High Sierra to completely decrypt an encrypted APFS drive while booted from Recovery HD.

You can also monitor decryption via the following means:

1. Boot from the decrypting drive.
2. Open System Preferences
3. Open the Security & Privacy preference pane

Screen Shot 2017 11 03 at 11 10 27 PM

4. Click the FileVault tab

Screen Shot 2017 11 03 at 11 10 20 PM

5. View the current decryption status

Screen Shot 2017 11 03 at 11 10 32 PM

  1. Dean Norton
    November 14, 2017 at 4:51 pm

    I have a drive removed from a family member’s Mac that was running High Sierra, and was very likely encrypted with Filevault 2. I have the passcode. The Mac failed due to water damage. I pulled the SSD and put it into an OWC enclosure. When I do a diskutil list I only see (for that device)

    /dev/disk3 (external, physical):
    #: TYPE NAME SIZE IDENTIFIER
    0: *0 B disk3

    I am trying to determine if it is actually damaged, or if its not showing more info due to encryption. Attempts to use a partition command results in “Wiping volume data to prevent future accidental probing failed.”

    diskutil list cs shows no CoreStorage volumes as expected (since it was at 10.13). diskutil list apfs shows only the container group for my own Mac, and does not show a second.

    Should I try something else, or would you guess this device is toast?

    Thanks very much!

  2. Bill
    November 28, 2017 at 10:34 am

    My decryption has paused unable to restart Mac to login-no password. How do I recommence decryption from terminal via recovery option?

    Mac 10.13.1 APFS

    • Wagner
      December 13, 2017 at 6:50 pm

      That is a good question. I am having same issue.

  3. Donald
    December 15, 2017 at 4:10 pm

    Decrypting seems to require a passphase. How do you use the institutional key?

  4. Olga
    December 15, 2017 at 9:11 pm

    Hello, my password is not being recognized even though I know for sure it is correct. Is there anything I can do or do I have to erase?
    I use “diskutil unlockvolume diskname” and type in what is for sure my password and I get an error “Passphrase incorrect or user does not exist”

  5. CD
    February 20, 2018 at 7:02 pm

    Hi I’m trying to unlock an encrypted external disk that does not have user data on it – it is used purely for storage. How can I unlock using my account password? My account is an admin account and I believe I’m listed as the owner of the drive. I have the UUID information for the disk but no encryption password. Please let me know, thanks!

  6. Alex Holbert
    November 8, 2018 at 5:30 am

    My volume is unlocked and I’m in recovery mode when I started to decrypt it I get a error saying that it’s already encrypting or decrypting (-69573). Also I can’t boot or login normally . Should I just wait or is there something else I need to do? Thank you your page has been very helpful

  7. November 8, 2018 at 5:41 am

    Also when I check to see how far along it is. It says 10% and that it is paused

  8. Betyár Gábor
    November 8, 2018 at 8:53 pm

    I have the same problem like Alex.
    But my encrypttion progresss is 22% and paused.
    How can i continue?

  9. Tuomo
    September 28, 2019 at 2:31 am

    Open terminal, and invoke the encryption/decryption process by typing:

    /usr/libexec/apfsd (for apfs file system)
    /usr/libexec/corestoraged (for others)

  10. da.zu.spot@gmail.com
    December 4, 2020 at 6:43 am

    Thank you so much! after trying to update from Mojave to Bigsur, the update went wrong. The laptop wont boot and I could not unlock the disk in the recovery mode ( I am using a qwertz keyboard and the password contained special characters). Unfortunately one cannot access the terminal in recovery mode, so I put the laptop in Targetdisk mode and connect it to another laptop. Using your instructions I could decrypt the laptop, after I could run the recovery utilities and solve the issue. Thank you!

  11. Glencoe
    December 4, 2020 at 4:17 pm

    After loads of faffing around with disk utility and terminal I finally found something that worked. I am installing a new ssd drive in a macpro. I kept getting disk locked message. This is because there are not enough partitions on the new disc. I partitioned the new drive into 3 sections. One for the install disc one for the new installation on the mac pro and the remainder was about 900mb. You could muck about and estimate what you need. I used install disc creator for the install disc, this worked well once I had figured out what was going on. Hope this helps.

  12. georgefetcher
    May 13, 2021 at 3:55 pm

    Hi there!

    To decrypt your hackintosh’s drive – you have two options.

    FIRST WAY:

    You need install FileVault drivers into your EFI configuration, use this instruction below!
    https://ihackline.com/2020/10/05/filevault-hackintosh/
    You have to made some changes to ENABLE natively FileVault on hackintosh to use your drive encryption normally.

    SECOND WAY:

    USE your RECOVERY partition to start decrypting process.

    0) BOOT INTO RECOVERY PARTITION (cmd+R when booting) or load into clean system from external drive:

    1) open terminal from recovery utilities

    2) FOR APFS DRIVE type:

    [CODE]/usr/libexec/apfsd[/CODE]
    OR TRY THAT!
    [CODE]sudo /usr/libexec/apfsd[/CODE]

    FOR HFS DRIVE:

    [CODE]/usr/libexec/corestoraged[/CODE]
    OR TRY THAT!
    [CODE]sudo /usr/libexec/corestoraged[/CODE]

    3) TO RESUME/START decrypt/encrypt SERVICE of your drive:
    OPEN NEW terminal’s window.

    4) TYPE:
    [CODE]diskutil apfs list[/CODE]

    see your main drive number “disk0s0” (for example) and remember its UUID

    5) TYPE:
    [CODE]diskutil apfs listcryptousers /dev/disk0s0[/CODE]
    (replace disk0s0 with your drive partition)

    see your username

    6) TYPE:
    [CODE]diskutil apfs decryptVolume /dev/disk0s0 -user uuid_goes_here -passphrase 1234567890[/CODE]

    Remember!
    “1234567890” – replace with your password of user
    “uuid_goes_here” – replace with your UUID of your drive
    “disk0s0” – replace with your correct drive partition

    7) Check your decrypting status:
    [CODE]diskutil apfs list[/CODE]

    P.S. Decryption will be very long. Even if it’s an SSD. Most importantly, check that the decryption percentages are slowly but increasing.

    Good luck!

  13. georgefetcher
    May 13, 2021 at 3:56 pm

    Hi there!

    To decrypt your hackintosh’s drive – you have two options.

    FIRST WAY:

    You need install FileVault drivers into your EFI configuration, use this instruction below!
    https://ihackline.com/2020/10/05/filevault-hackintosh/
    You have to made some changes to ENABLE natively FileVault on hackintosh to use your drive encryption normally.

    SECOND WAY:

    USE your RECOVERY partition to start decrypting process.

    0) BOOT INTO RECOVERY PARTITION (cmd+R when booting) or load into clean system from external drive:

    1) open terminal from recovery utilities

    2) FOR APFS DRIVE type:

    /usr/libexec/apfsd
    OR TRY THAT!
    sudo /usr/libexec/apfsd

    FOR HFS DRIVE:

    /usr/libexec/corestoraged
    OR TRY THAT!
    sudo /usr/libexec/corestoraged

    3) TO RESUME/START decrypt/encrypt SERVICE of your drive:
    OPEN NEW terminal’s window.

    4) TYPE:
    diskutil apfs list

    see your main drive disk0s0 (for example) and write its UUID

    5) TYPE:
    diskutil apfs listcryptousers /dev/disk0s0

    see your username

    6) TYPE:
    diskutil apfs decryptVolume /dev/disk0s0 -user uuid_goes_here -passphrase 1234567890

    Remember!
    “1234567890” – is your password of user
    “uuid_goes_here” – UUID of your drive
    “disk0s0” – your drive partition

    7) Check your decrypting status:
    diskutil apfs list

    P.S. Decryption will be very long. Even if it’s an SSD. Most importantly, check that the decryption percentages are slowly but increasing.

    Good luck!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: