
Unlock or decrypt an encrypted APFS boot drive from the command line

As part of working with Apple File System (APFS) volumes, it may be necessary to decrypt a boot drive that uses APFS’s native encryption in order to fix a problem. To decrypt an encrypted APFS boot drive from the command line, you will need to do the following:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. Decrypt the encrypted APFS volume

For more details, see below the jump.

Identifying the encrypted APFS volume

A necessary prerequisite to unlocking APFS encryption is to identify the correct encrypted volume. To do this, open Terminal and run the following command:

diskutil apfs list

Running the specified diskutil command will give you a listing of all APFS containers and volumes. To help identify what you’re looking for, I’ve highlighted the identifier of the encrypted APFS volume in this example:

[Screenshot: diskutil apfs list output with the encrypted APFS volume's identifier highlighted]

Unlocking the encrypted APFS volume

If you have access to the password of one of the enabled accounts on the encrypted APFS volume, you can unlock the volume using the command shown below. You will be prompted to provide the password.

diskutil apfs unlockVolume /dev/apfs_volume_id_here


You should then see output similar to the following:

[Screenshot: command output]

If you have access to the personal recovery key associated with the encrypted APFS volume, you can unlock the volume using the command shown below. You will need to provide the recovery key as part of the command.

diskutil apfs unlockVolume /dev/apfs_volume_id_here -passphrase recovery_key_goes_here


You should then see output similar to the following:

[Screenshot: command output]
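The -passphrase form above puts the recovery key on the command line, where it is saved in shell history and is visible in the process list while diskutil runs. The script below is an added example, not part of the original post: it checks the volume identifier and the key format, then sends the key on standard input using diskutil's -stdinpassphrase option (taken from the diskutil man page, not from this article; confirm it on your macOS version). The function names and the DISKUTIL override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): unlock an APFS volume with a
# personal recovery key sent on stdin, so the key never appears in argv.
LC_ALL=C; export LC_ALL             # byte-exact [A-Z] ranges in the patterns below
DISKUTIL="${DISKUTIL:-diskutil}"    # hypothetical override, for testing off-macOS

# Accept only volume identifiers of the form diskNsM or /dev/diskNsM.
valid_volume_id() {
    rest="${1#/dev/}"
    case "$rest" in disk*) rest="${rest#disk}" ;; *) return 1 ;; esac
    case "$rest" in
        *[!0-9s]*|*s*s*|s*|*s) return 1 ;;   # stray characters, or empty N or M
        *s*) return 0 ;;
    esac
    return 1                                 # no slice part: not a volume
}

# Personal recovery key: six hyphen-separated groups of four A-Z/0-9 characters.
valid_recovery_key() {
    g='[A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9]'
    case "$1" in $g-$g-$g-$g-$g-$g) return 0 ;; esac
    return 1
}

# Prompt on stderr and read one line; echo is disabled only on a terminal.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        trap 'stty echo; exit 130' INT TERM
        stty -echo; IFS= read -r secret; stty echo
        trap - INT TERM; printf '\n' >&2
    else
        IFS= read -r secret
    fi
    printf '%s' "$secret"
}

unlock_with_recovery_key() {
    valid_volume_id "$1" || { echo "refusing: not a diskNsM identifier" >&2; return 2; }
    valid_recovery_key "$2" || { echo "refusing: malformed recovery key" >&2; return 3; }
    # printf is a shell builtin, so the key goes into the pipe without ever
    # being placed on a process command line.
    printf '%s\n' "$2" | "$DISKUTIL" apfs unlockVolume "$1" -stdinpassphrase
}

# Usage: sh unlock-apfs.sh /dev/disk1s1   (the key is then prompted for)
if [ "$#" -eq 1 ]; then
    key=$(read_secret "Personal recovery key: ") && unlock_with_recovery_key "$1" "$key"
fi
```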

If using an institutional recovery key, you can unlock the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from Recovery HD or from Internet Recovery. Here’s how to do this:

1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.

2. Boot to Recovery HD.


3. Open Terminal.


4. Get the APFS volume ID of the encrypted drive by running the following command:

diskutil apfs list


5. With the APFS volume ID information acquired, run the following command to unlock the FileVaultMaster.keychain:

security unlock-keychain /path/to/FileVaultMaster.keychain

Once this command is run, you’ll need to enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.


6. Run the following command to unlock the encrypted APFS volume on the encrypted Mac:

diskutil apfs unlockVolume /dev/apfs_volume_id_here -recoverykeychain /path/to/FileVaultMaster.keychain

You should then see output similar to the following:

[Screenshot: command output]

Decrypting the encrypted APFS volume


Update 12-31-2017: The procedure used for decryption has changed as of macOS 10.13.2. For more details, please see the link below:

https://derflounder.wordpress.com/2017/12/31/decrypting-an-apfs-encrypted-volume-using-diskutil-on-macos-10-13-2/


Once the drive has been unlocked, you can then decrypt the APFS volume using the command shown below:

diskutil apfs decryptVolume /dev/apfs_volume_id_here


You should then see output similar to the following:

[Screenshot: command output]

As long as you are using root or admin privileges, no additional authentication is required to decrypt an unlocked encrypted volume. However, if you try to decrypt while logged in as a standard user, the diskutil tool will ask for admin authorization.

[Screenshot: diskutil apfs decryptVolume asking a standard user for admin authorization]

If the needed admin authorization is not provided, diskutil will halt at that point and give an insufficient privileges error.

[Screenshot: diskutil apfs decryptVolume insufficient privileges error]

Monitoring decryption

You can monitor decryption of the APFS volume from the command line by running the following command:

diskutil apfs list


Note: Unlike on previous OS versions, it is possible on macOS High Sierra to completely decrypt an encrypted APFS drive while booted from Recovery HD.

You can also monitor decryption via the following means:

1. Boot from the decrypting drive.
2. Open System Preferences.
3. Open the Security & Privacy preference pane.
4. Click the FileVault tab.
5. View the current decryption status.

  1. Dean Norton
    November 14, 2017 at 4:51 pm

    I have a drive removed from a family member’s Mac that was running High Sierra, and was very likely encrypted with FileVault 2. I have the passcode. The Mac failed due to water damage. I pulled the SSD and put it into an OWC enclosure. When I do a diskutil list I only see (for that device)

    /dev/disk3 (external, physical):
    #: TYPE NAME SIZE IDENTIFIER
    0: *0 B disk3

    I am trying to determine if it is actually damaged, or if it’s not showing more info due to encryption. Attempts to use a partition command result in “Wiping volume data to prevent future accidental probing failed.”

    diskutil list cs shows no CoreStorage volumes as expected (since it was at 10.13). diskutil list apfs shows only the container group for my own Mac, and does not show a second.

    Should I try something else, or would you guess this device is toast?

    Thanks very much!

  2. Bill
    November 28, 2017 at 10:34 am

    My decryption has paused. Unable to restart Mac to login - no password. How do I recommence decryption from terminal via recovery option?

    Mac 10.13.1 APFS

    • Wagner
      December 13, 2017 at 6:50 pm

      That is a good question. I am having the same issue.

  3. Donald
    December 15, 2017 at 4:10 pm

    Decrypting seems to require a passphrase. How do you use the institutional key?

  4. Olga
    December 15, 2017 at 9:11 pm

    Hello, my password is not being recognized even though I know for sure it is correct. Is there anything I can do or do I have to erase?
    I use “diskutil unlockvolume diskname” and type in what is for sure my password and I get an error “Passphrase incorrect or user does not exist”

  5. CD
    February 20, 2018 at 7:02 pm

    Hi, I’m trying to unlock an encrypted external disk that does not have user data on it – it is used purely for storage. How can I unlock using my account password? My account is an admin account and I believe I’m listed as the owner of the drive. I have the UUID information for the disk but no encryption password. Please let me know, thanks!

  6. Alex Holbert
    November 8, 2018 at 5:30 am

    My volume is unlocked and I’m in recovery mode. When I started to decrypt it, I get an error saying that it’s already encrypting or decrypting (-69573). Also, I can’t boot or log in normally. Should I just wait or is there something else I need to do? Thank you, your page has been very helpful.

  7. November 8, 2018 at 5:41 am

    Also, when I check to see how far along it is, it says 10% and that it is paused.

  8. Betyár Gábor
    November 8, 2018 at 8:53 pm

    I have the same problem as Alex.
    But my encryption progress is 22% and paused.
    How can I continue?
