
Unlock or decrypt an encrypted APFS boot drive from the command line

As part of working with Apple File System (APFS) volumes, it may be necessary to decrypt a boot drive that uses APFS's native encryption in order to fix a problem. To decrypt an encrypted APFS boot drive from the command line, you will need to do the following:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. Decrypt the encrypted APFS volume

For more details, see below the jump.

Identifying the encrypted APFS volume

A necessary prerequisite to unlocking APFS encryption is identifying the correct encrypted volume. To do this, open Terminal and run the following command:

diskutil apfs list

Running the specified diskutil command will give you a listing of all APFS containers and volumes. To help identify what you’re looking for, I’ve highlighted the identifier of the encrypted APFS volume in this example:

[Screenshot: diskutil apfs list output, with the identifier of the encrypted APFS volume highlighted]

Unlocking the encrypted APFS volume

If you have the password of one of the enabled accounts on the encrypted APFS volume, you can unlock the volume using the command shown below. You will be prompted to provide the password.

diskutil apfs unlockVolume /dev/apfs_volume_id_here

[Screenshot: running the unlockVolume command]

You should then see output similar to the following:

[Screenshot: unlockVolume output]

If you have the personal recovery key associated with the encrypted APFS volume, you can unlock the volume using the command shown below. You will need to provide the recovery key as part of the command.

diskutil apfs unlockVolume /dev/apfs_volume_id_here -passphrase recovery_key_goes_here

[Screenshot: running the unlockVolume command with -passphrase]

You should then see output similar to the following:

[Screenshot: unlockVolume output]

If you are using an institutional recovery key, you can unlock the encryption using a FileVaultMaster keychain that contains both the public and private keys of your institutional recovery key. One requirement is that you will need to be booted from Recovery HD or from Internet Recovery. Here's how to do this:

1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.

2. Boot to Recovery HD.

[Screenshot: Recovery HD]

3. Open Terminal.

[Screenshot: opening Terminal from Recovery HD]

4. Get the APFS volume ID of the encrypted drive by running the following command:

diskutil apfs list

[Screenshot: diskutil apfs list output in Recovery HD]

5. With the APFS volume ID information acquired, run the following command to unlock the FileVaultMaster.keychain:

security unlock-keychain /path/to/FileVaultMaster.keychain

Once this command is run, you'll need to enter the keychain's password when prompted. If the password is accepted, you'll be returned to the shell prompt.

[Screenshot: security unlock-keychain prompting for the keychain password]

6. Run the following command to unlock the encrypted APFS volume on the encrypted Mac:

diskutil apfs unlockVolume /dev/apfs_volume_id_here -recoverykeychain /path/to/FileVaultMaster.keychain

You should then see output similar to the following:

[Screenshot: unlockVolume output using -recoverykeychain]

Decrypting the encrypted APFS volume

Once the drive has been unlocked, you can then decrypt the APFS volume using the command shown below:

diskutil apfs decryptVolume /dev/apfs_volume_id_here

[Screenshot: running the decryptVolume command]

You should then see output similar to the following:

[Screenshot: decryptVolume output]

As long as you are using root or admin privileges, no additional authentication is required to decrypt an unlocked encrypted volume. However, if you try to decrypt while logged in as a standard user, the diskutil tool will ask for admin authorization.

[Screenshot: diskutil apfs decryptVolume run as a standard user asks for admin rights]

If the needed admin authorization is not provided, diskutil will halt at that point and give an insufficient privileges error.

[Screenshot: diskutil apfs decryptVolume halting with an insufficient privileges error]

Monitoring decryption

You can monitor decryption of the APFS volume from the command line by running the following command:

diskutil apfs list

[Screenshot: diskutil apfs list output showing decryption in progress]

Note: Unlike with previous versions of macOS, on macOS High Sierra it is possible to completely decrypt an encrypted APFS drive while booted from Recovery HD.

You can also monitor decryption via the following means:

1. Boot from the decrypting drive.
2. Open System Preferences.
3. Open the Security & Privacy preference pane.

[Screenshot: Security & Privacy preference pane]

4. Click the FileVault tab.

[Screenshot: FileVault tab]

5. View the current decryption status.

[Screenshot: FileVault tab showing decryption status]
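The identify, unlock and decrypt steps above, plus the command-line monitoring step, as one added shell example (not code from the original post): it parses the output of diskutil apfs list to find volumes whose FileVault state is Locked and prints the unlockVolume and decryptVolume commands for each. The sample listing is constructed, and its field layout (the "APFS Volume Disk (Role):", "Name:" and "FileVault:" lines) is an assumption modeled on High Sierra output; check it against your own Mac's listing.

```shell
# Constructed sample listing (assumption: layout modeled on High Sierra output).
SAMPLE_APFS_LIST='APFS Container (1 found)
+-- Container disk1 AAAAAAAA-0000-0000-0000-000000000000
    +-> Volume disk1s1 BBBBBBBB-0000-0000-0000-000000000000
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s4 DDDDDDDD-0000-0000-0000-000000000000
        APFS Volume Disk (Role):   disk1s4 (Data)
        Name:                      Data (Case-insensitive)
        FileVault:                 Yes (Unlocked)'

# Read a listing on stdin; print "identifier<TAB>name<TAB>state" per volume,
# where state is Locked, Unlocked or None (FileVault not enabled).
apfs_volume_states() {
    awk '
        /APFS Volume Disk \(Role\):/ { sub(/.*\(Role\):[ ]*/, ""); id = $1 }
        /^[| ]*Name:/ { sub(/^[| ]*Name:[ ]*/, ""); sub(/ \(Case-.*\)$/, ""); name = $0 }
        /^[| ]*FileVault:/ {
            state = "None"
            if ($0 ~ /Yes \(Locked\)/) state = "Locked"
            else if ($0 ~ /Yes/) state = "Unlocked"
            printf "%s\t%s\t%s\n", id, name, state
        }'
}

# Identifiers of volumes that must be unlocked before decryptVolume can run.
locked_volumes() {
    apfs_volume_states | awk -F'\t' '$3 == "Locked" { print $1 }'
}

# Unlock command for a credential type: "password" prompts interactively,
# "recoverykey" passes a personal recovery key, "keychain" uses an unlocked
# FileVaultMaster keychain (needs a Recovery HD boot, as the post explains).
unlock_command() {
    case "$1" in
        password)    echo "diskutil apfs unlockVolume /dev/$2" ;;
        recoverykey) echo "diskutil apfs unlockVolume /dev/$2 -passphrase '$3'" ;;
        keychain)    echo "diskutil apfs unlockVolume /dev/$2 -recoverykeychain '$3'" ;;
        *)           echo "unknown credential type: $1" >&2; return 1 ;;
    esac
}

# Walk the sample: show the unlock and decrypt steps for every locked volume.
printf '%s\n' "$SAMPLE_APFS_LIST" | locked_volumes | while read -r vol; do
    unlock_command password "$vol"
    echo "diskutil apfs decryptVolume /dev/$vol"
done
```

On a real Mac, replace the printf of the sample with `diskutil apfs list | locked_volumes`; re-running apfs_volume_states while a decryption is in progress is the same check the post describes for monitoring.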

  1. Dean Norton
    November 14, 2017 at 4:51 pm

    I have a drive removed from a family member's Mac that was running High Sierra, and was very likely encrypted with FileVault 2. I have the passcode. The Mac failed due to water damage. I pulled the SSD and put it into an OWC enclosure. When I do a diskutil list I only see (for that device)

    /dev/disk3 (external, physical):
    #: TYPE NAME SIZE IDENTIFIER
    0: *0 B disk3

    I am trying to determine if it is actually damaged, or if it's not showing more info due to encryption. Attempts to use a partition command result in "Wiping volume data to prevent future accidental probing failed."

    diskutil list cs shows no CoreStorage volumes as expected (since it was at 10.13). diskutil list apfs shows only the container group for my own Mac, and does not show a second.

    Should I try something else, or would you guess this device is toast?

    Thanks very much!
