Archive
Decrypting an APFS encrypted volume using diskutil on macOS 10.13.2
Apple has made changes as of macOS 10.13.2 to the way you can turn off APFS encryption when using the diskutil apfs decryptVolume command.
On macOS 10.13.0 and 10.13.1, an APFS encrypted volume could be decrypted using the following procedure:
- Identify the relevant encrypted APFS volume
- Unlock the encrypted APFS volume
- Decrypt the encrypted APFS volume
Once the drive has been unlocked, you could then decrypt the APFS volume using the command shown below:
diskutil apfs decryptVolume /dev/apfs_volume_id_here
As long as you were using root or admin privileges to run the command, no additional authentication was required to decrypt an unlocked encrypted volume.
However, the diskutil apfs decryptVolume command has been updated on macOS 10.13.2 to require additional authentication:
decryptVolume volumeDevice [-user disk | existingCryptoUserUUID] [-passphrase existingPassphrase | -stdinpassphrase]
Start "background" decryption of a currently-encrypted APFS Volume.
The APFS Volume must be unlocked before beginning this operation.
In most cases, you will have to specify some (any) existing cryptographic user and passphrase on the APFS
Volume. If you do not supply a user, the "Disk User" is assumed. If you do not supply a passphrase yet one
is required, you will be prompted interactively.
Ownership of the affected disks is required.
In order to decrypt using a user account’s password or personal recovery key (PRK), it is necessary to specify the following:
- The relevant user UUID
- The relevant account password or the PRK.
Note: As of macOS 10.13.2, it is not possible to decrypt an encrypted APFS volume using an institutional recovery key (IRK). You can unlock an encrypted APFS volume using an IRK, but diskutil apfs decryptVolume does not include functionality for using an IRK to authenticate the decryption of an encrypted APFS volume.
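As an added example (not code from the original post), here is a small sh wrapper for the 10.13.2 form of the command. It validates the volume identifier and crypto user UUID, then supplies the account password or PRK through -stdinpassphrase instead of a -passphrase argument, which would be visible in the process list. The function names, the DRY_RUN switch and the sample identifiers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root or an admin user.
# Find the crypto user UUID first: diskutil apfs listCryptoUsers /dev/disk1s1
# (disk1s1 is a constructed sample identifier, not a value from the post).

UUID_RE='^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
VOLUME_RE='^(/dev/)?disk[0-9]+s[0-9]+$'

# matches VALUE ERE: true only if the whole single-line value matches.
matches() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$2"
}

# decrypt_volume VOLUME CRYPTO_USER_UUID
# Returns 2 for a bad volume identifier, 3 for a bad UUID.
decrypt_volume() {
    vol=$1; user=$2
    matches "$vol" "$VOLUME_RE" || { echo "bad volume identifier" >&2; return 2; }
    matches "$user" "$UUID_RE" || { echo "bad crypto user UUID" >&2; return 3; }

    # DRY_RUN=1 (hypothetical switch) prints the command instead of running it.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "diskutil apfs decryptVolume $vol -user $user -stdinpassphrase"
        return 0
    fi

    # Read the secret without echo and hand it over on stdin, so it never
    # appears in the argument list (ps output) or in shell history.
    printf 'Account password or PRK: ' >&2
    stty -echo; IFS= read -r secret; stty echo; echo >&2
    printf '%s\n' "$secret" |
        diskutil apfs decryptVolume "$vol" -user "$user" -stdinpassphrase
    rc=$?
    unset secret
    return "$rc"
}
```

The volume must already be unlocked before decrypt_volume is called, as the usage text above requires.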
For more details, please see below the jump.
Creating local user accounts with pycreateuserpkg
As part of setting up new Macs, you may want to add one or more local user accounts with a pre-determined password to those Macs. The reasons for this may include the following:
- Setting up a local administrator account
- Setting up a “loaner” user account for a pool of loaner laptops
- Setting up a local user account that automatically logs in at startup for a library kiosk
- Setting up a generic “student” account for use in a school’s computer lab
Previously, it was possible to use the venerable CreateUserPkg utility to accomplish this goal, but the password scheme used by CreateUserPkg stopped working on macOS High Sierra. An alternative tool which works on macOS High Sierra is pycreateuserpkg, a Python script written by Greg Neagle which generates packages that create local user accounts when installed. For more information, see below the jump.