
Decrypting an APFS encrypted volume using diskutil on macOS 10.13.2

Apple has made changes as of macOS 10.13.2 to the way you can turn off APFS encryption when using the diskutil apfs decryptVolume command.

On macOS 10.13.0 and 10.13.1, an APFS encrypted volume could be decrypted using the following procedure:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. Decrypt the encrypted APFS volume

Once the drive has been unlocked, you could then decrypt the APFS volume using the command shown below:

diskutil apfs decryptVolume /dev/apfs_volume_id_here

As long as you were using root or admin privileges to run the command, no additional authentication was required to decrypt an unlocked encrypted volume.


However, the diskutil apfs decryptVolume command has been updated on macOS 10.13.2 to require additional authentication:

In order to decrypt using a user account’s password or personal recovery key (PRK), it is necessary to specify the following:

  1. The relevant user UUID
  2. The relevant account password or the PRK.

Note: As of macOS 10.13.2, it is not possible to decrypt an encrypted APFS volume using an institutional recovery key (IRK). You can unlock an encrypted APFS volume using an IRK, but diskutil apfs decryptVolume does not include functionality for using an IRK to authenticate the decryption of an encrypted APFS volume.

For more details, please see below the jump.

If you are planning to use a user account’s password to decrypt, you will first need to correctly identify the relevant encrypted APFS volume and which UUID you want to use.

In this case, we’ll be using the following APFS volume identifier:

/dev/disk1s1


The other assumption is that the encrypted APFS volume has been unlocked and is ready for decryption.

If you are booted from the encrypted drive, you can get the UUID of a user account by running the command shown below and matching which UUID belongs to the account you want to use.

fdesetup list


If you are not booted from the encrypted drive, there is another way to get the UUID: run the command shown below and look at the entries listed as Local Open Directory User. However, this method will not display the account name and may require some guesswork if there is more than one FileVault-enabled account on the volume.

diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here


Once you have access to the UUID and password of one of the enabled accounts on the encrypted APFS volume, you can decrypt using the command below. You will be prompted to provide the password:

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here


If you want to use the PRK, the PRK has its own UUID which only appears if you run the following command:

diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here

In this case, use the UUID associated with the Personal Recovery User entry.


If you have access to the PRK associated with the encrypted APFS volume, you can decrypt using the command below. You will need to provide the relevant UUID and the alphanumeric personal recovery key as part of the command.

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here -passphrase personal_recovery_key_goes_here

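The procedure above, wrapped in a small shell script as an added example (not code from the original post): it pulls the UUID for a given cryptographic user type out of diskutil apfs listcryptousers output and builds the matching decryptVolume command. The listcryptousers layout is assumed from the post's screenshots, the UUIDs are constructed placeholders, and the script assumes that leaving out -passphrase makes diskutil prompt for the PRK the same way it prompts for an account password.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the (assumed) layout of
#   diskutil apfs listcryptousers /dev/disk1s1
# and builds the macOS 10.13.2+ decryptVolume command for a chosen user type.

# Constructed sample output; the UUIDs are placeholders, not real values.
SAMPLE_LISTCRYPTOUSERS='Cryptographic users for disk1s1 (2 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    Type: Personal Recovery User'

# uuid_for_type "<listcryptousers output>" "<Type string>"
# Prints every UUID whose following "Type:" line equals the wanted type.
uuid_for_type() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "+--" { uuid = $2; next }
        /Type:/ {
            sub(/^.*Type:[ \t]*/, "")
            if ($0 == want) print uuid
        }'
}

# decrypt_cmd <volume> <uuid>
# The PRK is deliberately not passed with -passphrase: diskutil is assumed to
# prompt for it instead, so the key never lands in shell history or ps output.
decrypt_cmd() {
    printf 'diskutil apfs decryptVolume %s -user %s\n' "$1" "$2"
}

main() {
    vol="${1:-/dev/disk1s1}"
    prk_uuid=$(uuid_for_type "$SAMPLE_LISTCRYPTOUSERS" "Personal Recovery User")
    local_count=$(uuid_for_type "$SAMPLE_LISTCRYPTOUSERS" "Local Open Directory User" | wc -l | tr -d ' ')
    if [ "$local_count" -gt 1 ]; then
        # listcryptousers shows no account names; fdesetup list maps UUIDs to them
        echo "note: $local_count local users found; match UUIDs with fdesetup list" >&2
    fi
    echo "Would run: $(decrypt_cmd "$vol" "$prk_uuid")"
}
main "$@"
```

Run it against real output by replacing the constructed sample with `$(diskutil apfs listcryptousers /dev/<volume>)` on the Mac in question.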

To show the process of decrypting an unlocked encrypted APFS volume while using a personal recovery key, please see below for a video:

  1. Efim Kuznetsov
    January 10, 2018 at 9:55 pm

    Many many thanks! It worked for me!

  2. MMR
    January 21, 2018 at 2:43 pm

    and what do I need to do if the encryption is not finished yet? Got the error “is already decrypting or encrypting (-69573)”

  3. April 5, 2018 at 5:29 pm

    So any updates on using an IRK to decrypt 10.13.4? since the authentication issue on 10.13.2 “diskutil decryptVolume disk2s1”? This is in reference to the drive already being unlocked using an Institutional Recovery Key – or is there a way to add a user or recovery using the IRK?

  4. Roberto Lopez
    April 6, 2018 at 10:45 am

    Yes here an update
    With Version 10.13.3 you will get an error using IRK when running “diskutil apfs decryptvolume” -> “Error starting background decryption of APFS Volume: APFS Volume decryption failed to begin (-69595)”
    With Version 10.13.4 you will get an error using IRK when running “diskutil apfs decryptvolume” -> “Error starting background decryption of APFS Volume: Passphrase incorrect (-69550)”
    I will try to encrypt in 10.13.4 and will try again to decrypt (maybe a bug during encryption with 10.13.3?)

  5. Andrew Garfield
    April 6, 2018 at 6:27 pm

    Having the same issue as you Roberto, and for me 10.13.4 did not resolve nor did it allow me to decrypt.

    • PT
      May 19, 2018 at 7:44 pm

      I am, unfortunately, experiencing the same on a volume encrypted on 10.13.4, Roberto.

  6. Lee
    April 20, 2018 at 12:59 pm

    Thanks so much for this! It’s an excellent article with a good, clear writing style too.

  7. Gilbert Gonzalez
    May 22, 2018 at 8:12 am

    Why is my status seemingly stuck at 10%?

  8. Shamir Moahmmed
    September 24, 2018 at 12:25 pm

    Thanks so much for this! It’s an excellent article
