
Unlock or decrypt your FileVault-encrypted boot drive from the command line on macOS Mojave

As part of working with FileVault on macOS Mojave, it may be necessary to decrypt an encrypted boot drive in order to fix a problem. On Mojave all boot volumes will use Apple File System (APFS), so to unlock or decrypt an encrypted boot drive from the command line, you will need to do the following:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. If needed, decrypt the encrypted APFS volume

For more details, see below the jump.

Identifying the encrypted APFS volume

A necessary prerequisite to unlocking APFS encryption is identifying the correct encrypted volume. To do this, open Terminal and run the following command:

diskutil apfs list

Running that command lists every APFS container and volume. The encrypted boot volume is the one whose "FileVault:" line reads "Yes (Locked)" (or "Yes (Unlocked)" once it has been unlocked); its identifier, for example disk1s1, is on the matching "APFS Volume Disk (Role):" line. Note that identifier, as every command below needs it.

Unlocking the encrypted APFS volume

If you have access to the password of one of the enabled accounts on the encrypted APFS volume, you can unlock using the command shown below. You will be prompted to provide the password.

diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here


If you have access to the personal recovery key associated with the encrypted APFS volume, you can unlock using the command shown below. You will need to provide the recovery key as part of the command. Be aware that a key passed with -passphrase is recorded in your shell history and is visible in the process listing while diskutil runs; diskutil also accepts -stdinpassphrase to read the key from standard input instead.

diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here -passphrase personal_recovery_key_goes_here


If using an institutional recovery key, you can unlock the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from a Recovery HD partition or from Internet Recovery. Here’s how to do this:

1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD. Because this keychain holds the private key, it is as sensitive as the recovery key itself: keep the copy on that drive only for as long as the recovery takes and remove it afterwards.

2. Boot to Recovery HD.


3. Open Terminal.

4. Get the APFS volume ID of the encrypted drive by running the following command:

diskutil apfs list


5. With the APFS volume ID information acquired, run the following command to unlock the FileVaultMaster.keychain:

security unlock-keychain /path/to/FileVaultMaster.keychain


Once this command is run, you'll need to enter the keychain's password when prompted. If the password is accepted, the command exits silently and you are returned to the shell prompt.

6. Run the following command to unlock the encrypted APFS volume on the encrypted Mac:

diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here -recoverykeychain /path/to/FileVaultMaster.keychain

7. If the keychain holds the private key matching the volume's institutional recovery key, diskutil reports that the volume has been unlocked.

Decrypting the encrypted APFS volume

Once the drive has been unlocked, you can then decrypt the APFS volume. To decrypt using a user account's password or a recovery key, it is necessary to specify the following:

  1. The relevant encrypted APFS volume
  2. The UUID of the cryptographic user to decrypt with, unless using an institutional recovery key
  3. The relevant account password, personal recovery key or institutional recovery key

If you are planning to use a user account's password to decrypt, you will first need to correctly identify the relevant encrypted APFS volume and the UUID of the account you want to use. The encrypted APFS volume must also already be unlocked before it can be decrypted.

You can get the UUID of a user account by running the command shown below and matching which UUID belongs to the account you want to use.

fdesetup list


If you are not booted from the encrypted drive, there is another way to get the UUID but it does not include the account name.

diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here


In this case, use the UUID associated with a Local Open Directory User entry.

Unfortunately, this may involve some guesswork on your part if more than one account is FileVault-enabled: with multiple accounts enabled, there will be multiple Local Open Directory User entries, and listcryptousers does not say which account each one belongs to. If the password you have does not match the UUID you picked, the decrypt command fails and you can try the next entry.

Decrypting using an account password:

Once you have access to the UUID and password of one of the enabled accounts on the encrypted APFS volume, you can decrypt using the command below. You will be prompted to provide the password:

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here


Decrypting using a personal recovery key:

If you want to use the personal recovery key, the PRK has its own cryptographic user UUID, which fdesetup list does not show. It only appears if you run the following command:

diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here

In this case, use the UUID associated with the Personal Recovery User entry.

If you have access to the personal recovery key associated with the encrypted APFS volume, you can decrypt using the command below. You will need to provide the relevant UUID and the alphanumeric recovery key as part of the command.

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here -passphrase personal_recovery_key_goes_here


Decrypting using an institutional recovery key:

If you want to use the institutional recovery key, decryption with an IRK does not require a user UUID. Instead, once the FileVaultMaster keychain has been unlocked with security unlock-keychain and the encrypted volume has been unlocked, you can decrypt using the command shown below.

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -recoverykeychain /path/to/FileVaultMaster.keychain

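The script below is an added example, written for this edit and not taken from the original post or from Apple, that automates the lookups described above: it parses the text of diskutil apfs list to find the locked volume, parses diskutil apfs listcryptousers to pick the cryptographic user UUID for the chosen method, and refuses to guess when more than one Local Open Directory User is present. The diskutil output embedded in it is constructed (made-up UUIDs, trimmed to the fields used); the field labels follow Mojave's diskutil output. The live path runs only when FV_LIVE=1 is set on a Mac, and it relies on diskutil's interactive prompt for the password or recovery key rather than -passphrase on the command line, so the secret does not end up in shell history or a process listing.

```bash
#!/bin/bash
# Added example, not from the original post: parse diskutil output to pick the
# volume and cryptographic user for "diskutil apfs decryptVolume".
# Field labels follow Mojave's diskutil output; the sample text is constructed.

# Identifiers (e.g. disk1s1) of every APFS volume whose FileVault field reads
# "Yes (Locked)". $1 = text of "diskutil apfs list".
find_locked_volumes() {
    printf '%s\n' "$1" | awk '
        /APFS Volume Disk \(Role\):/ { sub(/.*\(Role\):[ \t]*/, ""); vol = $1 }
        /FileVault:/ { sub(/.*FileVault:[ \t]*/, ""); if ($0 ~ /^Yes \(Locked\)/) print vol }
    '
}

# UUIDs of every cryptographic user whose Type matches $2 exactly
# (e.g. "Personal Recovery User"). $1 = text of "diskutil apfs listcryptousers".
cryptousers_of_type() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[+]-- / { uuid = $2 }
        /Type:/   { sub(/.*Type:[ \t]*/, ""); sub(/[ \t]+$/, ""); if ($0 == want) print uuid }
    '
}

# Pick the -user UUID for the decrypt method in $2 ("prk" or "password").
# Fails when there is no candidate, or when several Local Open Directory Users
# exist: listcryptousers does not show account names, so the only safe way to
# tell them apart is "fdesetup list" while booted from the volume.
choose_decrypt_uuid() {
    local users count
    case "$2" in
        prk)      users=$(cryptousers_of_type "$1" "Personal Recovery User") ;;
        password) users=$(cryptousers_of_type "$1" "Local Open Directory User") ;;
        *)        echo "unknown method: $2" >&2; return 2 ;;
    esac
    if [ -z "$users" ]; then
        echo "no cryptographic user for method $2 on this volume" >&2
        return 1
    fi
    count=$(printf '%s\n' "$users" | awk 'END { print NR }')
    if [ "$count" -ne 1 ]; then
        echo "ambiguous: $count candidate users, pass the UUID explicitly:" >&2
        printf '%s\n' "$users" | sed 's/^/  /' >&2
        return 1
    fi
    printf '%s\n' "$users"
}

# Constructed sample output with made-up UUIDs, trimmed to the fields used.
SAMPLE_APFS_LIST='APFS Container (1 found)
|
+-- Container disk1 0B8E5E9C-2B4D-4E3B-8A1E-6D5C4B3A2F10
    ====================================================
    APFS Container Reference:     disk1
    |
    +-> Volume disk1s1 9C1A2B3D-4E5F-4A6B-8C7D-0E1F2A3B4C5D
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk1s2 1F2E3D4C-5B6A-4978-8D7E-6F5A4B3C2D1E
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   FileVault:                 No
    |
    +-> Volume disk1s3 2A3B4C5D-6E7F-4081-92A3-B4C5D6E7F809
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s3 (Recovery)
        Name:                      Recovery (Case-insensitive)
        FileVault:                 No'

SAMPLE_CRYPTOUSERS='Cryptographic users for disk1s1 (3 found)
|
+-- A1B2C3D4-1111-4A2B-8C3D-000000000001
|   Type: Local Open Directory User
|
+-- 5E6F7A8B-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
|
+-- C9D8E7F6-2222-4B3C-9D4E-000000000002
    Type: Local Open Directory User'

# Live run on macOS (decryptVolume needs root):
#   FV_LIVE=1 ./fv-decrypt.sh password     or     FV_LIVE=1 ./fv-decrypt.sh prk
# Both diskutil calls prompt for the secret instead of taking -passphrase.
main() {
    local method="${1:-password}" vol users uuid
    vol=$(find_locked_volumes "$(diskutil apfs list)" | head -n 1)
    if [ -z "$vol" ]; then echo "no locked FileVault volume found" >&2; return 1; fi
    users=$(diskutil apfs listcryptousers "/dev/$vol")
    uuid=$(choose_decrypt_uuid "$users" "$method") || return 1
    echo "volume $vol, cryptographic user $uuid ($method)"
    diskutil apfs unlockVolume "/dev/$vol" -user "$uuid" || return 1
    diskutil apfs decryptVolume "/dev/$vol" -user "$uuid"
}

if [ "${FV_LIVE:-0}" = "1" ]; then main "$@"; fi
```

Run against the constructed samples, find_locked_volumes returns disk1s1, choose_decrypt_uuid with prk returns the Personal Recovery User UUID, and choose_decrypt_uuid with password fails because two Local Open Directory Users are present, which is exactly the guesswork case noted above. If you must script the secret rather than type it at the prompt, feed it through -stdinpassphrase rather than -passphrase.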

Monitoring decryption

You can monitor decryption of the APFS volume from the command line by running the following command:

diskutil apfs list

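As an added example for monitoring from the command line (written for this edit, not taken from the original post), the script below extracts one volume's FileVault field from the text of diskutil apfs list and polls until that field reads "No", which is what diskutil reports once a volume is fully decrypted. The diskutil output embedded in it is constructed (made-up UUIDs, trimmed to the fields used); the polling loop runs only with FV_LIVE=1 on a Mac.

```bash
#!/bin/bash
# Added example, not from the original post: poll "diskutil apfs list" until
# one volume's FileVault field reports "No" (fully decrypted).

# FileVault field of volume $2 (e.g. "Yes (Unlocked)") from the
# "diskutil apfs list" text in $1; prints nothing if the volume is absent.
fv_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /APFS Volume Disk \(Role\):/ { sub(/.*\(Role\):[ \t]*/, ""); vol = $1 }
        /FileVault:/ && vol == want  { sub(/.*FileVault:[ \t]*/, ""); sub(/[ \t]+$/, ""); print }
    '
}

# Poll every $2 seconds (default 30) until volume $1 reports "FileVault: No".
wait_for_decrypt() {
    local vol="$1" interval="${2:-30}" state
    while :; do
        state=$(fv_state "$(diskutil apfs list)" "$vol")
        if [ -z "$state" ]; then echo "volume $vol not found" >&2; return 1; fi
        printf '%s  %s  FileVault: %s\n' "$(date '+%H:%M:%S')" "$vol" "$state"
        if [ "$state" = "No" ]; then return 0; fi
        sleep "$interval"
    done
}

# Constructed sample: disk1s1 still encrypted but unlocked, disk1s2 not encrypted.
SAMPLE_APFS_LIST='    +-> Volume disk1s1 9C1A2B3D-4E5F-4A6B-8C7D-0E1F2A3B4C5D
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s2 1F2E3D4C-5B6A-4978-8D7E-6F5A4B3C2D1E
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s2 (Preboot)
        FileVault:                 No'

# Live run on macOS: FV_LIVE=1 ./fv-wait.sh disk1s1 30
if [ "${FV_LIVE:-0}" = "1" ]; then wait_for_decrypt "${1:-disk1s1}" "${2:-30}"; fi
```

The loop prints whatever diskutil currently reports for the volume on each poll, so you can see the state change without re-reading the whole listing, and it exits non-zero if the volume identifier disappears from the output.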

You can also monitor it via the following means:

  1. Boot from the decrypting drive.
  2. Open System Preferences
  3. Open the Security & Privacy preference pane
  4. Click the FileVault tab
  5. View the current decryption status


  1. Peter Trondsen
    January 15, 2019 at 6:44 pm

    Will this also work if the encryption was done with the user’s iCloud account?

    Cryptographic users for disk1s1 (4 found)
    |
    +-- 7251A7A3-7B33-440E-9A65-A85AD5629F8F
    |   Type: Local Open Directory User
    |
    +-- EC1C2AD9-B618-4ED6-BD8D-50F361C27507
    |   Type: iCloud Recovery User
    |
    +-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
    |   Type: iCloud Recovery External Key
    |
    +-- E9327782-4A9C-4F16-B488-4113785E6DA0
        Type: Local Open Directory User

  2. Carlos Echevarria
    January 15, 2019 at 7:24 pm

    Sir, as always many, many thanks. I owe you a 6 pack of diet Cokes.
    Gracias
