Mac OS X Mavericks FileVault 2 Guide.

Rusli
Rusli Posts: 1,022 Influencer

F-Secure please do not delete this post. It is a life saver to troubleshooting things!

------------------------------------------------------------------------------------------------------------

 

Keep this link very handy.

You might need it to decrypt and unlock your FileVault hard disk on your Mac OS X.

Many people make the mistake of not jotting down the series of strings of the FileVault recovery key.

And did not sync it to iCloud.

Here is how the knowledge base from Apple gives you a guide to decrypt and unlock your encrypted FileVault storage hard disk drive.

The methods are based on this link:-

http://support.apple.com/kb/HT5077

 

OS X: How to create and deploy a recovery key for FileVault 2

Learn how to create and deploy a recovery key for use with FileVault 2 in order to recover encrypted data after a lost user password, in this advanced article.

Use the steps below to create a master password, delete the private key, distribute the updated FileVaultMaster.keychain to clients and then recover encrypted data after a lost user password.

Create a master password

    Open System Preferences and select the Users & Groups preference pane.
    If locked, click the lock icon to authenticate.
    Click the Services button and then select "Set Master Password…" from the pop-up menu.
    Create a master password using the sheet that appears. You can use the Password Assistant to help you create a strong password. Once set, the following files are created:

    /Library/Keychains/FileVaultMaster.cer
    /Library/Keychains/FileVaultMaster.keychain
    Copy the /Library/Keychains/FileVaultMaster.keychain file to a safe location for storage, such as an external drive or an encrypted disk image on another physical disk. This file contains the private key required to unlock the encrypted disc. You can safely delete the /Library/Keychains/FileVaultMaster.cer file.

Delete the private key

    Double-click /Library/Keychains/FileVaultMaster.keychain in the Finder to open the keychain with Keychain Access.
    In Keychain Access, select FileVaultMaster from the list of keychains on the left.
    Delete the "FileVault Master Password Key" by highlighting it and then pressing the Delete key on your keyboard. Click Delete in the resulting dialog.
    Quit Keychain Access.
    Copy the updated /Library/Keychains/FileVaultMaster.keychain file to another location. This file can be distributed to clients to be used by FileVault.

Distribute FileVaultMaster.keychain

Using your preferred method of distribution, copy and install the FileVaultMaster.keychain file into /Library/Keychains/ on client computers. Make sure the ownership and permissions are correct, for example:

-rw-r--r--  1 root  wheel  23540 Dec  7 13:55 /Library/Keychains/FileVaultMaster.keychain

If necessary, the following commands will configure the correct ownership and permissions, respectively:

sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain
sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain

Enabling FileVault 2

When turning on FileVault 2 in System Preferences, an alert appears informing the user that a recovery key has been set by their company, school, or institution.


Recovery

If a user forgets their password, and a recovery key was installed before FileVault 2 was turned on, you can use the following steps to unlock an encrypted disk. Note: This procedure only works when the computer is started from OS X Recovery.

    Restart the client while holding the Command and R keys.
    Connect an external drive containing the FileVaultMaster.keychain file with the private key.
    From the Utilities menu, select Terminal.
    If the keychain containing the private key is stored in an encrypted disk image, use the following command to mount it:

    hdiutil attach /path/to/diskImage

    Use the following command to unlock the FileVaultMaster.keychain file; be sure to insert the correct path to your keychain file:

    security unlock-keychain <path to Keychain File>

    For example, on a volume named ThumbDrive:
    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain
    Enter the master password to unlock the keychain. If the password is accepted the command prompt will return.
    Use the following command to list the drives and corestorage volumes:

    diskutil cs list
    Look for the UUID of Logical Volume, usually the last in the list. Select and copy the UUID for the next command step.
    Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the previous step, and the correct path to the keychain file:

    diskutil cs unlockVolume <UUID> -recoveryKeychain <path to Keychain File>

    For example, you'd use this command if there was a UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:
    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain
    Enter the master password to unlock the keychain. The volume will be mounted. You can now back up data using Disk Utility, or by using command line tools such as ditto.

Additional Information

See also OS X: About FileVault 2.
Last Modified: Nov 6, 2013


Comments

  • Rusli
    Rusli Posts: 1,022 Influencer

    There are other links!!!

    Bookmark this!!!

    http://derflounder.wordpress.com/2014/08/12/problems-decrypting-filevault-2-encrypted-drives-while-booted-from-mavericks-recovery-hd/

    Go to the link above and see the actual screenshots!

    There are other links that illustrate these methods:-

    Bookmark this link!!!

    http://derflounder.wordpress.com/2014/08/12/problems-decrypting-filevault-2-encrypted-drives-while-booted-from-mavericks-recovery-hd/

     

    Problems decrypting FileVault 2 encrypted drives while booted from Mavericks’ Recovery HD
    August 12, 2014 rtrouton

    While working with a colleague to prepare a FileVault 2 rollout at his institution, he reported that in his testing, the decryption process did not appear to be working correctly when he was booted from the Recovery HD partition and using the command line diskutil-based decryption procedure that I had posted. In his testing, he was finding that the CoreStorage volume that the FileVault 2 encryption process created was not being removed when the diskutil corestorage revert command was run. The drive was being decrypted, but the CoreStorage volume was being left behind. This caused problems in his testing, because he found that rebooting afterwards led to the Mac booting to a prohibited sign.

    [Screenshot]

    This symbol at boot means the system has found a bootable installation of Mac OS X on the system, but there is something wrong with it.

    After some additional testing, he discovered that he actually needed to run diskutil corestorage revert twice in succession. Running diskutil corestorage revert the first time would decrypt the drive. Running diskutil corestorage revert a second time following the first command would then remove the unencrypted CoreStorage volume. Once the CoreStorage volume was removed, the Mac would then be able to reboot normally to the regular boot drive.

    The behavior seems to be tied to the following:

    1. Booting from a Mavericks Recovery HD partition (all testing was done with a 10.9.4 Recovery HD partition.)

    2. Decrypting using either of the following methods:

    A. Using Recovery HD’s Disk Utility to decrypt the FileVault 2-encrypted boot drive. This decryption method is described here.

    B. Running diskutil corestorage revert from the Terminal. This decryption method is described here.

    3. Letting the drive get to Conversion Progress: 100% while booted from the Recovery HD partition. Conversion Progress status can be displayed by running the diskutil corestorage list command in Terminal.

    [Screenshot]

    4. Rebooting back to the main boot drive once Conversion Progress: has reached 100%.

    The end result is a locked CoreStorage volume that will not unlock or mount on boot, or when accessed from a Recovery HD partition or Apple’s Internet Recovery. This was the root cause for the prohibited symbol at boot that my colleague was receiving.

    In my testing, I did find it was possible to decrypt the drive via Disk Utility or the command line when it was attached as an external drive (via Target Disk Mode or other means) to a Mac that was booted to a full version of OS X 10.9.x. Once decrypted, I verified that the CoreStorage volume was removed. Once I had verified that, I further verified that I could now boot normally from the previously non-bootable hard drive.

    One drawback to decrypting while attached to a regular 10.9.x boot drive is that you are not able to use an Institutional Recovery Key (IRK). Using that kind of recovery key for unlocking or decryption only works when booted from a Recovery HD partition or Internet Recovery. Since that’s precisely where our problem exists, I investigated further to see if there were alternate workarounds for this problem. For more details and the workarounds I found, see below the jump.

    In my testing, I identified two workarounds for this issue:

    A. Reboot from the Recovery HD partition before the drive fully decrypts

    It appears that the issue is specific to completely finishing decryption while booted from a Mavericks Recovery HD partition. However, if you start decryption on a drive, then reboot, decryption will continue after the reboot.

    To take advantage of this behavior, I tested and verified that if you start decryption while booted from the Recovery HD partition, then reboot from the Recovery HD partition to a drive running a full version of OS X 10.9.x, decryption will complete normally. As part of the decryption process, the CoreStorage volume is properly removed and the drive is converted back to a normal HFS+ drive.

    B. Decrypt using the command line and run diskutil corestorage revert twice

    In my testing, I verified my colleague’s finding that running diskutil corestorage revert will decrypt the drive. Once Conversion Progress: has reached 100%, running a second diskutil corestorage revert command will result in the CoreStorage volume being removed and converting the drive back to a normal HFS+ drive. On reboot, the formerly encrypted drive will boot normally.

    When you run the first diskutil corestorage revert command, you should see output like this:

    Started CoreStorage operation on disk14 Macintosh HD
    Core Storage LV UUID: D28C59B2-3720-4A3F-BCB0-6731338CEE44
    Core Storage disk: disk0s2
    Finished CoreStorage operation on disk14 Mac HD
    Decryption in progress; use `diskutil coreStorage list` for status

    Once Conversion Progress: has reached 100% and you run the second diskutil corestorage revert command, you should see output like this:

    Started CoreStorage operation on disk14 Macintosh HD
    Switching partition from Core Storage type to original type
    Reclaiming space formerly used by Core Storage metadata
    Ejected Logical Volume
    Removing Physical Volume
    Destroying Logical Volume Group
    Remounting former Physical Volume as normal disk
    Core Storage LV UUID: D28C59B2-3720-4A3F-BCB0-6731338CEE44
    Core Storage disk: disk0s2
    Finished CoreStorage operation on disk14 Macintosh HD
    Decryption in progress; use `diskutil coreStorage list` for status

    See below for screenshots showing how this should look for the following commands:

    diskutil corestorage revert UUID_here -stdinpassphrase

    [Screenshot]

    diskutil corestorage revert UUID_here -passphrase recoverykey_here

    [Screenshot]

    diskutil corestorage revert UUID_here -recoveryKeychain /path/to/FileVaultMaster.keychain

    [Screenshot]

    I’ve filed a bug report with Apple about this issue. If you want to duplicate it, the bug ID number is available below:

  • Rusli
    Rusli Posts: 1,022 Influencer

    Go to this link to see the actual screenshots!

    http://derflounder.wordpress.com/2011/11/23/using-the-command-line-to-unlock-or-decrypt-your-filevault-2-encrypted-boot-drive/

    Unlock or decrypt your FileVault 2-encrypted boot drive from the command line
    November 23, 2011 rtrouton

    In addition to using Disk Utility, you can also use the command line to unlock or decrypt a FileVault 2-encrypted drive. In order to make sure it all works, I recommend that you use the Recovery HD partition or the Recovery HD partition cloned onto an external drive. See below the jump for the procedure.


    Update – June 11, 2013: As of Mac OS X 10.8.4, you will need to unlock the encrypted volume first, then you will be able to decrypt it. See this post for details.


    Update – April 27, 2014: If you are working with a Fusion Drive, do not use the decryption instructions included with this post. See this post for how to unlock or decrypt a Fusion drive.


    Update – August 11, 2014: Problems have been found when decrypting from Mavericks’ Recovery HD. See this post for a description of the problem and available workarounds.

    To start with, you will need to identify the Logical Volume UUID of the encrypted drive using the diskutil corestorage list command:


    diskutil corestorage list

    [Screenshot]

    Running that command will give you a listing of all Core Storage volumes. To help identify what you’re looking for, I’ve highlighted the UUID of the encrypted drive in this example:

    [Screenshot]

    Once you have the UUID, you can then either unlock or unencrypt the encrypted volume using the following commands.

    Using the password of an authorized account on the command line

    To unlock: diskutil corestorage unlockVolume UUID -stdinpassphrase


    [Screenshot]

    The -stdinpassphrase flag will cause the command to prompt you for the password/passphrase of an account that’s authorized to unlock the encryption.

    If successful, the drive will unlock and mount. You should see output similar to that shown below.

    [Screenshot]

    Once you’ve unlocked the disk, you can then revert it back from being an encrypted volume.

    To decrypt: diskutil corestorage revert UUID -stdinpassphrase

    [Screenshot]

    You’ll be prompted for the password/passphrase of an account that’s authorized to unlock the encryption. Once provided, decryption of the encrypted volume will begin.

    To track its progress, you can use the diskutil corestorage list command. To help identify the decryption status, I’ve highlighted the relevant sections to check in the list.

    [Screenshot]

    Once the drive has been completely decrypted, it will no longer be listed as a CoreStorage volume by diskutil corestorage list. In Disk Utility, it should appear as a normal hard drive.

    Using the FileVault 2-generated individual recovery key on the command line

    If you don’t have the password of any of the authorized accounts and you are not using an institutional recovery key with FileVaultMaster.keychain, you can use the FileVault 2-generated individual recovery key instead. The commands are mostly the same, but instead of using the -stdinpassphrase flag, you instead use -passphrase and enter the recovery key.

    To unlock: diskutil corestorage unlockVolume UUID -passphrase recoverykey


    [Screenshot]

    If successful, the drive will unlock and mount. You should see output similar to that shown below.

    [Screenshot]

    Once you’ve unlocked the drive, you should also be able to unencrypt it using this command: diskutil corestorage revert UUID -passphrase recoverykey


    [Screenshot]


    Using FileVaultMaster.keychain on the command line

    At this time, it’s only possible to unlock or decrypt from the command line if you’re using an institutional recovery key that’s been set with FileVaultMaster.keychain. Here’s how you can unlock the encryption using an institutional recovery key with FileVaultMaster.keychain:

    1. Copy your FileVaultMaster recovery keychain from the safe place your institution stored it in to a drive that you can access from Recovery HD.

    2. Boot to the Recovery HD partition or the Recovery HD partition cloned onto an external drive.

    3. Get the Logical Volume UUID of the encrypted drive by running diskutil corestorage list.

    4. With the UUID information acquired, run the following command to unlock the FileVaultMaster.keychain:

    security unlock-keychain /path/to/FileVaultMaster.keychain


    [Screenshot]

    Once this command is run, you’ll need to enter your institution’s Master Password when prompted. If the password is accepted, you’ll be taken to the next prompt.

    5. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac:

    diskutil corestorage unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain

    [Screenshot]

    6. You should then see output similar to the following:


    Started CoreStorage operation
    Logical Volume successfully unlocked
    Logical Volume successfully attached as disk4
    Logical Volume successfully mounted as /Volumes/Macintosh HD
    Core Storage disk: disk4

    At this point, with the disk unlocked and mounted, you should be able to recover your data using whatever tools you prefer.

    Once you’ve unlocked the disk, you can also then decrypt the encrypted volume by running the following command:

    diskutil corestorage revert UUID -recoveryKeychain /path/to/FileVaultMaster.keychain

    [Screenshot]

    Once it’s decrypted, you should have full access to your hard disk’s data.
    17985943

  • Rusli
    Rusli Posts: 1,022 Influencer

    Go to this link to see the actual screenshots!

    http://derflounder.wordpress.com/2014/04/27/unlocking-or-decrypting-a-filevault-2-encrypted-fusion-drive-from-the-command-line/



    Unlocking or decrypting a FileVault 2-encrypted Fusion Drive from the command line
    April 27, 2014 rtrouton

    Unlocking or decrypting a FileVault 2-encrypted Fusion drive from the command line can be a little different from how you would handle a non-Fusion drive. This is because Apple has created Fusion drives by using the Core Storage volume manager that they first introduced in OS X 10.7.x. Normally when you enable FileVault 2, there is not an existing Core Storage volume on the drive being encrypted and the FileVault 2 process creates it. When a drive is decrypted using the diskutil cs revert command, that CoreStorage volume is then removed as part of the process.

    However, with Fusion drives, not only is there an existing CoreStorage volume present before encryption, you want to make sure it’s not being removed as part of the decryption process. Doing so would destroy the Fusion drive setup and potentially result in the loss of all data stored on the Fusion drive.

    There are two tools that you can use to safely decrypt a Fusion drive on OS X Mavericks:

    fdesetup

    diskutil

    fdesetup

    fdesetup includes the disable verb, which turns off FileVault 2 encryption on a FileVault 2-encrypted Mac. To decrypt using fdesetup, run the following command with root privileges:

    fdesetup disable

    [Screenshot]

    You’ll be prompted for the password of an account that’s authorized to unlock the encryption, or the personal recovery key if available. Once provided, decryption of the encrypted volume will begin. One limitation of using fdesetup to decrypt is that you’ll need to be booted from the same boot drive that you want to decrypt, as you can’t specify a different drive with fdesetup.

    diskutil

    diskutil is able to decrypt FileVault 2-encrypted drives other than the one you’re booted from, but you’ll need to identify the Logical Volume UUID of the encrypted drive using the following command:

    diskutil cs list

    Running that command will give you a listing of all Core Storage volumes. To help identify what you’re looking for, I’ve highlighted the UUID of the encrypted drive in this example:

    [Screenshot]

    Once you have the UUID, you can then either unlock or decrypt the encrypted volume using the following commands. If the goal is to decrypt, be aware that you’ll need to unlock the drive first.

    Using the password of an authorized account on the command line

    To unlock, run the following command:
    diskutil cs unlockVolume UUID -stdinpassphrase

    The -stdinpassphrase flag will cause the command to prompt you for the password of an account that’s authorized to unlock the encryption. If successful, the drive will unlock and mount. You should see output similar to that shown below.

    [Screenshot]

    Once you’ve unlocked the disk, you can then decrypt it and return it to being an unencrypted Core Storage volume.

    To decrypt, run the following command:

    diskutil cs decryptVolume UUID -stdinpassphrase

    You’ll be prompted for the password of an account that’s authorized to unlock the encryption. Once provided, decryption of the encrypted volume will begin.

    [Screenshot]

    Using the personal recovery key on the command line


    If you don’t have the password of any of the authorized accounts and the Mac has a personal recovery key associated with it, you can use the personal recovery key to authorize. The commands are mostly the same, but instead of using the -stdinpassphrase flag, you instead use -passphrase and enter the recovery key.

    To unlock, run the following command:

    diskutil cs unlockVolume UUID -passphrase recoverykey

    If successful, the drive will unlock and mount. You should see output similar to that shown below.

    [Screenshot]

    Once you’ve unlocked the drive, you should also be able to decrypt it using this command:

    diskutil cs decryptVolume UUID -passphrase recoverykey

    [Screenshot]

    Using the institutional recovery key on the command line

    Assuming that the FileVault 2 encryption on your Fusion drive is using an institutional key, you can unlock or decrypt the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from a Recovery HD partition or from Internet Recovery. Here’s how to do this:

    1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.

    2. Boot to Recovery HD.

    3. Get the Logical Volume UUID of the encrypted drive by running the following command:

    diskutil cs list

    4. With the UUID information acquired, run the following command to unlock the FileVaultMaster.keychain:

    security unlock-keychain /path/to/FileVaultMaster.keychain

    [Screenshot]

    Once this command is run, you’ll need to enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.

    5. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac:

    diskutil cs unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain

    6. You should then see output similar to the following:

    [Screenshot]

    Once you’ve unlocked the disk, you can then decrypt the encrypted Core Storage volume by running the following command:

    diskutil cs decryptVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain

    [Screenshot]

    Verifying decryption
    Once the Fusion drive has been completely decrypted, it should still be listed as a Core Storage volume when diskutil cs list is run. The relevant values to check if a Fusion drive is encrypted or not are these:

    Encryption Type:
    Conversion Status:
    Conversion Direction:
    Has Encrypted Extents:

    On an encrypted Fusion drive, these values should be like the ones shown below:

    Encryption Type: AES-XTS
    Conversion Status: Complete
    Conversion Direction: -none-
    Has Encrypted Extents: Yes

    [Screenshot]

    On a decrypting Fusion drive, these values should be like the ones shown below:

    Encryption Type: AES-XTS
    Conversion Status: Converting
    Conversion Direction: backward
    Has Encrypted Extents: Yes

    [Screenshot]

    On a Fusion drive that has just been decrypted, these values should be like the ones shown below:

    Encryption Type: AES-XTS
    Conversion Status: NoConversion
    Conversion Direction: -none-
    Has Encrypted Extents: No

    [Screenshot]

    On a Fusion drive that has never been encrypted, or been decrypted then restarted at least once since the decryption finished, these values should be like the ones shown below:

    Encryption Type: None
    Conversion Status: NoConversion
    Conversion Direction: -none-
    Has Encrypted Extents: No

    [Screenshot]

    For those who want more details on the bug report, I’ve also posted the bug report information at OpenRadar:

    http://openradar.appspot.com/radar?id=5885738759487488
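As an added example that is not part of the forum thread, Apple's KB article or the Der Flounder posts quoted above, the script below parses a constructed `diskutil cs list` listing and applies the checks those posts tell you to make by eye: it picks the Logical Volume UUID (the last one listed), reads the four fields from the Fusion drive verification table, and says what the posts recommend next, including the "run revert twice" case for Mavericks Recovery HD. It assumes a Fusion Drive shows up as a CoreStorage group with more than one Physical Volume; the sample UUIDs other than the LV UUID from the quoted revert output are made up.

```shell
#!/bin/sh
# Added example, not code from the forum thread, Apple's KB article or the Der
# Flounder posts quoted above. It parses the text that `diskutil cs list` prints
# so the values the posts tell you to read by eye (Logical Volume UUID,
# Conversion Progress and the four encryption fields) can be checked by a script
# before deciding whether it is safe to reboot. SAMPLE_CS_LIST is constructed
# for this example (the LV UUID is the one shown in the quoted revert output;
# the other UUIDs are made up); the layout follows diskutil's listing format.

SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 7A2F0C11-5B3E-4D9A-9F60-1E2D3C4B5A69
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 3C1E9A44-2D5F-4B7C-8E10-55AA66BB77CC
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 9B8A7C6D-5E4F-4321-A0B1-C2D3E4F50617
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Converting
        Conversion Direction:    backward
        Has Encrypted Extents:   Yes
        |
        +-> Logical Volume D28C59B2-3720-4A3F-BCB0-6731338CEE44
            ---------------------------------------------------
            Disk:                  disk14
            Status:                Online
            Conversion Progress:   100%
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD'

# cs_field KEY LISTING: value of the first "KEY:" line, with the tree characters
# and whitespace stripped; empty when the key is absent (e.g. no conversion).
cs_field() {
    printf '%s\n' "$2" | sed -n "s/^[ |]*$1:[[:space:]]*//p" | head -n 1
}

# cs_lv_uuid LISTING: UUID from the last "+-> Logical Volume <UUID>" line, which
# is what the recovery steps say to copy. The Logical Volume Family line also
# starts with "Logical Volume", so the word before the UUID is checked.
cs_lv_uuid() {
    printf '%s\n' "$1" |
        awk '/[+]-> Logical Volume / && $(NF-1) == "Volume" { print $NF }' |
        tail -n 1
}

# cs_pv_count LISTING: number of Physical Volumes in the group.
cs_pv_count() {
    printf '%s\n' "$1" | awk '/[+]-< Physical Volume / { n++ } END { print n + 0 }'
}

# cs_state LISTING: classify with the four-field table from the Fusion drive post.
cs_state() {
    etype=$(cs_field "Encryption Type" "$1")
    cstatus=$(cs_field "Conversion Status" "$1")
    cdir=$(cs_field "Conversion Direction" "$1")
    extents=$(cs_field "Has Encrypted Extents" "$1")
    case "$etype,$cstatus,$cdir,$extents" in
        "AES-XTS,Complete,-none-,Yes")     echo encrypted ;;
        "AES-XTS,Converting,backward,Yes") echo decrypting ;;
        "AES-XTS,NoConversion,-none-,No")  echo decrypted-restart-pending ;;
        "None,NoConversion,-none-,No")     echo not-encrypted ;;
        *)                                 echo unknown ;;
    esac
}

# cs_next_step LISTING: what the posts say to do next. Assumption: a Fusion
# Drive appears as a group with more than one Physical Volume.
cs_next_step() {
    state=$(cs_state "$1")
    progress=$(cs_field "Conversion Progress" "$1")
    if [ "$(cs_pv_count "$1")" -gt 1 ]; then
        echo "fusion: keep the CoreStorage volume; decrypt with fdesetup disable or diskutil cs decryptVolume, not revert ($state)"
    elif [ "$state" = decrypting ] && [ "$progress" = "100%" ]; then
        echo "non-fusion: Conversion Progress is 100% but the volume is still listed; run diskutil corestorage revert again before rebooting"
    elif [ "$state" = decrypting ]; then
        echo "non-fusion: decryption at $progress; reboot to a full OS X 10.9.x install before it reaches 100% from Recovery HD, or plan to run revert twice"
    else
        echo "$state"
    fi
}

# Stand-alone run: report on the constructed listing.
echo "Logical Volume UUID: $(cs_lv_uuid "$SAMPLE_CS_LIST")"
echo "State:               $(cs_state "$SAMPLE_CS_LIST")"
echo "Next step:           $(cs_next_step "$SAMPLE_CS_LIST")"
```

On a real Mac, replace the constructed sample with `diskutil cs list` output, e.g. `cs_next_step "$(diskutil cs list)"`.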

     

     

This discussion has been closed.