Unlocking or decrypting a FileVault 2-encrypted Fusion drive from the command line can be a little different from how you would handle a non-Fusion drive. This is because Apple has created Fusion drives by using the Core Storage volume manager that they first introduced in OS X 10.7.x. Normally when you enable FileVault 2, there is not an existing Core Storage volume on the drive being encrypted and the FileVault 2 process creates it. When a drive is decrypted using the diskutil cs revert command, that CoreStorage volume is then removed as part of the process.
However, with Fusion drives, not only is there an existing CoreStorage volume present before encryption, you want to make sure it’s not being removed as part of the decryption process. Doing so would destroy the Fusion drive setup and potentially result in the loss of all data stored on the Fusion drive.
There’s two tools that you can use to safely decrypt a Fusion drive on OS X Mavericks:
fdesetup
fdesetup includes the disable verb, which turns off FileVault 2 encryption on a FileVault 2-encrypted Mac. To decrypt using fdesetup, run the following command with root privileges:
fdesetup disable
You’ll be prompted for the password of an account that’s authorized to unlock the encryption, or the personal recovery key if available. Once provided, decryption of the encrypted volume will begin. One limitation of using fdesetup to decrypt is that you’ll need to be booted from the same boot drive that you want to decrypt, as you can’t specify a different drive with fdesetup.
diskutil
diskutil is able to decrypt FileVault 2-encrypted drives other than the one you’re booted from, but you’ll need to identify the Logical Volume UUID of the encrypted drive using the following command:
diskutil cs list
Running that command will give you a listing of all Core Storage volumes. To help identify what you’re looking for, I’ve highlighted the UUID of the encrypted drive in this example:
Once you have the UUID, you can then either unlock or decrypt the encrypted volume using the following commands. If the goal is to decrypt, be aware that you’ll need to unlock the drive first.
Using the password of an authorized account on the command line
To unlock, run the following command:
diskutil cs unlockVolume UUID -stdinpassphrase
The -stdinpassphrase flag will cause the command to prompt you for the password of an account that’s authorized to unlock the encryption. If successful, the drive will unlock and mount. You should see output similar to that shown below.
Once you’ve unlocked the disk, you can then decrypt it and return it to being an unencrypted Core Storage volume.
To decrypt, run the following command:
diskutil cs decryptVolume UUID -stdinpassphrase
You’ll be prompted for the password of an account that’s authorized to unlock the encryption. Once provided, decryption of the encrypted volume will begin.
Using the personal recovery key on the command line
If you don’t have the password of any of the authorized accounts and the Mac has a personal recovery key associated with it, you can use the personal recovery key to authorize. The commands are mostly the same, but instead of using the -stdinpassphrase flag, you instead use -passphrase and enter the recovery key.
To unlock, run the following command:
diskutil cs unlockVolume UUID -passphrase recoverykey
If successful, the drive will unlock and mount. You should see output similar to that shown below.
Once you’ve unlocked the drive, you should also be able to decrypt it using this command:
diskutil cs decryptVolume UUID -passphrase recoverykey
Using the institutional recovery key on the command line
Assuming that the FileVault 2 encryption on your Fusion drive is using an institutional key, you can unlock or decrypt the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from a Recovery HD partition or from Internet Recovery. Here’s how to do this:
1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.
2. Boot to Recovery HD.
3. Get the Logical Volume UUID of the encrypted drive by running the following command:
diskutil cs list
4. With the UUID information acquired, run the following command to unlock the FileVaultMaster.keychain:
security unlock-keychain /path/to/FileVaultMaster.keychain
Once this command is run, you’ll need to enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.
5. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac:
diskutil cs unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
6. You should then see output similar to the following:
Once you’ve unlocked the disk, you can then decrypt the encrypted Core Storage volume by running the following command:
diskutil cs decryptVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
Verifying decryption
Once the Fusion drive has been completely decrypted, it should still be listed as a Core Storage volume when diskutil cs list is run. The relevant values to check if a Fusion drive is encrypted or not are these:
Encryption Type:
Conversion Status:
Conversion Direction:
Has Encrypted Extents:
On an encrypted Fusion drive, these values should be like the ones shown below:
Encryption Type: AES-XTS
Conversion Status: Complete
Conversion Direction: -none-
Has Encrypted Extents: Yes
On an decrypting Fusion drive, these values should be like the ones shown below:
Encryption Type: AES-XTS
Conversion Status: Converting
Conversion Direction: backward
Has Encrypted Extents: Yes
On a Fusion drive that has just been decrypted, these values should be like the ones shown below:
Encryption Type: AES-XTS
Conversion Status: NoConversion
Conversion Direction: -none-
Has Encrypted Extents: No
On a Fusion drive that has never been encrypted, or been decrypted then restarted at least once since the decryption finished, these values should be like the ones shown below:
Encryption Type: None
Conversion Status: NoConversion
Conversion Direction: -none-
Has Encrypted Extents: No
