As a follow-up to my earlier post about not being able to decrypt FileVault 2 from the Recovery HD partition, it looks like Apple has changed the process for how decryption works. Previously, you could run a command to decrypt on a locked FileVault 2-encrypted boot volume and it would decrypt.
As of 10.8.4, it appears that Apple now requires that the encrypted volume be unlocked first. Once it’s unlocked, then you can decrypt. See below the jump for details.
Here’s how the new decryption procedure works for Disk Utility:
1. Boot your Mac and hold down ⌘-R (Command –R) to boot from the Mac’s Recovery HD partition.
Note: You can also boot from a 10.8.4 installer drive , boot to Target Disk Mode and connect it via Firewire or Thunderbolt to another Mac, or use some other 10.8.4-booting drive. As long as you have 10.8.4′s Disk Utility, this should work.
2. Open Disk Utility.
3. Select your locked hard drive.
4. Under the File menu, select Unlock “Drive Name”
5. When prompted for a password, you can enter the password of any authorized account on the drive.
6. Once you unlock the disk, hold down the Option key on your keyboard and click on the File menu.
7. Under the File menu, select Turn Off Encryption… (with the Option key held down, it’s no longer grayed-out.)
8. When prompted for a password, you can enter the password of any authorized account on the drive.
9. Disk Utility should briefly display a progress window labeled Starting conversion to JHFS+
Your drive should now start decrypting.
You should also be able to unlock then decrypt your Mac from the command line, using the procedures described in this previous post.
I tested specifically to see if the institutional recovery key using FileVaultMaster.keychain worked with the new unlock-first-then-decrypt method while booted from Recovery HD. As shown below, unlocking then decrypting using the institutional recovery key works fine.
