As part of working with FileVault on macOS Mojave, it may be necessary to decrypt an encrypted boot drive in order to fix a problem. On Mojave all boot volumes will use Apple File System (APFS), so to unlock or decrypt an encrypted boot drive from the command line, you will need to do the following:
- Identify the relevant encrypted APFS volume
- Unlock the encrypted APFS volume
- If needed, decrypt the encrypted APFS volume
For more details, see below the jump.
Identifying the encrypted APFS volume
A necessary pre-requisite to unlocking APFS encryption is to identify the correct encrypted volume. To do this, open Terminal and run the following command:
diskutil apfs list
Running that command will give you a listing of all APFS containers and volumes. To help identify what you’re looking for, I’ve highlighted the identifier of the encrypted APFS volume in this example:
Unlocking the encrypted APFS volume
If you have access to the password of one of the enabled accounts on the encrypted APFS volume, you can unlock using the command shown on the screen. You will be prompted to provide the password.
diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here
If you have access to the personal recovery key associated with the encrypted APFS volume, you can unlock using the command shown on the screen. You will need to provide the recovery key as part of the command.
diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here -passphrase personal_recovery_key_goes_here
If using an institutional recovery key, you can unlock the encryption using a FileVaultMaster keychain that contains both the public and private key of your institutional recovery key. One requirement is that you will need to be booted from a Recovery HD partition or from Internet Recovery. Here’s how to do this:
1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.
2. Boot to Recovery HD.
3. Open Terminal.
4. Get the APFS volume ID of the encrypted drive by running the following command:
diskutil apfs list
5. With the APFS volume ID information acquired, run the following command to unlock the FileVaultMaster.keychain:
security unlock-keychain /path/to/FileVaultMaster.keychain
Once this command is run, you’ll need to enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.
6. Run the following command to unlock the encrypted APFS volume on the encrypted Mac:
diskutil apfs unlockVolume /dev/apfs_volume_id_goes_here -recoverykeychain /path/to/FileVaultMaster.keychain
7. You should then see output similar to the following:
Decrypting the encrypted APFS volume
Once the drive has been unlocked, you can then decrypt the APFS volume. In order to decrypt using a user account’s password or a recovery key, it is necessary to specify the following:
- The relevant encrypted APFS volume
- The relevant user UUID, unless using an institutional recovery key.
- The relevant account password, personal recovery key or institutional recovery key.
If you are planning to use a user account’s password to decrypt, you will first need to correctly identify the relevant encrypted APFS volume and which UUID you want to use. The encrypted APFS volume must also be unlocked and ready for decryption
You can get the UUID of a user account by running the command shown below and matching which UUID belongs to the account you want to use.
fdesetup list
If you are not booted from the encrypted drive, there is another way to get the UUID but it does not include the account name.
diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here
In this case, use the UUID associated with the Local Open Directory User entry.
Unfortunately, this may lead to some guesswork on your part if there is more than one FileVault enabled account enabled. With multiple accounts enabled, there will be will be multiple Local Open Directory User entries.
Decrypting using an account password:
Once you have access to the UUID and password of one of the enabled accounts on the encrypted APFS volume, you can decrypt using the command below. You will be prompted to provide the password:
diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here
Decrypting using a personal recovery key:
If you want to use the personal recovery key, the PRK has its own UUID which only appears if you run the following command:
diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here
In this case, use the UUID associated with the Personal Recovery User entry.
If you have access to the personal recovery key associated with the encrypted APFS volume, you can decrypt using the command below. You will need to provide the relevant UUID and the alphanumeric recovery key as part of the command.
diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here -passphrase personal_recovery_key_goes_here
Decrypting using an institutional recovery key:
If you want to use the institutional recovery key, decryption using an IRK does not require the use of UUIDs. Instead, once the recovery key and the encrypted drive have both been unlocked, you can decrypt using the command shown below.
diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -recoverykeychain /path/to/filename_here.keychain
Monitoring decryption
You can monitor decryption of the APFS volume from the command line by running the following command:
diskutil apfs list
You can also monitor it via the following means:
- Boot from the decrypting drive.
- Open System Preferences
- Open the Security & Privacy preference pane
- Click the FileVault tab
- View the current decryption status
