In order to decrypt using a user account’s password or personal recovery key (PRK), it is necessary to specify the following:

- The relevant account password or the PRK.

Note: As of macOS 10.13.2, it is not possible to decrypt an encrypted APFS volume using an institutional recovery key (IRK). You can unlock an encrypted APFS volume using an IRK, but diskutil apfs decryptVolume does not include functionality for using an IRK to authenticate the decryption of an encrypted APFS volume.

For more details, please see below the jump.

If you are planning to use a user account’s password to decrypt, you will first need to correctly identify the relevant encrypted APFS volume and which UUID you want to use. In this case, we’ll be using the following APFS volume identifier:

The other assumption is that the encrypted APFS volume has been unlocked and is ready for decryption.

If you are booted from the encrypted drive, you can get the UUID of a user account by running the command shown below and matching which UUID belongs to the account you want to use.

If you are not booted from the encrypted drive, there is another way to get the UUID by running the command shown below and looking at the entries listed as Local Open Directory User. However, this method will not display the account name and may require some guesswork if there is more than one FileVault-enabled account.

diskutil apfs listcryptousers /dev/apfs_volume_id_goes_here

Once you have access to the UUID and password of one of the enabled accounts on the encrypted APFS volume, you can unlock using the command below. You will be prompted to provide the password:

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here

If you want to use the PRK, the PRK has its own UUID which only appears if you run the following command:

In this case, use the UUID associated with the Personal Recovery User entry.

If you have access to the PRK associated with the encrypted APFS volume, you can decrypt using the command below. You will need to provide the relevant UUID and the alphanumeric personal recovery key as part of the command.

diskutil apfs decryptVolume /dev/apfs_volume_id_goes_here -user uuid_goes_here -passphrase personal_recovery_key_goes_here

To show the process of decrypting an unlocked encrypted APFS volume while using a personal recovery key, please see below for a video:

I have a strange problem, hoping someone can help. When I run “diskutil apfs listcryptousers” I only get the “iCloud Recovery User” and the “iCloud Recovery External Key”. When I use resetpassword from the recovery mode terminal, I am able to use iCloud to unlock the disk and I can see the two user accounts. Those accounts are in the Open Directory, however they are not FileVault cryptousers on the disk.
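Choosing the -user UUID from a listcryptousers listing by entry type, as an added example that is not part of the original page. The listing layout, the UUIDs and the function names (sample_listing, uuids_of_type, pick_single_uuid) are constructed assumptions; only the type labels come from the text above.

```shell
#!/bin/sh
# Constructed sample of `diskutil apfs listcryptousers` output.
# The layout is an assumption and the UUIDs are made up.
sample_listing() {
cat <<'EOF'
Cryptographic users for disk1s1 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|
+-- 66666666-7777-8888-9999-AAAAAAAAAAAA
|   Type: Local Open Directory User
|
+-- BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF
    Type: Personal Recovery User
EOF
}

# uuids_of_type TYPE: read a listing on stdin, print the UUID of every
# entry whose "Type:" line equals TYPE exactly.
uuids_of_type() {
  awk -v want="$1" '
    /^[| ]*[+]-- / { uuid = $NF; next }     # entry line: remember its UUID
    /Type: / {
      sub(/^.*Type: /, ""); sub(/[ \t]+$/, "")
      if ($0 == want && uuid != "") print uuid
      uuid = ""
    }'
}

# pick_single_uuid TYPE: print the UUID only when exactly one entry matches,
# so an ambiguous or missing entry is reported instead of guessed.
pick_single_uuid() {
  matches=$(uuids_of_type "$1")
  count=$(printf '%s\n' "$matches" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected 1 '$1' entry, found $count" >&2
    return 1
  fi
  printf '%s\n' "$matches"
}

# The PRK entry is unique, so it can be selected automatically.
prk_uuid=$(sample_listing | pick_single_uuid "Personal Recovery User") &&
  echo "PRK UUID: $prk_uuid"
# Two FileVault-enabled accounts: the listing has no account names, so stop here.
sample_listing | pick_single_uuid "Local Open Directory User" ||
  echo "pick the account UUID manually"
```

On a real system the listing would be piped in from diskutil apfs listcryptousers instead of sample_listing; a volume with no Local Open Directory User entries at all, as in the comment above, makes pick_single_uuid fail with a count of 0.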