Data security is at an all-time critical level. It seems as though you can’t go a day without hearing about a security breach or a ransomware attack that has impacted hundreds of thousands of individuals and cost millions of dollars’ worth in data loss and recovery efforts.
Apple’s FileVault 2 encryption program is highly recommended as a best practice for protecting data, especially mobile users’ confidential data. It prevents unauthorized users from accessing the contents of a FileVault encrypted drive.
SEE: Password management policy (Tech Pro Research)
Here’s the downside: Due to how Apple handles the setup of the encryption by tying it to the user’s login account, if you forget your password, you will not be able to access your protected data unless you have retained a physical or digital copy of the recovery key. By following any of the three methods below, armed with the all-powerful recovery key, you will be able to access your secured data if you (or someone you’re providing support for) are unable to authenticate.
1. How to reset a password from the login screen
1. Boot the Mac to the login screen.
2. Click the ? icon to be prompted with performing a reset by using your Recovery Key. Click the arrow button to proceed.
3. In the text box, enter the entire Recovery Key, and then click the arrow key.
4. If successful, the key will unlock the encrypted startup disk and take you back to the login screen.
5. The Reset Password overlay will appear, prompting you to enter and confirm a new password for your user account.
6. Once completed, click the Reset Password button.
Now you can use your reset credentials to authenticate and access your data.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
2. How to use Terminal in Recovery Partition
1. Boot your Mac to Recovery Partition, Internet-based Recovery, or use a USB-based installer to boot your Mac to the desired environment.
2. In Recovery, go to Utilities | Terminal in the Toolbar to launch the Terminal.
3. Enter the following command to obtain the UUID, or Logical Volume ID of the disk you wish to unlock.
diskutil corestorage list
4. Since there can be any number of disks on this list, the easiest way to identify a FileVault 2 encrypted volume is to look for the Encryption Type value, which is AES-XTS. A few lines below this value, you’ll find the UUID. Copy this string for use in the next step.
5. With the UUID, enter the following command to unlock the disk. Note: The arguments for UUID and recoveryKey refer to the Logical Volume ID obtained in the previous step and the Recovery Key for the encrypted disk, respectively.
diskutil corestorage unlockVolume UUID -passphrase recoveryKey
6. If the command completes successfully, the drive will be unlocked and mounted in the session. Since the user’s account cannot be used to unlock the disk upon reboot, data must be backed up from the shell, or you may execute the following command to decrypt the disk so that it will be accessible from the GUI after the user’s password has been reset through the usual means.
diskutil corestorage revert UUID -passphrase recoveryKey
3. How to unlock the master keychain from backup
Note: This method requires a copy of the FileVaultMaster.keychain file (if one was created) in order to recover the encrypted disk. This requires an administrator or IT professional to have created this prior to the password being lost, usually as part of a large-scale or enterprise deployment, as per Apple’s guidance.
1. Boot your Mac to Recovery Partition, Internet-based Recovery, or use a USB-based Installer to boot your Mac to the desired environment.
2. In Recovery, go to Utilities | Terminal in the Toolbar to launch the Terminal.
3. If your FileVaultMaster.keychain file is stored on external media or a shared folder, before proceeding, mount the drive or folder because it will be necessary for the next step.
4. Enter the following command to unlock the FileVault Master keychain.
Security unlock-keychain /Path/to/keychain/file
5. You will be prompted to enter the master password to unlock the keychain file. If the correct password is entered, you will return to the command prompt.
6. Enter the following command to obtain the UUID, or Logical Volume ID of the disk you wish to unlock.
diskutil corestorage list
7. Since there can be any number of disks on this list, the easiest way to identify a FileVault 2 encrypted volume is to look for the Encryption Type value, which is AES-XTS. A few lines below this value, you’ll find the UUID. Copy this string for use in the next step.
8. With the UUID, enter the following command to unlock the disk. Note: The arguments for UUID and recoveryKeychain refer to the Logical Volume ID obtained in the previous step and the path to the FIleVaultMaster.keychain file, respectively.
diskutil corestorage unlockVolume UUID -recoveryKeychain /Path/to/keychain/file
9. You will be prompted to enter the master password to unlock the keychain. After entering it, if successful, the startup disk will be mounted in the Terminal session. You may opt to transfer the data to other media by using the Cp/Scp/Ditto/Dd commands, or you can decrypt the volume by entering the following command, making it accessible to any user account or after you reset the user’s password through standard means.
diskutil corestorage revert UUID -passphrase recoveryKeychain /Path/to/keychain/file
Have you experienced any FileVault encryption nightmares? If so, what steps did you take to resolve the issue? Share your FileVault recovery experiences in the comments.
