How to recover data encrypted with Apple's FileVault 2

Apple's FileVault 2 offers whole-disk encryption schemes that protect the contents of your disk from unauthorized access. Here are three ways to regain access to your encrypted drive and recover data.

Apple's FileVault 2: A total disk encryption solution

Data encryption is generally viewed as an important, stop-gap measure that prevents reading the contents of data, especially data that has been accessed without authorization, exfiltrated by internal threat actors, or simply fallen into the wrong hands. And yet, it still amazes me how many recent attacks could have had their impacts lessened if the data being targeted had been encrypted in the first place.

The good news is some organizations have implemented encryption for their users' computers. Businesses that enabled Apple's FileVault 2 on their Mac computers have whole-disk encryption on those devices, and the data is secured with strong encryption standards while at rest. When IT needs to access or recover the data, questions arise, including: How can we access or recover the data? Did IT or the user set up the encryption scheme? And more importantly, what options are available to mitigate this issue and gain access to the protected data?

Learn three ways that FileVault 2-encrypted volumes may be decrypted to gain access to the protected data on the disk.

Note: This article is included in the free PDF download Apple FileVault 2: Tips for IT pros.

1: User account or passphrase method

FileVault 2 encrypts the entire disk (the legacy FileVault encrypted only the user's home folder). Typically, a user with administrative privileges on the device enables FileVault 2 initially. During this initialization process, FileVault 2 uses this user's password as the passphrase from which it creates the key that will be used to encrypt the disk.

This may seem like a horrible idea at first, because what happens if the user is no longer with the organization or does not remember her password? Apple has accounted for this by not explicitly relying on the user's password, but rather using the password to create the key that will encrypt the disk.

FileVault 2 does not look for a specific password to perform the encryption process, just the key. Any user with administrative privileges on that computer can "unlock" the disk, regardless of the ACL permissions configured within the filesystem, as long as each account has been configured by clicking the Enable User button and entering the password that corresponds to that account. This allows the user account that initially set up FileVault 2, another whitelisted admin-level account, or even a special service account or IT personnel to regain access to the contents of that disk and decrypt the data with their account, if necessary.


2: Recovery key method

The recovery key is created during FileVault 2's initialization process. It is a system-generated, 24-character alphanumeric key that is displayed on-screen to the user only once, during this phase of the process, which is why the user is urged to write down this key for safekeeping. But the key holds a deeper value: If the account or passphrase (see method #1 above) fails to unlock the disk, the recovery key may be invoked to unlock the disk, providing access to macOS and the decrypted data.

If the recovery key is not documented, recorded improperly, or misplaced, the key will be of little value in recovering the data; this is why it is strongly advised that users safeguard the recovery key at all times. Better still, FileVault 2 may be deployed by IT in a precise, methodical manner that ensures the key is recorded to a centralized location, or key escrow, so that recovering the data is possible, independent of the users that utilize those computers to complete their work.
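
An added example, not part of the original article: a shell check an IT team could run over its key-escrow records to catch recovery keys that were recorded improperly. It assumes a `serial,key` record layout and that keys are stored as macOS displays them, in six hyphen-separated groups of four characters; the function names, serials and keys are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit key-escrow records for malformed FileVault 2 recovery keys.
# Record layout (serial,key) is an assumption, not something the article defines.

# Normalize a transcribed key: strip whitespace and upper-case it.
normalize_key() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if the key has the recovery-key shape:
# 24 letters/digits written as six hyphen-separated groups of four.
is_wellformed_key() {
  printf '%s\n' "$(normalize_key "$1")" |
    grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Read "serial,key" lines on stdin and print the serial of every
# machine whose escrowed key is missing or malformed.
audit_escrow() {
  local serial key
  while IFS=, read -r serial key; do
    [ -n "$serial" ] || continue
    is_wellformed_key "$key" || printf '%s\n' "$serial"
  done
}

# Constructed sample records: valid, valid but lower-case, truncated,
# hyphens dropped, and never recorded.
sample_escrow() {
  cat <<'EOF'
C02EXAMPLE01,ABCD-EF12-3456-GHIJ-KL78-MN90
C02EXAMPLE02,abcd-ef12-3456-ghij-kl78-mn90
C02EXAMPLE03,ABCD-EF12-3456-GHIJ-KL78
C02EXAMPLE04,ABCDEF123456GHIJKL78MN90
C02EXAMPLE05,
EOF
}

# Lists the machines whose escrow entry needs to be re-checked.
sample_escrow | audit_escrow
```

A well-formed key can still be the wrong key for a given Mac; on the machine itself, `sudo fdesetup validaterecovery` checks a recovery key against the encrypted volume.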


3: iCloud account method

Similar to the recovery key method, iCloud can play a role in recovering data from a FileVault 2-enabled disk. During the initialization phase, the user performing the process will be prompted to create a recovery key (as stated previously) and will also be asked to choose a location to store the key. The user may record the key and store it themselves, or they can allow the key to be stored securely within their iCloud account for future use.

If this option was selected, you will need to enter an incorrect password three times at the login prompt to trigger the message stating you may reset your password with your Apple ID/iCloud. By clicking the arrow next to this message, you'll be able to enter your Apple ID and password. Because iCloud keeps a cached copy of your recovery key, this will allow you to gain access to the system, reset the Mac account's password, and decrypt the local disk.


Has your organization deployed FileVault to protect their Macs? If so, how has the experience been for users and IT stakeholders? We'd love to have you share your thoughts in the comments.


By Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...