10 Mayıs 2013 Cuma

Unlock or decrypt your FileVault 2-encrypted boot drive from the command line


In addition to using Disk Utility, you can also use the command line to unlock or decrypt a FileVault 2-encrypted drive. In order to make sure it all works, I recommend that you use theRecovery HD partition or the Recovery HD partition cloned onto an external drive. See below the jump for the procedure.
To start with, you will need to identify the Logical Volume UUID of the encrypted drive using the diskutil corestorage list command:

diskutil corestorage list

diskutil_corestorage_list
Running that command will give you a listing of all Core Storage volumes. To help identify what you’re looking for, I’ve highlighted the UUID of the encrypted drive in this example:
Screen Shot 2011-06-25 at 10.54.27 AM
Once you have the UUID, you can then either unlock or unencrypt the encrypted volume using the following commands.
Using the password of an authorized account on the command line
To unlock: diskutil corestorage unlockVolume UUID -stdinpassphrase

Screen Shot 2011-06-25 at 9.16.15 AM
The -stdinpassphrase flag will cause the command to prompt you for the password/passphrase of an account that’s authorized to unlock the encryption.
If successful, the drive will unlock and mount. You should see output similar to that shown below.
Screen Shot 2011-06-25 at 9.16.25 AM
Once you’ve unlocked the disk, you can then revert it back from being an encrypted volume.
To decrypt: diskutil corestorage revert UUID -stdinpassphrase
Screen Shot 2011-06-25 at 11.17.33 AM
You’ll be prompted for the password/passphrase of an account that’s authorized to unlock the encryption. Once provided, decryption of the encrypted volume will begin.
To track its progress, you can use the diskutil corestorage list command. To help identify the decryption status, I’ve highlighted the relevant sections to check in the list.
Screen Shot 2011-06-25 at 11.19.08 AM
Once the drive has been completely decrypted, it will no longer be listed as a CoreStorage volume by diskutil corestorage list. In Disk Utility, it should appear as a normal hard drive.
Using the FileVault 2-generated individual recovery key on the command line
If you don’t have the password of any of the authorized accounts and you are not using an institutional recovery key with FileVaultMaster.keychain, you can use the FileVault 2-generated individual recovery key instead. The commands are mostly the same, but instead of using the -stdinpassphrase flag, you instead use -passphrase and enter the recovery key.
To unlock: diskutil corestorage unlockVolume UUID -passphrase recoverykey

Screen Shot 2011-06-25 at 2.03.35 PM
If successful, the drive will unlock and mount. You should see output similar to that shown below.
Screen Shot 2011-06-25 at 2.05.08 PM
Once you’ve unlocked the drive, you should also be able to unencrypt it using this command:diskutil corestorage revert UUID -passphrase recoverykey

Screen Shot 2011-06-25 at 2.11.34 PM

Using FileVaultMaster.keychain on the command line
At this time, it’s only possible to unlock or decrypt from the command line if you’re using a institutional recovery key that’s been set with FileVaultMaster.keychain. Here’s how you can unlock the encryption using an institutional recovery key with FileVaultMaster.keychain:
1. Copy your FileVaultMaster recovery keychain from the safe place your institution stored it in to a drive that you can access from Recovery HD.
2. Boot to the Recovery HD partition or the Recovery HD partition cloned onto an external drive.
3. Get the Logical Volume UUID of the encrypted drive by running diskutil corestorage list.
4. With the UUID information acquired, run the following command to unlock the FileVaultMaster.keychain:
security unlock-keychain /path/to/FileVaultMaster.keychain

Screen Shot 2011-08-06 at 10.33.55 AM
Once this command is run, you’ll need to enter your institution’s Master Password when prompted. If the password is accepted, you’ll be taken to the next prompt.
5. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac:
diskutil corestorage unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
Screen Shot 2011-07-10 at 9.40.50 PM
6. You should then see output similar to the following:

Started CoreStorage operation
Logical Volume successfully unlocked
Logical Volume successfully attached as disk4
Logical Volume successfully mounted as /Volumes/Macintosh HD
Core Storage disk: disk4
At this point, with the disk unlocked and mounted, you should be able to recover your data using whatever tools you prefer.
Once you’ve unlocked the disk, you can also then decrypt the encrypted volume by running the following command:
diskutil corestorage revert UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
Screen Shot 2011-07-10 at 9.40.50 PM
Once it’s decrypted, you should have full access to your hard disk’s data.



Hiç yorum yok:

Yorum Gönder