Decrypting a FileVault 2 drive

GeorgeCasper
New Contributor III

Hello!

We're in a bit of a pickle here! We encrypted a user's drive with FileVault 2 and an institutional key several years ago. I believe the user was originally running 10.7 or 10.8 when we gave him the machine; at some point he upgraded to Yosemite. We'd now like to migrate the user's data to a new machine.

Our normal practice is to have an account on all of our machines that would be able to decrypt the drive; but this particular machine doesn't have it. Failing that, I booted the machine to the Recovery Partition, stuck in a USB drive with the Filevault.master keychain, opened up a terminal, and attempted to decrypt the drive. Unfortunately, when I try to unlock it, I keep seeing:

Error: -69749: Unable to unlock the Core Storage volume

Did the upgrade to Yosemite break something vis a vis the Recovery Partition? In the meantime I've asked the user to contact us with the password, but I'm wondering if anyone else has seen this.

5 REPLIES

mm2270
Legendary Contributor III

I'm not sure specifically why you'd be seeing that error, but you may want to poke around on Rich Trouton's (@rtrouton) blog to see if he has anything posted about this. https://derflounder.wordpress.com/category/filevault-2/
He's pretty much an authority on FileVault 2 related topics.

sanaumann
New Contributor III

Are you just trying to wipe the machine or recover data from the encrypted drive?

Here is some info on simply erasing the volume.
https://derflounder.wordpress.com/2013/06/29/erasing-a-filevault-2-encrypted-volume/

Yosemite creates that CoreStorage volume, so yes, that's why it's there. Boo. You can convert it back to HFS if 1) it's not encrypted or 2) you have the key to decrypt it. ;)

rtrouton
Release Candidate Programs Tester

@GeorgeCasper,

I've seen that error when using a keychain that has only the institutional recovery key's public key inside. When using a keychain to unlock a FileVault 2-encrypted drive, the keychain needs to have both the institutional recovery key's public and private keys inside.

I have a post on institutional keys and how they work available from here:

https://derflounder.wordpress.com/2014/08/13/filevault-2-institutional-recovery-keys-creation-deploy... (see the Using FileVaultMaster.keychain to recover your data section.)
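
The condition described in the reply above (a keychain that holds only the public half of the institutional recovery key) can be checked from the record classes that `security dump-keychain` prints. This is an added example, not part of the thread or of the linked post; the sample dumps are constructed, and the record-header format and class values are assumptions noted in the comments.

```sh
#!/bin/sh
# Added example: classify `security dump-keychain` output read on stdin.
# Assumption: each record starts with a line such as `class: 0x00000010`, where
#   0x80001000 = X.509 certificate, 0x0000000F = public key, 0x00000010 = private key.
irk_keychain_status() {
    awk '
        $1 == "class:" {
            c = toupper($2)
            if (c == "0X80001000") cert++
            else if (c == "0X0000000F") pub++
            else if (c == "0X00000010") priv++
        }
        END {
            if (priv > 0) print "private-key-present"
            else if (cert > 0 || pub > 0) print "public-only"
            else print "no-recovery-key"
        }'
}

# Constructed sample: certificate and public key only (the failing case).
sample_public_only() {
cat <<'EOF'
keychain: "/Volumes/USB/FileVaultMaster.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="FileVault Recovery Key (constructed)"
class: 0x0000000F
attributes:
    0x00000001 <blob>="FileVault Master Password Key"
EOF
}

# Constructed sample: the same keychain with the private key still inside.
sample_with_private() {
sample_public_only
cat <<'EOF'
class: 0x00000010
attributes:
    0x00000001 <blob>="FileVault Master Password Key"
EOF
}

# On a Mac (hypothetical path):
#   security dump-keychain /Volumes/USB/FileVaultMaster.keychain | irk_keychain_status
echo "public-only sample:  $(sample_public_only | irk_keychain_status)"
echo "with-private sample: $(sample_with_private | irk_keychain_status)"
```

A `private-key-present` result only rules out the missing-private-key cause; it does not show that the key matches the one the volume was encrypted with.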

kwvarga
New Contributor

I've got a similar issue with a few machines. Did you ever get a resolution, @GeorgeCasper?

@rtrouton - I've verified that the Private Key is inside my keychain, and I'm able to unlock other machines with the same command (just different core storage volume ids) fine.

GeorgeCasper
New Contributor III

@kwvarga

We ended up having the user work with us to manually move their data off the machine, and then just wiped it.