How to mount and retrieve data from an Apple Filevault encrypted disk

In our last post, we discussed about Bitlocker encryption, which is native to some Windows operating systems. However, if you’re an Apple owner and have encryption enabled on your system – you’re probably using Filevault version 1 or 2. (There are other Mac encryption applications out there like Sophos SafeGuard, but these tend to have a very small user base)

Filevault was first introduced by Apple in their Panther operating system. This legacy version of Filevault used AES with cipher-block chaining. But, only after only a couple of months on the market – the rumor mill in IT security circles started spinning suggesting that Filevault’s 1 AES-CBC encryption could easily be hacked. Moreover, Filevault 1 was causing Apple users major filesharing headaches and misfiring Time Machine backups.

With the introduction of their Lion operating system (10.7), Apple decided to call time on Filevault 1 and launched Filevault 2. With this version, instead of AES-CBC – they decided to use AES-XTC with an elephant diffuser. This offers users a much more secure encryption system. Apple also ironed out the filesharing and Time Machine glitches.

Even though Filevault 2 offers a much needed improvement. Sometimes, due to a corrupt operating system or corruption in Filevault itself – the disk will have to be slaved and manually mounted via a third party system. This can be performed by a couple of simple Terminal commands using a Mac system.

Last week, we dealt with a very simple recovery. The user, a small charity organisation, had an Filevault encrypted disk. Their operating system crashed. Their IT admin had removed the disk and slaved it to his Mac, the volume was proving invisible to his operating system (Mavericks).

The fix for this problem is simple. While the OS will not be able to see the disk, it usually has to be manually mounted using Terminal commands.

We first used the “disktuil list” command in Terminal. This should list all disks attached to your host system.

mac terminal window 1
In this case, the partition which stored the data was “disk1”. You can use the “diskutil mount disk disk1” to mount the disk. But, occasionally, this will not work and you need to try the “diskutil mountDisk” command (mountdisk being one word this time). This worked. We now got the message “mounted successfully”. The volume now appeared under disk management. When you click on the volume, a Filevault dialog box appears and requests for your passphrase and you should be able to gain access to your data again.

mac terminal window 2

As this quick job was for a small charity, run by a hardworking and passionate organiser – we decided the cost of this job would be gratis.