libyal/libfvde

Mounted file system has encrypted files?

simoneeferreira opened this issue · 2 comments

Hi, I am recovering an old mac hard drive and managed to mount the drive successfully. But the files themselves are still encrypted. How do i go about decripting them?

These are the steps i did (using Ubuntu 20.04):

  1. Downloaded, installed and built fvde, using the .deb section on the wiki (https://github.com/libyal/libfvde/wiki/Building#using-debian-package-tools-deb).
  2. Found the EncryptedRoot.plist.wipekey file from recovery
  3. $ sudo fvdemount -v -p <password> -e EncryptedRoot.plist.wipekey /dev/<fvde_drive> /mnt/fuse
  4. Downloaded, compiled and installed hfsfuse (https://github.com/0x09/hfsfuse). As it is on the github page.
  5. $ hfsfuse -o ro --force /dev/<fvde_device> /mnt/file_system

Thanks in advance for any help :D

Do you know which macOS Version created the FileVault?

I have a similar situation with an external disk created on Catalina. I think it's not a problem of the encryption. It looks like the format isn't understood correctly. So the mapping which gets created is somewhat of broken. The file command breaks when you do it on the file. Result is the same with the version in DEbian buster and Git state.

My disk is a encrypted Time Machine disk. fvdeinfo shows basic info. In fact the Git version does it better because of CoreStorage related improvements I think. It mounts witht he normal disk password but the HFS+ can't be mounted in read only mode. There is simply nothing usable provided by the fvde1 mapping file.

Best Regards

Insufficient information in the issue to help, please provide format debug output https://github.com/libyal/libfvde/wiki/Troubleshooting#format-or-behavioral-errors.

Closing issue for now, reopen if more information becomes available.