libyal/libfvde

How to access removable CoreStorage FVDE encrypted disk?

Closed this issue · 4 comments

I would like to use fvde to show the password hint of a backup drive I encrypted. I read the paper "Infiltrate the Vault" from the author and, if I understand correctly, the hint is stored in a Recovery HD volume, next to the main Macintosh HD volume. When I run diskutil list with the encrypted drive connected, I see:

$ diskutil list
...
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *240.1 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Time Machine Encryped   239.7 GB   disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3

That Recovery HD is present in the startup disk and is absent from the external encrypted backup.

When Disk Utility encrypts a drive with FileVault 2, does it create a recovery volume with the password hint in a similar way to a startup volume, and so could one use fvde to extract it?

libfvde supports CoreStorage, not APFS. FileVault is an overloaded term in macOS. Also see: https://github.com/libyal/libfvde/blob/main/README

Thank you Joachim for the quick reply. I wonder if there's a confusion: the APFS Volume in the list is not the one I want to access. I want to access the Apple_CoreStorage, with name Time Machine Encrypted in that list. It was formatted with Disk Utility on macOS Yosemite with the Mac OS Extended (Journaled, Encrypted) format. Could you confirm if this encryption is not compatible with libfvde?

Thx for the clarification, yeah that confused me. Also since people have mixed up the 2 more than once in the past.

Yeah check if "Boot OS X" contains EncryptedRoot.plist.wipekey (also see: https://github.com/libyal/libfvde/wiki/Mounting)

Otherwise it is possible that the equivalent plist is stored as part of the metadata. The format is not 100% supported, but verbose+debug output should provide insight into where format support might be lacking (https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output).

assuming question was answered, closing issue