Unable to decrypt using diskutil while booted from Recovery HD

Originator: rtrouton
Number: rdar://14099380    Date Originated: 6-8-2013
Status: Closed    Resolved: 6-14-2014
Product: OS X    Product Version: OS X 10.8.4 Build 12E55
Classification: Security    Reproducible: Always
 
Summary:

It appears that diskutil on Mac OS X 10.8.4's Recovery HD partition no longer can decrypt FileVault 2-encrypted Macs. 

If you boot from a 10.8.4 Recovery HD partition, you can unlock a FileVault 2-encrypted boot drive but you can't decrypt it using diskutil in Terminal.

Steps to Reproduce:

1. Boot Mac and hold down ⌘-R (Command-R) to boot from the Mac's Recovery HD partition.

2. Open Terminal.

3. Use "diskutil list" to get the FileVault 2-encrypted volume's UUID.

4. Run any of the following commands:

diskutil cs revert UUID_here -stdinpassphrase

diskutil cs revert UUID_here -passphrase

diskutil corestorage revert UUID_here -recoveryKeychain /path/to/FileVaultMaster.keychain


Expected Results:

Mac should begin decrypting.

Actual Results:

Attempting to decrypt with diskutil using any of the commands above now results in a "The given UUID is not a CoreStorage Logical Volume UUID" error.

Regression:

Went back to 10.8.3's Recovery HD and saw the same behavior.

Notes:

All testing done in VMware running OS X VMs.

The fact that decrypting using the institutional keychain does not work is particularly worrying. To the best of my knowledge, the *only* way you can decrypt using the institutional keychain is from Recovery HD or Internet Recovery.
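Added example (not part of the original report): `diskutil cs revert` takes the Logical Volume UUID, not the Logical Volume Group or Logical Volume Family UUID that also appear in `diskutil cs list`, and the resolution linked in the comments describes unlocking before decrypting. The functions below pick the Logical Volume UUID out of a constructed listing modelled on `diskutil cs list` output (placeholder UUIDs, not values from this report) and print the unlock-then-revert command sequence rather than running it.

```sh
#!/bin/sh
# Constructed sample, modelled on the layout of `diskutil cs list` output;
# every UUID is a placeholder and nothing here comes from the report above.
CS_LIST_SAMPLE='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-1111-1111-1111-111111111111
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 22222222-2222-2222-2222-222222222222
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 33333333-3333-3333-3333-333333333333
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 44444444-4444-4444-4444-444444444444
            Disk:                  disk1
            Status:                Locked
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD'

# Print only Logical Volume UUIDs. The Group and Family lines also begin with
# "Logical Volume", so require the UUID to follow the phrase directly.
cs_lv_uuids() {
    printf '%s\n' "$1" |
        awk '/Logical Volume [0-9A-Fa-f-]+$/ && !/Group|Family/ { print $NF }'
}

# Encryption Status (Locked/Unlocked) of the family that owns the given LV:
# remember the last "Encryption Status:" seen, emit it when the LV line matches.
cs_lv_encryption_status() {
    printf '%s\n' "$1" | awk -v uuid="$2" '
        /Encryption Status:/ { status = $3 }
        /Logical Volume [0-9A-Fa-f-]+$/ && !/Group|Family/ && $NF == uuid { print status }'
}

# Emit the commands to decrypt the LV in the required order: unlock first when
# the family is still locked, then revert. Commands are printed, not executed.
cs_revert_plan() {
    uuid=$2
    case "$(cs_lv_encryption_status "$1" "$uuid")" in
        Locked)   echo "diskutil cs unlockVolume $uuid -stdinpassphrase" ;;
        Unlocked) ;;
        *) echo "error: $uuid is not a Logical Volume UUID in this listing" >&2; return 1 ;;
    esac
    echo "diskutil cs revert $uuid -stdinpassphrase"
}
```

Passing the Group UUID (the first one in the listing) is rejected by the script, which is the same mistake the report's error message describes; only the Logical Volume UUID is accepted.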

Comments

Bug resolved.

This issue has been verified as resolved and can be closed. See https://derflounder.wordpress.com/2013/06/11/decrypting-filevault-2-on-mac-os-x-10-8-4-unlock-first-then-decrypt/

Blog post

Added blog post with findings: http://derflounder.wordpress.com/2013/06/08/mac-os-x-10-8-4s-recovery-hd-removes-ability-to-decrypt-filevault-2-encrypted-mac/

Now reproduced on physical hardware.

I've now reproduced my results on a 2011 MacBook Pro.

