libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

EncryptedRoot.plist.wipekey missing on encrypted external device? #35

Closed daedadu closed 2 years ago

daedadu commented 6 years ago

Hi, I'm trying to get the EncryptedRoot.plist.wipekey file from an external device and it seems it is missing.

This is what I get:

mmls /dev/disk2
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0976510983   0976101344   Clon Travel Drive
006:  002       0976510984   0976773127   0000262144   Booter
007:  -------   0976773128   0976773167   0000000040   Unallocated

fls -r -o 0976510984 /dev/disk2| grep -i EncryptedRoot

Executing fls without grep gives me

r/r 3:  $ExtentsFile
r/r 4:  $CatalogFile
r/r 5:  $BadBlockFile
r/r 6:  $AllocationFile
r/r 8:  $AttributesFile
d/d 19: .HFS+ Private Directory Data^
r/r 16: .journal
r/r 17: .journal_info_block
d/d 18: ^^^^HFS+ Private Data

So it seems there is no EncryptedRoot.plist.wipekey on the device. I also wonder why the description is not Recovery HD but Booter.

Is this something I'm doing wrong or a bug?

Rob--W commented 6 years ago

From https://github.com/libyal/libfvde/wiki/Mounting#mounting-the-system-volume :

> For the system volume you'll first need to obtain the EncryptedRoot.plist.wipekey and pass it to fvdemount. For removable media volumes this is not necessary because the relevant data is stored on the encrypted volume.

I think that your image is not a system disk, but an external one.

> I also wonder why the description is not Recovery HD but Booter

The name is probably not that significant. On Linux, the partition has type "AB00" (i.e. "Apple boot") and name "Booter" (found via gdisk -l /dev/sdX). On macOS, with diskutil I can see that is actually called "Boot OS X" (of the type "Apple_Boot"). When mounted via diskutil, I only see a directory structure that leads to an empty directory (/Volumes/Boot OS X/Backups.backupdb/.RecoverySets/), so don't bother with looking for more.
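As an added example (not from this thread or from libfvde): a small GPT reader that classifies partitions by type GUID instead of by name, which is why "Booter" and "Recovery HD" can label the same kind of Apple_Boot partition. The sample image is constructed from the sector ranges in the mmls listing above; the Core Storage type given to the data partition is an assumption, since the page does not state it.

```python
import struct
import uuid

SECTOR = 512  # sector size reported by mmls above
# Well-known GPT partition type GUIDs (gdisk codes EF00, AF00, AF05, AB00).
GPT_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "48465300-0000-11aa-aa11-00306543ecac": "Apple_HFS",
    "53746f72-6167-11aa-aa11-00306543ecac": "Apple_CoreStorage",
    "426f6f74-0000-11aa-aa11-00306543ecac": "Apple_Boot",
}

def parse_gpt(image: bytes):
    """Return (type, name, first_lba, last_lba) for every used GPT entry."""
    if image[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # Header offsets 72/80/84: entry array LBA, entry count, entry size.
    table_lba, count, size = struct.unpack_from("<QII", image, SECTOR + 72)
    parts = []
    for i in range(count):
        off = table_lba * SECTOR + i * size
        entry = image[off:off + size]
        if len(entry) < 128 or not any(entry[:16]):
            continue  # truncated or unused slot
        guid = uuid.UUID(bytes_le=entry[:16])  # GUIDs are stored mixed-endian
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").split("\x00")[0]
        parts.append((GPT_TYPES.get(str(guid), str(guid)), name, first, last))
    return parts

def build_sample_image():
    """Constructed GPT: sector ranges from the mmls listing; the data
    partition's type (Core Storage) is assumed, it is not on the page."""
    rows = [("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "EFI System Partition", 40, 409639),
            ("53746f72-6167-11aa-aa11-00306543ecac", "Clon Travel Drive", 409640, 976510983),
            ("426f6f74-0000-11aa-aa11-00306543ecac", "Booter", 976510984, 976773127)]
    img = bytearray(34 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)
    for i, (guid, name, first, last) in enumerate(rows):
        entry = (uuid.UUID(guid).bytes_le + bytes(16) + struct.pack("<QQQ", first, last, 0)
                 + name.encode("utf-16-le").ljust(72, b"\x00"))
        img[2 * SECTOR + i * 128:2 * SECTOR + (i + 1) * 128] = entry
    return bytes(img)

if __name__ == "__main__":
    for ptype, name, first, last in parse_gpt(build_sample_image()):
        print(f"{ptype:18} {name!r:24} sector={first} byte_offset={first * SECTOR}")
```

The sector value is what `fls -o` takes, as in the command above; the byte offset is the form `fvdemount -o` expects.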

joachimmetz commented 2 years ago

Looks like question was answered by documentation, closing issue.