Closed emonigma closed 1 year ago
libfvde supports CoreStorage not APFS. FileVault is an overloaded term in MacOS. Also see: https://github.com/libyal/libfvde/blob/main/README
Thank you Joachim for the quick reply. I wonder if there's a confusion: the APFS Volume in the list is not the one I want to access. I want to access the Apple_CoreStorage
, with name Time Machine Encrypted
in that list. It was formatted with Disk Utility
on macOS Yosemite
with format Mac OS Extended (Journaled, Encrypted)
format. Could you confirm if this encryption is not compatible with libfvde
?
Thx for the clarification, yeah that confused me. Also since people have mixed up the 2 more than once in the past.
Yeah check if "Boot OS X" contains EncryptedRoot.plist.wipekey (also see: https://github.com/libyal/libfvde/wiki/Mounting)
Otherwise it is possible that the equivalent plist is stored as part of the metadata. The format is not 100% supported but verbose+debug output should provide insight where format support might be lacking (https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output)
assuming question was answered, closing issue
I would like to use
fvde
to show the password hint of a backup drive I encrypted. I read the paper "Infiltrate the Vault" from the author and, if I understand correctly, the hint is stored in aRecovery HD
volume, next to the mainMacintosh HD
volume. When I rundiskutil list
with the encrypted drive connected, I see:That
Recovery HD
is present in the startup disk and is absent from the external encrypted backup.When Disk Utility encrypts a drive with File Vault 2, does it create a recovery volume with the password hint in a similar way to a startup volume, and so could one use
fvde
to extract it?