libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

How to access removable CoreStorage FVDE encrypted disk? #60

Closed emonigma closed 1 year ago

emonigma commented 1 year ago

I would like to use fvde to show the password hint of a backup drive I encrypted. I read the paper "Infiltrate the Vault" from the author and, if I understand correctly, the hint is stored in a Recovery HD volume, next to the main Macintosh HD volume. When I run diskutil list with the encrypted drive connected, I see:

$ diskutil list
...
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *240.1 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Time Machine Encryped   239.7 GB   disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3

That Recovery HD is present in the startup disk and is absent from the external encrypted backup.

When Disk Utility encrypts a drive with File Vault 2, does it create a recovery volume with the password hint in a similar way to a startup volume, and so could one use fvde to extract it?

joachimmetz commented 1 year ago

libfvde supports CoreStorage, not APFS. FileVault is an overloaded term in macOS. Also see: https://github.com/libyal/libfvde/blob/main/README

emonigma commented 1 year ago

Thank you, Joachim, for the quick reply. I wonder if there's a confusion: the APFS volume in the list is not the one I want to access. I want to access the Apple_CoreStorage partition, named Time Machine Encrypted in that list. It was formatted with Disk Utility on macOS Yosemite in the Mac OS Extended (Journaled, Encrypted) format. Could you confirm whether this encryption is compatible with libfvde?

joachimmetz commented 1 year ago

Thanks for the clarification, yeah, that confused me. Also, people have mixed up the two more than once in the past.

Yeah, check if "Boot OS X" contains EncryptedRoot.plist.wipekey (also see: https://github.com/libyal/libfvde/wiki/Mounting).

Otherwise, it is possible that the equivalent plist is stored as part of the metadata. The format is not 100% supported, but verbose and debug output should provide insight into where format support might be lacking (https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output).
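As an added illustration of the check suggested above (this is not code from the libfvde project or from anyone in this thread): a small POSIX shell helper that searches a mounted "Boot OS X" / Recovery HD partition for EncryptedRoot.plist.wipekey, rejects an empty file, and prints the matching fvdeinfo invocation rather than running it. It assumes the partition is already mounted read-only at the given mount point, that the file sits in the usual com.apple.boot.*/System/Library/Caches/com.apple.corestorage/ location, and that fvdeinfo's -e (wipekey plist) and -v (verbose) options are the ones described in the libfvde wiki; the demo directory tree and the /dev/disk2s2 device name are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of libfvde or this issue thread.
# Locate EncryptedRoot.plist.wipekey on a mounted "Boot OS X" partition and
# build the fvdeinfo command that would use it.
#
# Assumptions: the partition is mounted read-only at the path passed in, and
# the wipekey lives under com.apple.boot.*/System/Library/Caches/com.apple.corestorage/.

# find_wipekey MOUNTPOINT
#   Prints the first EncryptedRoot.plist.wipekey found below MOUNTPOINT.
#   Returns 1 if the mount point is missing, no file is found, or the file is empty.
find_wipekey() {
    mnt=$1
    [ -d "$mnt" ] || return 1
    key=$(find "$mnt" -type f -name 'EncryptedRoot.plist.wipekey' 2>/dev/null | head -n 1)
    [ -n "$key" ] || return 1
    # An empty wipekey is useless to fvdeinfo; treat it as "not found".
    [ -s "$key" ] || return 1
    printf '%s\n' "$key"
}

# fvdeinfo_cmd WIPEKEY DEVICE
#   Prints the fvdeinfo invocation (verbose, with the wipekey plist) for DEVICE.
#   It only prints the command so the example runs without fvdeinfo installed.
fvdeinfo_cmd() {
    printf 'fvdeinfo -v -e %s %s\n' "$1" "$2"
}

# demo: constructed directory tree standing in for a mounted "Boot OS X" partition.
demo() {
    tmp=$(mktemp -d)
    cache="$tmp/com.apple.boot.P/System/Library/Caches/com.apple.corestorage"
    mkdir -p "$cache"
    # Constructed placeholder content; a real wipekey is an encrypted plist.
    printf 'constructed placeholder, not a real wipekey\n' > "$cache/EncryptedRoot.plist.wipekey"
    if key=$(find_wipekey "$tmp"); then
        fvdeinfo_cmd "$key" /dev/disk2s2
    else
        echo "no usable EncryptedRoot.plist.wipekey found under $tmp" >&2
    fi
    rm -rf "$tmp"
}

demo
```

If the file is absent from the Boot OS X partition, that matches the second case in the comment above (the plist may instead be inside the CoreStorage metadata), and running fvdeinfo with verbose output against the Apple_CoreStorage partition is the next step.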

joachimmetz commented 1 year ago

Assuming the question was answered, closing the issue.