Open neptunix opened 5 years ago
Are you sure that Filevault2 is activated?
There's no FileVault2. It's a standalone encrypted apfs partition on an external drive.
Disregard my latest remark. I didn't correctly read your first post.
I assume that you gave the output from a Linux host? Can you describe what command you used in order to attach your device? (I am trying to reproduce.)
@Banaanhangwagen yep, it's a linux host.
to attach your device
Can you please elaborate? I don't get it. As long as it's an external drive, I just connected it to the linux host (it appears as /dev/sdc2)
ow, I thought you were working with an image and looped it
Either way, I cannot reproduce your problem. Do you have knowledge of the pwd ?
@Banaanhangwagen yep, I do know the password. But I can't apply it (at least on a mac). I may create an image from the partition (that's 256Gb - but should probably gzip well) and send it to you but only if you have time to play with it :)
@Banaanhangwagen I converted the partition to a dmg volume. Here's what I have:
root@d1d1c51b9d61:/recover# /app/build/apfsutil recover.dmg
Found partitions:
C12A7328-F81F-11D2-4BBA-00A0C93EC93B 3843C38E-2853-4727-8596-CB29D09BAEE7 0000000000000028 0000000000064027 0000000000000000 EFI System Partition
7C3457EF-0000-11AA-11AA-00306543ECAC 8C00C106-12CD-4CF8-D1BA-A73B05D2DA1C 0000000000064028 000000001DCF328E 0000000000000000
First APFS partition is 1
Volume 0 7C7E5DC8-9491-4D96-A16A-4B273C063848
---------------------------------------------
Role: Recovery
Name: Plextor (Case-sensitive)
Capacity Consumed: 103752237056 Bytes
FileVault: Yes
# /app/build/apfs-dump-quick recover.dmg log.txt
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
starting LoadKeybag
all blocks verified
starting LoadKeybag
Volume Plextor is encrypted.
starting LoadKeybag
starting LoadKeybag
Wrong password!
Are you able to attach you dmg to a macOS? hdiutil attach –nomount /path/to/recover.dmg
What does diskutil ap list
say then ?
Are you able to unlock the attached dmg? diskutil ap unlockVolume <Disk GUID>
Finally, are you able to extract an APFS-hash with https://github.com/Banaanhangwagen/apfs2hashcat?
yep, I can
+-- Container disk8 0868BB17-EC01-44BA-B7B5-D2A87AF4061E
====================================================
APFS Container Reference: disk8
Size (Capacity Ceiling): 255850758144 B (255.9 GB)
Capacity In Use By Volumes: 103890497536 B (103.9 GB) (40.6% used)
Capacity Not Allocated: 151960260608 B (152.0 GB) (59.4% free)
|
+-< Physical Store disk6s2 8C00C106-12CD-4CF8-BAD1-A73B05D2DA1C
| -----------------------------------------------------------
| APFS Physical Store Disk: disk6s2
| Size: 255850761728 B (255.9 GB)
|
+-> Volume disk8s1 7C7E5DC8-9491-4D96-A16A-4B273C063848
---------------------------------------------------
APFS Volume Disk (Role): disk8s1 (Recovery)
Name: Plextor (Case-sensitive)
Mount Point: Not Mounted
Capacity Consumed: 103752237056 B (103.8 GB)
FileVault: Yes (Locked)
nepbook:LaCie neptune$ diskutil ap unlockVolume 7C7E5DC8-9491-4D96-A16A-4B273C063848
Passphrase:
Unlocking any cryptographic user on APFS Volume disk8s1
Passphrase incorrect or user does not exist
nepbook:LaCie neptune$ diskutil apfs listCryptoUsers 7C7E5DC8-9491-4D96-A16A-4B273C063848
No cryptographic users for disk8s1
apfs2hashcat gives this:
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
starting LoadKeybag
all blocks verified
starting LoadKeybag
Volume Plextor is encrypted.
starting LoadKeybag
starting LoadKeybag
Wrong password!
Looks like the hashes table got broken somehow in the partition, or something like that.
There is also a debug flag that will dump keys (both encrypted and decrypted) when mounting a volume. I don't know what the problem is in your case, though. The volume keybag would be at the position referenced by key 0 in the container keybag.
Hi. Were you able to recover data from that drive? It seems that I have the exact same problem with my external ssd formatted to APFS (encrypted). Unable to mount it, and there seems to be no 'Disk User', so I cannot decrypt the drive. Were you able to find a solution to it? Thanks !
Hi @mihirgaikwad94.
No, I was unable to recover it. I ended up storing it as a dmg image with a hope that I will be able to recover it one day
There is also a debug flag that will dump keys (both encrypted and decrypted) when mounting a volume.
@sgan81 thanks, sorry, I have not seen your comment. So it's -d 16
as I read the docs.
I will need to find my image and try that as well. Thanks
@neptunix Thank you for the reply. Just to clarify, I should use disk utility and created a dmg of the container right?
@mihirgaikwad94 I don't think you really need to do that (it's not a solution). I just converted that to a dmg in order not to keep the data on the external drive and have a copy of the disk stored in the cloud.
@neptunix I understand. So, I want to keep a copy of the SSD on my computer and send the corrupt SSD to a professional data recovery company. The data on that SSD is quite important to me. Meanwhile, I want to make a clone of the SSD using the dmg to try some data recovery on my own if that works. Do you think it'd be possible for some professional data recovery companies to fix this issue?
I've got a faulty drive that has no cryptousers available (according to macOS). Probably it happened due to a disk power failure (maybe some data got lost and mac os can not find cryptousers).
Are there any ways to check if cryptousers data (containing disk encryption keys) is recoverable?
Linux behavior is similar to macOS: :(