10.7.4 FileVault RecoveryKeychain issues

Posted 5/31/12 at 2:34 PM by cyphon

Following the instructions in "Administering FileVault 2 with Casper Suite", I created a package to assign a recovery key to our imaged workstations. After imaging my test box I activated the encryption manually and was presented with the message stating that the key had been assigned and merrily encrypted the drive.

Before making this production I decided to unlock/decrypt the drive by booting from a USB drive with our imaging image and using the FileVaultMaster.keychain (the one with the private key intact). Unfortunately this is what I receive:

CasperIMG:users root# security unlock-keychain /Key/FileVaultMaster.keychain
password to unlock /Key/FileVaultMaster.keychain:
CasperIMG:users root# diskutil cs list
CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 0896F511-CDA6-4838-B9D1-83C4F71400A5
Name: Macintosh HD
Sequence: 1
Free Space: 0 B (0 B)
+-< Physical Volume 6230B252-3CA1-402E-923C-0B3DF7EA949F
| ----------------------------------------------------
| Index: 0
| Disk: disk0s2
| Status: Online
| Size: 318913785856 B (318.9 GB)
+-> Logical Volume Family CEF36BD0-5CE1-4889-90F3-EDCA3D5BC64A
Sequence: 12
Encryption Status: Locked
Encryption Type: AES-XTS
Encryption Context: Present
Conversion Status: Complete
Has Encrypted Extents: Yes
Conversion Direction: -none-
+-> Logical Volume DB674091-7629-450B-BE63-27C21648978D
Disk: -none-
Status: Locked
Sequence: 4
Size (Total): 318595014656 B (318.6 GB)
Size (Converted): -none-
Revertible: Yes (unlock and decryption required)
LV Name: Macintosh HD
Content Hint: Apple_HFS
CasperIMG:users root# diskutil cs unlockVolume DB674091-7629-450B-BE63-27C21648978D -recoveryKeychain /Key/FileVaultMaster.keychain
Started CoreStorage operation
Error: -69749: Unable to unlock the Core Storage volume
CasperIMG:users root#

I know for a fact the FileVaultMaster.keychain has the private key. Ideas?

Posted 5/31/12 at 2:40 PM by jarednichols
Solved

You need to boot from a Recovery partition to unlock or decrypt with the master recovery keychain. You can either boot from the internal drive's Recovery partition or one on an external disk that has Lion installed (and thus also has a Recovery partition). You can also boot to a USB stick specifically created for Recovery duties with Apple's recovery disk creation tool.

Posted 5/31/12 at 3:21 PM by cyphon

Thanks fellas, booting from the recovery partition worked perfectly. I completely overlooked that part. Thanks again!

Posted 6/1/12 at 7:11 AM by jarednichols

One thing I did was create that recovery disk with Apple's tool. Then I converted the BaseSystem.dmg into a read/write disk image and then placed my recovery keychain on the disk. Converted it back to a compressed image and put it back on the recovery disk. This way, my recovery disk has all the tools needed to unlock or decrypt an encrypted disk. (You still need the password for the keychain, however.)
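The two procedures in this thread (unlocking the locked Logical Volume with the master keychain from Recovery, and stuffing the keychain into a recovery disk's BaseSystem.dmg) as one added shell example; this is not code from any of the posters. It assumes the keychain path /Key/FileVaultMaster.keychain from the first post, the scratch paths under /tmp are hypothetical, and the `diskutil cs list` sample is constructed from the listing above.

```shell
# Added example: find the locked CoreStorage Logical Volume in
# `diskutil cs list` output, unlock it with the master recovery keychain
# (only works when booted from a Recovery partition), and embed the
# keychain in a recovery disk's BaseSystem.dmg as the last post describes.

# Constructed sample, trimmed from the `diskutil cs list` output in the thread.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 0896F511-CDA6-4838-B9D1-83C4F71400A5
    +-< Physical Volume 6230B252-3CA1-402E-923C-0B3DF7EA949F
    |   Status: Online
    +-> Logical Volume Family CEF36BD0-5CE1-4889-90F3-EDCA3D5BC64A
        Encryption Status: Locked
        +-> Logical Volume DB674091-7629-450B-BE63-27C21648978D
            Disk: -none-
            Status: Locked
            LV Name: Macintosh HD'

# Read `diskutil cs list` output on stdin; print the UUID of each Logical
# Volume whose own Status line says Locked (Family/Physical Volume lines ignored).
locked_logical_volumes() {
    awk '
        /Logical Volume [0-9A-F-]+$/          { lv = $NF; next }
        lv != "" && /^[ |]*Status: Locked$/   { print lv; lv = "" }
        lv != "" && /^[ |]*Status: /          { lv = "" }
    '
}

# The two commands from the thread. Run from Recovery; the keychain
# password is prompted for interactively by `security`.
unlock_with_master_keychain() {
    uuid=$1; keychain=${2:-/Key/FileVaultMaster.keychain}
    security unlock-keychain "$keychain" &&
    diskutil cs unlockVolume "$uuid" -recoveryKeychain "$keychain"
}

# Last post's trick: convert BaseSystem.dmg to read/write, copy the keychain
# in, convert back to a compressed image. Scratch paths are hypothetical.
embed_keychain_in_basesystem() {
    base=$1; keychain=$2; rw=/tmp/BaseSystem-rw.dmg; mnt=/tmp/basesystem-mnt
    hdiutil convert "$base" -format UDRW -o "$rw"
    mkdir -p "$mnt" && hdiutil attach "$rw" -mountpoint "$mnt"
    mkdir -p "$mnt/Key" && cp "$keychain" "$mnt/Key/"
    hdiutil detach "$mnt"
    hdiutil convert "$rw" -format UDZO -o /tmp/BaseSystem-new.dmg
    mv /tmp/BaseSystem-new.dmg "$base"
}

# Example with the constructed sample instead of a live diskutil call:
# printf '%s\n' "$SAMPLE_CS_LIST" | locked_logical_volumes
# → DB674091-7629-450B-BE63-27C21648978D
```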