Unlock a FileVault-protected directory using the command line:
Here’s how to recover the disk image from the command line. Log in as root, or with an account that has sudo privileges to act as root (Admin accounts by default on OS X have this ability):
[troup:~] gneagle% sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
password to unlock /Library/Keychains/FileVaultMaster.keychain:
[troup:~] gneagle% sudo hdiutil attach /Users/someuser/someuser.sparseimage -owners on -recover /Library/Keychains/FileVaultMaster.keychain
/dev/disk1 Apple_partition_scheme
/dev/disk1s1 Apple_partition_map
/dev/disk1s2 Apple_HFS /Volumes/someuser
The “key” here is that you must unlock the FileVaultMaster keychain before you can use it to unlock the disk image. Once the disk image is mounted, you can then copy the data elsewhere. Here is a step-by-step session where I unlock the image, copy the contents back to the user’s home, and modify the Directory Services entry so that the account uses the now unencrypted home:
First, let’s move the FileVault-encrypted home off to the side:
[troup:~] gneagle% sudo mv /Users/someuser /Users/.someuser
Now, unlock the FileVaultMaster keychain:
[troup:~] gneagle% sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
password to unlock /Library/Keychains/FileVaultMaster.keychain:
Next, mount the .sparseimage file using the FileVaultMaster keychain instead of the password, and make sure owners/permissions are on:
[troup:~] gneagle% sudo hdiutil attach /Users/.someuser/someuser.sparseimage -owners on -recover /Library/Keychains/FileVaultMaster.keychain
/dev/disk1 Apple_partition_scheme
/dev/disk1s1 Apple_partition_map
/dev/disk1s2 Apple_HFS /Volumes/someuser
Copy the data from the mounted disk to the user’s home directory (this will create a new directory at /Users/someuser):
[troup:~] gneagle% sudo ditto /Volumes/someuser /Users/someuser
Unmount the disk image:
[troup:~] gneagle% sudo hdiutil detach /Volumes/someuser
"disk1" unmounted.
"disk1" ejected.
Modify the account info in Directory Services so that the home no longer points to the .sparseimage:
[troup:~] gneagle% sudo dscl . delete /Users/someuser HomeDirectory
The user should now be able to log in and access their (now) unencrypted home directory. The FileVault .sparseimage file is still in /Users/.someuser; once we verify everything is okay, we should remove it:
[troup:~] gneagle% sudo rm -R /Users/.someuser
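The "once we verify everything is okay" step can be made concrete before the encrypted image is deleted. The script below is an added example, not part of the original session: it compares file checksums, symlink targets and directory names between the mounted volume and the ditto copy. The script name verify_copy.sh and the function names are assumptions; ownership and extended attributes are not compared.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the ditto copy
# matches the mounted FileVault volume before the .sparseimage is deleted.

# manifest DIR OUTFILE: write one sorted line per entry under DIR (OUTFILE absolute).
#   regular files -> "<crc> <size> ./path"   (POSIX cksum output)
#   symlinks      -> "link ./path -> target"
#   directories   -> "dir ./path"            (catches missing empty directories)
manifest() {
    (
        cd "$1" || exit 2
        {
            find . -type f -exec cksum {} + &&
            find . -type l -exec sh -c \
                'for l in "$@"; do printf "link %s -> %s\n" "$l" "$(readlink "$l")"; done' sh {} + &&
            find . -type d | sed 's/^/dir /'
        } > "$2.raw" || exit 2      # an unreadable file is an error, not a silent skip
        LC_ALL=C sort "$2.raw" > "$2"
    )
}

# verify_copy SRC DST: 0 = trees match, 1 = differences (printed), 2 = error.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "usage: verify_copy SRC DST" >&2; return 2; }
    vc_tmp=$(mktemp -d) || return 2
    if manifest "$1" "$vc_tmp/src" && manifest "$2" "$vc_tmp/dst"; then
        if diff "$vc_tmp/src" "$vc_tmp/dst"; then vc_rc=0; else vc_rc=1; fi
    else
        vc_rc=2
    fi
    rm -rf "$vc_tmp"
    return "$vc_rc"
}

# Run while the image is still attached, before the hdiutil detach step, e.g.
# (verify_copy.sh is a hypothetical file name for this script):
#   sudo sh verify_copy.sh /Volumes/someuser /Users/someuser
if [ "$#" -eq 2 ]; then
    verify_copy "$1" "$2"
    exit $?
fi
```

Remove /Users/.someuser only after this exits 0 and the user has logged in successfully.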