{"id":1703,"date":"2013-08-30T08:55:04","date_gmt":"2013-08-30T08:55:04","guid":{"rendered":"http:\/\/blog.designed79.co.uk\/?p=1703"},"modified":"2013-08-30T08:55:04","modified_gmt":"2013-08-30T08:55:04","slug":"unlock-a-filevault-1-protected-directory-using-command-line","status":"publish","type":"post","link":"https:\/\/blog.designed79.co.uk\/?p=1703","title":{"rendered":"Unlock a Filevault 1 protected directory using command line"},"content":{"rendered":"<p>Unlock a filevault protected directory using command line  : <\/p>\n<p>Here\u2019s how to recover the disk image from the command line. Log in as root, or with an account that has sudo privileges to act as root (Admin accounts by default on OS X have this ability):<\/p>\n<p>[troup:~] gneagle% sudo security unlock-keychain \/Library\/Keychains\/FileVaultMaster.keychain<\/p>\n<p>password to unlock \/Library\/Keychains\/FileVaultMaster.keychain: <\/p>\n<p>[troup:~] gneagle% sudo hdiutil attach \/Users\/someuser\/someuser.sparseimage-owners on -recover \/Library\/Keychains\/FileVaultMaster.keychain <\/p>\n<p>\/dev\/disk1 Apple_partition_scheme <\/p>\n<p>\/dev\/disk1s1 Apple_partition_map <\/p>\n<p>\/dev\/disk1s2 Apple_HFS \/Volumes\/someuser<\/p>\n<p>The \u201ckey\u201d here is that you must unlock the FileVaultMaster keychain before you can use it to unlock the disk image. Once the disk image is mounted, you can then copy the data elsewhere. Here is a step-by-step session where I unlock the image, copy the contents back to the users\u2019 home, and modify theDirectory Services entry so that the account uses the now unencrypted home:<\/p>\n<p>First, lets move the FileVault-encrypted home off to the side:<\/p>\n<p>[troup:~] gneagle% sudo mv \/Users\/someuser \/Users\/.someuser<\/p>\n<p>Now, unlock the FileVaultMaster keychain:<\/p>\n<p>[troup:~] gneagle% sudo security unlock-keychain \/Library\/Keychains\/FileVaultMaster.keychain<\/p>\n<p>password to unlock \/Library\/Keychains\/FileVaultMaster.keychain:<\/p>\n<p>Next, mount the .sparseimage file using the FileVaultMaster keychain instead of the password, and make sure owners\/permissions are on:<\/p>\n<p>[troup:~] gneagle% sudo hdiutil attach \/Users\/.someuser\/someuser.sparseimage -owners on -recover \/Library\/Keychains\/FileVaultMaster.keychain<\/p>\n<p>\/dev\/disk1 Apple_partition_scheme <\/p>\n<p>\/dev\/disk1s1 Apple_partition_map <\/p>\n<p>\/dev\/disk1s2 Apple_HFS \/Volumes\/someuser<\/p>\n<p>Copy the data from the mounted disk to the user\u2019s home directory (this will create a new directory at \/Users\/someuser):<\/p>\n<p>[troup:~] gneagle% sudo ditto \/Volumes\/someuser \/Users\/someuser<\/p>\n<p>Unmount the disk image:<\/p>\n<p>[troup:~] gneagle% sudo hdiutil detach \/Volumes\/someuser<\/p>\n<p>\u201cdisk1\u2033 unmounted.<\/p>\n<p>\u201cdisk1\u2033 ejected.<\/p>\n<p>Modify the account info in Directory Services so that the home no longer points to the.sparseimage:<\/p>\n<p>[troup:~] gneagle% sudo dscl . delete \/Users\/someuser HomeDirectory<\/p>\n<p>The user should now be able to log in and access their (now) unencrypted home directory. The FileVault .sparseimage file is still in \/Users\/.someuser; once we verify everything is okay, we should remove it:<\/p>\n<p>[troup:~] gneagle% sudo rm -R \/Users\/.someuser<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unlock a filevault protected directory using command line : Here\u2019s how to recover the disk image from the command line. Log in [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1703","post","type-post","status-publish","format-standard","hentry","category-info-on-tech"],"_links":{"self":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1703"}],"version-history":[{"count":0,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1703\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}