man page for diskutil does not include information on how to use a recovery keychain with

Originator: rtrouton
Number: rdar://16738494
Date Originated: 4-27-2014
Status: Open
Resolved:
Product: Mac OS X
Product Version: 10.9.2, Build 13C1021
Classification: Security
Reproducible: N/A
 
Rich Trouton 27-Apr-2014 07:05 PM

Summary:
While researching how to decrypt Fusion drives from the command line, I noticed that the man page for diskutil does not document that you can use a recovery keychain with the "diskutil cs decryptVolume" command. The command in question would look like this:

diskutil cs decryptVolume UUID_goes_here -recoveryKeychain /path/to/keychain_name_goes_here.keychain

Steps to Reproduce:
1. Copy the keychain that contains both the public and private key of the institutional recovery key to a drive that you can access from Recovery HD.

2. Boot to Recovery HD.

3. Get the Logical Volume UUID of the encrypted drive by running the following command:

diskutil cs list

4. With the UUID information acquired, run the following command to unlock the FileVaultMaster.keychain:

security unlock-keychain /path/to/FileVaultMaster.keychain

5. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac:

diskutil cs unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain

6. Once the disk has been unlocked, decrypt the encrypted Core Storage volume by running the following command:

diskutil cs decryptVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
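The six steps above as one reviewable shell script. This is an added example, not code from the report or from Apple: the `diskutil cs list` excerpt is constructed, the keychain path /Volumes/USB/FileVaultMaster.keychain is assumed, and the commands are printed rather than executed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Constructed excerpt of `diskutil cs list` output (not captured from a real Mac).
# On a real system replace it with: CS_LIST=$(diskutil cs list)
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 1F2E3D4C-0000-4000-8000-000000000001
    =========================================================
    Name:         Macintosh HD
    |
    +-< Physical Volume 2A3B4C5D-0000-4000-8000-000000000002
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 3B4C5D6E-0000-4000-8000-000000000003
        Encryption Status:       Locked
        |
        +-> Logical Volume 4C5D6E7F-0000-4000-8000-000000000004
            Disk:                  disk2
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD'

# Step 3: print the UUID of each Logical Volume. The pattern skips the
# "Logical Volume Group" and "Logical Volume Family" lines, whose UUIDs
# are not what unlockVolume/decryptVolume expect.
lv_uuids() {
    printf '%s\n' "$1" |
        sed -n 's/^.*+-> Logical Volume \([0-9A-F-]\{36\}\)$/\1/p'
}

# Print a command instead of running it unless DRY_RUN=0, so the exact
# invocations can be reviewed before they are run from Recovery HD.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 4-6: unlock the institutional recovery keychain (security prompts
# for its password), unlock the volume with it, then start decryption.
decrypt_with_recovery_keychain() {
    uuid=$1
    keychain=$2
    run security unlock-keychain "$keychain"
    run diskutil cs unlockVolume "$uuid" -recoveryKeychain "$keychain"
    run diskutil cs decryptVolume "$uuid" -recoveryKeychain "$keychain"
}

# Assumed keychain location on the drive copied in step 1.
for lv in $(lv_uuids "$SAMPLE_CS_LIST"); do
    decrypt_with_recovery_keychain "$lv" /Volumes/USB/FileVaultMaster.keychain
done
```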

Expected Results:
Based on the information on the man page, that command should fail or produce an error.

"diskutil cs decryptVolume UUID_goes_here -recoveryKeychain /path/to/keychain_name_goes_here.keychain" is not included as an option according to the man page. The man page states "Specifying -passphrase or -stdinpassphrase or interactively entering a passphrase is mandatory".

Actual Results:
The "diskutil cs decryptVolume UUID_goes_here -recoveryKeychain /path/to/keychain_name_goes_here.keychain" command is accepted, and the encrypted Core Storage volume begins decryption (see attached screenshot: Screen Shot 2014-04-27 at 6.50.06 PM.png).

This is actually the desired behavior from my end. There's nothing wrong with the diskutil tool in this regard, but the man page should be updated with information about the correct way to use the "-recoveryKeychain" option with "diskutil cs decryptVolume".

Version:
DISKUTIL(8) - https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/diskutil.8.html

Notes:
Discovered this as part of documenting how to decrypt FileVault 2-encrypted Fusion drives. Blog post available here: http://derflounder.wordpress.com/2014/04/27/unlocking-or-decrypting-a-filevault-2-encrypted-fusion-drive-from-the-command-line/
