Can files be recovered from a disk encrypted with FileVault?

2

I formatted a USB stick that had an HFS+ partition encrypted with Apple's FileVault. This seemed like a good idea at the time, but now I would like some of the data back.

The drive was not overwritten with zeros and nothing has touched it since, so most of the data is theoretically still there. And I have the FileVault password.

I've tried scanning it with R-Studio like a normal drive, but no help. It sees several previous partitions (and is even able to recover files from them) but not the most recent one.

Is there any way to recover my data?

Smokey

Posted 2015-11-10T01:59:08.283

Reputation: 21

Answers

1

I'm somewhat familiar with FileVault, but it could have a master passphrase that could be kept at Apple too (if enabled), so you might have luck with Apple's recovery info. I'm not sure if the recovery info can work with a corrupted image/drive, but it's worth a try.

This detailed, helpful-looking page from 2008, "Recover/repair a corrupt AES-128 encrypted sparse image", has info and some how-to instructions, so read that page! It says FileVault uses a header, similar to TrueCrypt & LUKS, where "[t]he Key, the salt, the iv (initialization vector) and other info are stored into the image header, a 4kb block, which is in turn encrypted using 3DES-EDE. Without this data, you're not going to be able to recover your stuff even if you remember the passphrase." I'm not sure if the newer version 2 of FileVault uses the same type of header, or if your drive was using version 1 or 2.

You might be able to still mount it with your key or the master key or a backup header and possibly read some not-overwritten data.

If you overwrote the header & don't have a backup header then you'll probably never access the (remaining not-overwritten) data again, unless you get lucky with a brute-force key guess. That's one of the claimed advantages of this system type: you can "permanently" erase all the encrypted data by just erasing the header/key, and don't have to overwrite the actual data.

  • This Apple Support discussion about a corrupted FileVault main drive that refuses to accept a login password or the master password / security key is not encouraging; their only solution was to erase / re-partition the drive and start over.
  • This apple.stackexchange.com question is similar: an external FileVault drive, but it was unmounted improperly and was corrupted. There's unfortunately no solution there (just some general "don't write to the drive, make a backup copy and play with it" advice).
  • Another apple.stackexchange.com question has a terminal command you could try (run as root apparently?):

    diskutil cs unlockVolume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    

    So you could try that with your drive's UUID? In their case it replied with this:

    Passphrase:
    Started CoreStorage operation
    Logical Volume successfully unlocked
    Logical Volume successfully attached as disk13
    Error: -69842: Couldn't mount disk
    

    apparently "unlocked" but couldn't mount, though at least it might let you attempt file recovery on "disk13" (or whatever yours says). If "disk13" is the decrypted volume, then you might be able to read partial files from it, point R-Studio at it, make a backup copy to play with (fsck), etc.

Xen2050

Posted 2015-11-10T01:59:08.283

Reputation: 12 097
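The header-based key storage described in the answer above can be seen in a small model. This is an added example, not code from the answer or the linked page, and not FileVault's real on-disk format: the header layout, the function names and the HMAC-based stand-in cipher (used in place of AES/3DES so it runs on the standard library alone) are all assumptions.

```python
import hashlib, hmac, os

HEADER_SIZE = 4096  # the quoted page describes a 4 KB header block

def xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 counter keystream, NOT AES or 3DES.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def header_keys(passphrase, salt):
    # Passphrase + salt from the header -> one key to wrap, one to authenticate.
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]

def create_volume(passphrase, plaintext):
    salt, iv, volume_key = os.urandom(16), os.urandom(16), os.urandom(32)
    wrap_key, mac_key = header_keys(passphrase, salt)
    wrapped = xor_stream(wrap_key, iv, volume_key)
    tag = hmac.new(mac_key, salt + iv + wrapped, hashlib.sha256).digest()
    header = (salt + iv + wrapped + tag).ljust(HEADER_SIZE, b"\0")
    # The data is encrypted with the random volume key, never with the passphrase.
    return header + xor_stream(volume_key, iv, plaintext)

def open_volume(passphrase, image):
    header, body = image[:HEADER_SIZE], image[HEADER_SIZE:]
    salt, iv, wrapped, tag = header[:16], header[16:32], header[32:64], header[64:96]
    wrap_key, mac_key = header_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + iv + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header damaged/missing or wrong passphrase")
    return xor_stream(xor_stream(wrap_key, iv, wrapped), iv, body)

def wipe_header(image):
    # Model of losing the header: zero the first block, leave the ciphertext alone.
    return bytes(HEADER_SIZE) + image[HEADER_SIZE:]

if __name__ == "__main__":
    secret = b"constructed sample data " * 4
    image = create_volume("my passphrase", secret)
    backup = image[:HEADER_SIZE]              # a saved copy of the header
    wiped = wipe_header(image)
    try:
        open_volume("my passphrase", wiped)
    except ValueError as e:
        print("wiped header:", e)             # ciphertext intact, key gone
    print(open_volume("my passphrase", backup + wiped[HEADER_SIZE:]) == secret)
```

In this model the correct passphrase fails against the wiped image even though every ciphertext byte is still present, and succeeds again once the saved header is put back in front of the same ciphertext.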