FileVault – Fix Corrupt Boot Volume After Partition Deletion

bootable-diskdisk-utilityencryptionfilevault

A client has a MacBook Pro Retina with a FileVault2 encrypted boot drive, and the Mac used to dual boot with Linux. Disk Utility apparently showed 4 partitions [Mac HD, Linux, and other 2 small partitions, likely used by Linux as it too was full disk encrypted.

He managed somehow to delete one of the small partitions, and now all disk utility shows are disk0s1, disk0s2, and so on, without even the containing physical drive above in the list.

The os was 12.12.4 [likely, definitely 12.12.x].

This is an image from Recovery > Disk Utility:

      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6         
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  813902408      2  GPT part - FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
  814312048    1269536      3  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  815581584       1648
  815583232   80498047      4  GPT part - 0FC63DAF-8483-4772-8E79-3D69D8477DE4
  896081279        641         
  896081920    2244608      5  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  898326528     262144         
  898588672   78516224      6  GPT part - 0FC63DAF-8483-4772-8E79-3D69D8477DE4
  977104896        131         
  977105027         32         Sec GPT table
  977105059          1         Sec GPT header

Of course he doesn't have a backup. He has the recovery key for FileVault2. Any ideas?

Best Answer

The partition map seems valid and no important small partition has been deleted (maybe one less important EFI or Apple_Boot partition between partition 5 and 6 - the other gaps of unallocated disk space are too small to contain a useful partition e.g. 1648 blocks = ~844 kB).

Partition 2 and 3 of disk0 got the wrong partition type though - the encrypted partition/data shouldn't be lost. Partition 3 has the typical size of a pre-APFS recovery partition (1269536 blocks) and partition 2 probably is the FV2 partition. The proper type of a recovery partition is 426F6F74-0000-11AA-AA11-00306543ECAC and the proper type of a CoreStorage partition (the base of FV2) is 53746F72-6167-11AA-AA11-00306543ECAC (instead of FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF).

Boot to Internet Recovery Mode or another external boot drive and modify the partition types with gpt.

Boot to Internet Recovery Mode
Get the details:
```
diskutil list
```
Below I assume the internal 500 GB SSD has the device identifier disk0
```
gpt -r show disk0
```

Remove partition 2 and 3:

diskutil umountDisk disk0
gpt remove -i 3 disk0
diskutil umountDisk disk0
gpt remove -i 2 disk0

Re-add partition 2 and 3 with proper types:

diskutil umountDisk disk0
gpt add -i 3 -b 814312048 -s 1269536 -t 426F6F74-0000-11AA-AA11-00306543ECAC disk0
diskutil umountDisk disk0
gpt add -i 2 -b 409640 -s 813902408 -t 53746F72-6167-11AA-AA11-00306543ECAC disk0

After adding partition 2 with gpt you will probably be asked to enter a passphrase

If not unlock the FV2 volume with:

diskutil cs list
diskutil cs unlockVolume lvUUID #lvUUID: the UUID of the Logical Volume

Verify disk and volume

diskutil verifyDisk disk0
diskutil list #get the device identifier of the mounted FV volume (probably in the upper tens: disk17 or disk18)
diskutil verifyVolume diskX #with diskX: the device identifier of the mounted FV volume

Best Answer

Related Solutions

MacOS – Unable to unlock disk after enabling FileVault2

MacOS – Presence of a Linux partition causes FileVault2 setup to fail

Related Question