FileVault2: how to use the recovery key when asked for a “Disk Password”


I've got a MacBook Pro protected with FileVault 2 (10.9), and can't remember the password to unlock the disk.

When I boot, it asks for the "Disk Password".

What I have is the recovery key that I printed on paper when I activated FileVault.

How do I use it?

Entering a wrong password multiple times doesn't prompt for the recovery key, and sometimes a '?' appears but it doesn't do anything.

(I've read http://support.apple.com/kb/ht4790, but it doesn't explain how to use the recovery key.)

[picture of boot screen]

Best Answer

Use the recovery key to reset the login password

  • Retrieve the recovery key you copied down when you turned on FileVault disk encryption.

  • If you cannot find your recovery key, but stored it with Apple, contact Apple Support.

  • Restart the computer. On the login screen, click on the account to unlock and reset the login password.

  • In the password field, click on the Question Mark (?)

  • If you created a password hint, it is displayed.

  • If you remember your password then enter it now.

If you still need to reset your password, click the bottom line “reset it using your Recovery Key,” and then enter your recovery key.

Alternative method:

Recovery

If a user forgets their password, and a recovery key was installed before FileVault 2 was turned on, you can use the following steps to unlock an encrypted disk. Note: This procedure only works when the computer is started from OS X Recovery.

  • Restart the client while holding the Command and R keys.

  • Connect an external drive containing the FileVaultMaster.keychain file with the private key.

  • From the Utilities menu, select Terminal.

  • If the keychain containing the private key is stored in an encrypted disk image, use the following command to mount it:

    hdiutil attach /path/to/diskImage

  • Use the following command to unlock the FileVaultMaster.keychain file; be sure to insert the correct path to your keychain file:

    security unlock-keychain <path to Keychain File>

    For example, on a volume named ThumbDrive:

    security unlock-keychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  • Enter the master password to unlock the keychain. If the password is accepted the command prompt will return.

  • Use the following command to list the drives and corestorage volumes:

    diskutil cs list

  • Look for the UUID of Logical Volume, usually the last in the list. Select and copy the UUID for the next command step.

  • Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the previous step, and the correct path to the keychain file:

    diskutil cs unlockVolume <UUID> -recoveryKeychain <path to Keychain File>

    For example, you'd use this command if there was a UUID of 2F227AED-1398-42F8-804D-882199ABA66B on a volume named ThumbDrive:

    diskutil cs unlockVolume 2F227AED-1398-42F8-804D-882199ABA66B -recoveryKeychain /Volumes/ThumbDrive/FileVaultMaster.keychain

  • Enter the master password to unlock the keychain. The volume will be mounted. You can now back up data using Disk Utility, or by using command line tools such as ditto.
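The step "look for the UUID of Logical Volume" in the alternative method is the one that is easiest to get wrong by hand, because `diskutil cs list` also prints Logical Volume Group and Logical Volume Family UUIDs. The script below is an added example (not part of the answer above and not Apple's own tooling): it pulls only the Logical Volume UUID(s) out of the listing, reports their lock status, validates the UUID before it is placed on a command line, and prints the `diskutil cs unlockVolume` command rather than running it. The listing it parses is a constructed, abridged sample of `diskutil cs list` output; the only UUID taken from the page is the example one in the answer, and the keychain path is the answer's ThumbDrive example.

```shell
#!/bin/sh
# Constructed, abridged sample of `diskutil cs list` output. The Group,
# Physical Volume and Family UUIDs are made up; the Logical Volume UUID is
# the example value used in the answer above.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 6D4C9A2B-0000-4000-8000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 7A1B2C3D-0000-4000-8000-000000000002
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 8E9F0A1B-0000-4000-8000-000000000003
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        |
        +-> Logical Volume 2F227AED-1398-42F8-804D-882199ABA66B
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Locked
            LV Name:               Macintosh HD'

# Print the UUID of each "Logical Volume" entry. The Group and Family lines
# have extra words after "Logical Volume", so the anchored pattern skips them.
lv_uuids() {
  printf '%s\n' "$1" | awk '/-> Logical Volume [0-9A-F-]+$/ { print $NF }'
}

# Print the Status: value of the Logical Volume with the given UUID
# ($1 = listing text, $2 = UUID). Empty if the UUID is not present.
lv_status() {
  printf '%s\n' "$1" | awk -v uuid="$2" '
    $0 ~ ("Logical Volume " uuid "$") { in_lv = 1; next }
    in_lv && /Status:/ { print $2; exit }'
}

# Reject anything that is not a well-formed upper-case UUID, so a stray
# line from the listing can never end up as an argument to diskutil.
uuid_ok() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
}

# Build (but do not run) the unlock command for $1 = UUID, $2 = keychain path.
unlock_cmd() {
  uuid_ok "$1" || return 1
  printf 'diskutil cs unlockVolume %s -recoveryKeychain %s\n' "$1" "$2"
}

# Walk the sample listing and show what would be run for each locked volume.
# Replace SAMPLE_CS_LIST with "$(diskutil cs list)" when in OS X Recovery.
for u in $(lv_uuids "$SAMPLE_CS_LIST"); do
  echo "Logical Volume $u is $(lv_status "$SAMPLE_CS_LIST" "$u")"
  unlock_cmd "$u" /Volumes/ThumbDrive/FileVaultMaster.keychain
done
```

Run it as-is to see the parsing against the sample; in OS X Recovery, feed it the live listing and copy the printed command into Terminal once you have confirmed the UUID and keychain path are the ones you expect.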