David S. writes asks about recovering a FileVault-encrypted drive. He says it was encrypted and then reformatted.
Is it possible to recover any data from this drive since it was previously encrypted with FileVault 2 and the keys were unfortunately wiped? Do you have any recommendations or suggestions how to decrypt the drive and recover the data?
I’ll answer this in reverse order.
FileVault 2 (commonly called just FileVault) can be enabled via the Security & Privacy system preference pane, and uses a boot process that keeps the drive locked until you log in with an account allowed to unlock the drive.
Apple was clever in how this is set up. Instead of having you create an encryption key (or a passphrase that’s cryptographically transformed into the actual key), macOS generates the actual key used. This is then wrapped into a protective envelope that can only be unlocked by users on the system that have been authorized to boot up the computer from a powered-off state (cold start).
The Recovery Disk, a special partition that first appeared with OS X Lion, manages this initial boot up. When you log into a FileVault-enabled account, the Recovery Disk OS takes your account password and uses that to unlock the encryption key that protects the startup volume. It’s loaded into memory to decrypt and encrypt data on the fly. (You can also encrypt other attached drives via the Finder or through the Terminal, but that encryption key is derived from the password you set directly for the drive.)
Apple creates a recovery key for your startup disk that you can use as a last resort, such as forgetting all the passwords for all the authorized accounts, or conceivably if the Recovery Disk partition were damaged or removed. You can opt to store the recovery key in iCloud protected with your iCloud account password. If you don’t store it there, and you can’t find the recovery key nor can you log in through the startup process, the data is truly gone forever. Apple employs a very strong encryption algorithm that stands no chance at being broken in the lifetime of our planet at current estimates, even by an owner who has full rights for everything on the drive.
Now, as for recovering a FileVault-encrypted drive that’s been reformatted so that you could, say, use a recovery key, the odds seem to be me about zero. Disk Drill 3, software Macworld awarded 4 1/2 mice to last October, notes that it only has the potential to recover an encrypted drive if you can mount a partition so that it can scan the file system.
I know this last paragraph might sound like “I told you so,” but you should always have complete backups—preferably two different kinds—of all your data, especially data on encrypted drives that are effectively impossible to recover. The backups should be encrypted, as well, but again using different means. I recommend performing routine incremental local backups cloud-based backups using software and services that allow control of encryption with keys or passphrases you specify.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate. Mac 911 can’t reply to—nor publish an answer to—every question, and we don’t provide direct troubleshooting advice.