Verify Your Password/Passphrase for Your APFS Volumes

2023-08-05 06:26:18Z

The scenario: You want to make sure you know the password/passphrase to your (time machine) drive. Except it is automatically mounted and unlocked. So how do you get the password prompt?

The answer: With great difficulty. Actually no, with the command line.

diskutil is a macOS command line program. It's for managing disks.

There's a list command, which can list drives:

> diskutil list
[...]
/dev/disk5 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk5
   1:                        EFI EFI                     209.7 MB   disk5s1
   2:                 Apple_APFS Container disk6         2.0 TB     disk5s2
                    (free space)                         189.1 MB   -

/dev/disk6 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +2.0 TB     disk6
                                 Physical Store disk5s2
   1:                APFS Volume Jackson                 2.0 TB     disk6s1

/dev/disk7 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk7
   1:                        EFI EFI                     209.7 MB   disk7s1
   2:                 Apple_APFS Container disk8         4.0 TB     disk7s2

/dev/disk8 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +4.0 TB     disk8
                                 Physical Store disk7s2
   1:                APFS Volume BACKUP2                 3.4 TB     disk8s2

/dev/disk9 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk9
   1:                        EFI EFI                     209.7 MB   disk9s1
   2:                 Apple_APFS Container disk10        4.0 TB     disk9s2

/dev/disk10 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +4.0 TB     disk10
                                 Physical Store disk9s2
   1:                APFS Volume BACKUP1                 3.3 TB     disk10s2

Oh yeah, and it includes the containers and the volumes.

diskutil also has an APFS subcommand:

> diskutil apfs
Usage:  diskutil [quiet] ap[fs]  
        where  is as follows:

     list                (Show status of all current APFS Containers)
     listUsers           (List cryptographic users/keys of an APFS Volume)
     listSnapshots       (List APFS Snapshots in a mounted APFS Volume)
     listVolumeGroups    (List all current APFS Volume Group relationships)
     convert             (Nondestructively convert from HFS to APFS)
     create              (Create a new APFS Container with one APFS Volume)
     createContainer     (Create a new empty APFS Container)
     deleteContainer     (Delete an APFS Container and free or reformat disks)
     resizeContainer     (Resize an APFS Container and its disk space usage)
     addVolume           (Export a new APFS Volume from an APFS Container)
     deleteVolume        (Remove an APFS Volume from its APFS Container)
     deleteVolumeGroup   (Remove grouped APFS Volumes from its APFS Container)
     eraseVolume         (Erase contents of, but keep, an APFS Volume)
     changeVolumeRole    (Change the Role metadata flags of an APFS Volume)
     unlockVolume        (Unlock an encrypted APFS Volume which is locked)
     lockVolume          (Lock an encrypted APFS Volume (diskutil unmount))
     changePassphrase    (Change the passphrase of a cryptographic user)
     setPassphraseHint   (Set or clear passphrase hint of a cryptographic user)
     encryptVolume       (Enable FileVault security in background or instantly)
     decryptVolume       (Disable FileVault security in background or instantly)
     deleteSnapshot      (Remove an APFS Snapshot from an APFS Volume)
     defragment          (Arm or check status or begin APFS defragmentation)
     updatePreboot       (Update a macOS Volume's related APFS Preboot Volume)
     syncPatchUsers      (Copy Volume Group crypto users System-to-Data role)

diskutil apfs  with no options will provide help on that verb

Notice there's a lockVolume and unlockVolume command. Those can be used to lock and unlock the APFS volumes.

So, first, locking the volume.

We need the disk identifier. List your disks with diskutil list:

> diskutil list
[...]
/dev/disk9 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk9
   1:                        EFI EFI                     209.7 MB   disk9s1
   2:                 Apple_APFS Container disk10        4.0 TB     disk9s2

/dev/disk10 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +4.0 TB     disk10
                                 Physical Store disk9s2
   1:                APFS Volume BACKUP1                 3.3 TB     disk10s2

Find the volume name, then find the line with the "type" being "APFS Volume". In my case, my disk identifier is disk10s2.

Now you can lock the APFS volume (which will also unmount it):

> diskutil apfs lockVolume disk10s2
APFS Volume is now unmounted and locked

Then, unlock it by repeating the last command and replacing the lockVolume with unlockVolume:

> diskutil apfs unlockVolume disk10s2
Passphrase:
Unlocking any cryptographic user on APFS Volume disk10s2
Unlocked and mounted APFS Volume

It'll ask you for your passphrase/password. Get it right, it unlock and mounts. Get it wrong, try again. Get it wrong forever, you data is probably gone for good already.

=> public inbox (comments and discussions) | public inbox archives | (mailing list etiquette for public inbox)

Proxy Information
Original URL
gemini://jacksonchen666.com/posts/2023-08-05/08-26-18/index.gmi
Status Code
Success (20)
Meta
text/gemini;lang=en
Capsule Response Time
131.161069 milliseconds
Gemini-to-HTML Time
0.826798 milliseconds

This content has been proxied by September (ba2dc).