10.13b2 on an encrypted APFS boot partition?

The release notes say:


Apple File System (APFS)

New Issues

• Encrypted APFS volumes can’t be decrypted. Decryption support will be added in an upcoming beta.


Now I'm running 10.13b1 with an encrypted APFS boot partition and I'm wondering if updating to beta 2 will hose my system. Has anyone updated from beta 1 to 2 running on an encrypted boot partition?

I'm wondering about this too, since I waited for Beta 2 to be released to see if I could perform a clean installation to a drive I'd formatted to APFS (Encrypted) from Disk Utility using the installer copied to a USB flash drive. The partition was successfully converted after Disk Utility prompted me for a password, but when the installation proceeded I was greeted with a black screen upon restarting. So I don't think Beta 2 supports APFS encryption on boot partitions. Can anyone else verify this or have they found a solution? Can I install to an APFS boot partition and then encrypt it later?

You can install macOS 10.13 DP1 into another disk for decrypt your encrypt volume, and wait it decrypted, then you can upgrade to DP2 without any worries.


NOTE: DON'T TRY TO DECRYPT WHEN YOUR ENCRYPT VOLUME IS STARTUP VOLUME, YOU WILL GOT MESSY ON YOUR DISK

This does indeed seem to be a problem. I can no longer boot. As soon as I enter my password, the system crashes. Every time.


How do I unencrypt it? I've installed HighSierra into an external disk. When search, the only thing I found was to use Disk Utility, select the volume, go to the file menu, and select decrypt. But that option is not present,


ideas?

If you boot into recovery mode (hold Cmd-R while booting) you may be able to switch off FileVault from Terminal. See the following link for details: https://derflounder.wordpress.com/2011/11/23/using-the-command-line-to-unlock-or-decrypt-your-filevault-2-encrypted-boot-drive/

From what I gather, if you install on an encrypted drive that's fine but don't try to decrypt that drive yet.

If you install on a decrypted drive that's fine but don't try to encrypt it yet.


Support for encryption and decryption will be added at a later date.


The issue isn't if your drive is encrypted or decrypted, the issue is if you try to change the drive state once 10.13 has been installed on an APFS drive.

As for external drives, I'd stick to keeping all drives in the same state and not trying to operate across one encrypted drive to another decrypted drive or vice-versa, you may be asking for trouble.

Ya, I found the command line. But it won't work, as the drive is not seen as a core storage drive. I mounted it fine, providing the key. But all commands failed with the core storage error. So I reinstall.

This does not seem to be correct.

How so?

Which part don’t you agree with?

OK, overnight auto update (which I don’t remember turning on but hey) has answered this for me: This seems to get you to a point where the last install step does not complete.


I end up with a dialog asking for Wifi credentials and after that it errors out “installing a critical update”. It then offers to try again or shutdown.


Looks like I’ll need to restore from backup.

I managed to avoid a restore from backup by rebooting into recovery mode and reinstalling over the broken install. That seems to have sorted everything out.

I'm having the same issue. For now setting that machine aside to see if the next beta allows decryption. Per Release Notes it seems that you can't decrypt volumes yet. Will come in a future Beta update. I feel like Apple should've disabled the ability to turn on FileVault until decryption was available. That particular computer is completely locked unless I erase and install. I hope my data is still intact.


For what it's worth my system crashed mid encryption. I can unlock the volume using Terminal but when I try to decrypt I get the following message

"Error starting background decryption of APFS volume: The given APFS Volume is already encrypting or decrypting (-69573)"

OK, so I just performed a clean installation of High Sierra Beta 2 from a USB flash drive after having formatted the volume to APFS. Following installation, I then encrypted the same volume (the boot volume) using FireVault, which took several hours. Now, in Disk Utility, the partition is displayed as APFS (Encrypted). Is this correct? Would this be identical to having formatted the volume as APFS (Encrypted) prior to installation (which I can't get to work)?

> … encrypted APFS boot … Has anyone updated from beta 1 to 2 …


Yes.


  1. clean installation of 17A264c to HFS Plus, nonencrypted
  2. converted to APFS
  3. FileVault enabled
  4. a few hours for migration to complete
  5. udpated to 17A291j

FYI - after fooling with this for a couple hours, hung on a grey screen, I came across this new set of commands.

I had an HFS+ volume encrypted with FileVault2. I migrated to 10.13 beta 1 with no issues. The drive converted to APFS (encrypted).

When I attempted to upgrade to beta 2, setup would not complete, but threw no errors.

I was hung at a grey screen with a 90% progress indicator.

I rebooted and attempted a reinstall with the same results.


I then booted back into recovery and started a terminal session.

I was able to run the command: "diskutil apfs list"

to look at my volumes.


Once I determined the Macintosh HD disk structure, I ran "diskutil apfs decryptVolume diskXsX" where X are your disk and volume designations.

It is now decrypting; I will let you all know if it lets me complete the setup.


-Bruce

Hi there!

To decrypt your drive - USE your RECOVERY partition to start decrypting process.

0) BOOT INTO RECOVERY PARTITION (cmd+R when booting) or load into clean system from external drive:

1) open terminal from recovery utilities 

2) FOR APFS DRIVE type:

Code Block
/usr/libexec/apfsd

OR TRY THAT!
Code Block
sudo /usr/libexec/apfsd 


FOR HFS DRIVE:

Code Block
/usr/libexec/corestoraged

OR TRY THAT!
Code Block
sudo /usr/libexec/corestoraged



3) TO RESUME/START decrypt/encrypt SERVICE of your drive:
OPEN NEW terminal's window.

4) TYPE: 
Code Block
diskutil apfs list


see your main drive disk0s0 (for example) and write its UUID

5) TYPE: 
Code Block
diskutil apfs listcryptousers /dev/disk0s0


see your username

6) TYPE: 
Code Block
diskutil apfs decryptVolume /dev/disk0s0 -user uuid_goes_here -passphrase 1234567890


Remember! 
"1234567890" - is your password of user
"uuid_goes_here" - UUID of your drive
"disk0s0" - your drive partition


7) Check your decrypting status:
Code Block
diskutil apfs list


P.S. Decryption will be very long. Even if it's an SSD. Most importantly, check that the decryption percentages are slowly but increasing.

Good luck!
10.13b2 on an encrypted APFS boot partition?
 
 
Q