Mounting
To mount a FileVault Drive Encrypted (FVDE) volume you can use fvdemount.
There is support for the following back-ends:
- Dokan library
- fuse
- OSXFuse
To build fvdemount see Building.
There are different types of FileVault encrypted volumes:
- system volume
- removable media volume
These encrypted volumes are dealt with differently within CoreStorage.
For the system volume you'll first need to obtain the EncryptedRoot.plist.wipekey and pass it to fvdemount. For removable media volumes this is not necessary because the relevant data is stored on the encrypted volume.
The first step in mounting a FileVault encrypted volume is getting the EncryptedRoot.plist.wipekey file from the "Recovery HD" partition:
mmls image.raw
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot        Start        End          Length       Description
00:  Meta   0000000000   0000000000   0000000001   Safety Table
01:  -----  0000000000   0000000039   0000000040   Unallocated
02:  Meta   0000000001   0000000001   0000000001   GPT Header
03:  Meta   0000000002   0000000033   0000000032   Partition Table
04:  00     0000000040   0000409639   0000409600   EFI System Partition
05:  01     0000409640   0050480751   0050071112   Macintosh HD
06:  02     0050480752   0051750287   0001269536   Recovery HD
07:  -----  0051750288   0234880983   0183130696   Unallocated
08:  03     0234880984   0236715991   0001835008   Macintosh HD 2
09:  -----  0236715992   0236978175   0000262184   Unallocated
fls -r -o 50480752 image.raw | grep -i EncryptedRoot
+++++ r/r 130: EncryptedRoot.plist.wipekey
icat -o 50480752 image.raw 130 > EncryptedRoot.plist.wipekey
If mmls fails to show your partition (perhaps because of a mixed GPT/DOS partition table), try other tools like parted/gparted to obtain the offsets of your Recovery HD and Macintosh HD partitions, and then use fls/icat with those offsets.
To mount a FVDE volume you can either:
- mount it directly from a device file;
- mount it directly out of a RAW storage media image at a certain offset.
To mount directly from a device file:
fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG /dev/sda2 /mnt/fuse
To mount directly out of a RAW storage media image at a certain offset:
fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG -o 524288 image.raw /mnt/fuse
Note that fvdemount takes an offset in bytes. If you're copying the offset from the mmls output, multiply it by the sector size:
fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG -o $(( 1024 * 512 )) image.raw /mnt/fuse
This will expose a device file that provides the RAW volume data contained in the FVDE volume.
/mnt/fuse/fvde1
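The sector-to-byte conversion described above, as an added example (not part of the original page or of fvdetools): it reads the sector size and start sector from mmls output and prints the sector offset for fls/icat next to the byte offset for fvdemount. The helper names `sample_mmls` and `mmls_offsets` are hypothetical, and the embedded listing is the sample from this page.

```shell
#!/bin/sh
# Added example: convert an mmls start sector into the byte offset fvdemount expects.

# Constructed sample input: the mmls listing from this page.
sample_mmls() {
cat <<'EOF'
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
01: ----- 0000000000 0000000039 0000000040 Unallocated
02: Meta 0000000001 0000000001 0000000001 GPT Header
03: Meta 0000000002 0000000033 0000000032 Partition Table
04: 00 0000000040 0000409639 0000409600 EFI System Partition
05: 01 0000409640 0050480751 0050071112 Macintosh HD
06: 02 0050480752 0051750287 0001269536 Recovery HD
07: ----- 0051750288 0234880983 0183130696 Unallocated
08: 03 0234880984 0236715991 0001835008 Macintosh HD 2
EOF
}

# mmls_offsets DESCRIPTION  (hypothetical helper name)
# Reads mmls output on stdin; prints "<start sector> <byte offset>" for the
# partition whose description matches exactly, or fails if it is absent.
mmls_offsets() {
    awk -v want="$1" '
        # Take the sector size from the listing instead of assuming 512.
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); size = u[1] + 0 }
        $1 ~ /^[0-9]+:$/ {
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            if (desc == want && size > 0) {
                # "+ 0" reads the zero-padded field as decimal. Pasting
                # 0050480752 into $(( ... )) would be parsed as octal.
                start = $3 + 0
                printf "%.0f %.0f\n", start, start * size
                found = 1
                exit
            }
        }
        END { if (!found) exit 1 }
    '
}

# First number: sectors for fls/icat -o. Second: bytes for fvdemount -o.
sample_mmls | mmls_offsets "Recovery HD"
sample_mmls | mmls_offsets "Macintosh HD"
```

Against a real image, pipe `mmls image.raw` into `mmls_offsets` instead of the sample.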
If you get the error:
No sub system to mount FVDE.
That means fuse was not detected when building fvdetools. Check whether you have fuse-dev installed and whether ./configure is able to detect it. The last part of the ./configure output shows this in an overview.
If your operating system supports loop devices, such as Linux, mount can be used to mount the device file as a loop device:
mount -o loop,ro /mnt/fuse/fvde1 /mnt/file_system
On Mac OS hdiutil can be used to mount the device file:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /mnt/fuse/fvde1
There are several ways to obtain the volume offset.
- Linux fdisk
- mmls of the SleuthKit
On Linux you can run fdisk with the list option (-l):
sudo fdisk -l /dev/sda
Or directly on a partitioned RAW storage media image file:
fdisk -l image.raw
By default fuse prevents root access to the mount point when a FVDE volume is mounted. To enable this functionality first check the fuse documentation.
Make sure the fuse configuration file:
/etc/fuse.conf
Contains:
user_allow_other
Pass "allow_root" to the fuse sub system using the fvdemount -X option:
fvdemount -X allow_root -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG image.raw /mnt/fuse
To mount a FVDE volume on Windows:
fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG -o 524288 image.raw x:
At the moment fvdemount keeps a hold on the console.
This will expose a device file that provides the RAW volume data contained in the FVDE volume.
X:\FVDE1
You can unmount /mnt/fuse using umount:
umount /mnt/fuse
Or fusermount:
fusermount -u /mnt/fuse
On Windows, at the moment, unmount by terminating the fvdemount process running in the console.
First of all, make sure to check the output of configure. If you're seeing something like the following output, configure was unable to detect a usable fuse.
Building:
...
FUSE support: no
On Mac OS X:
- make sure that you only have OSXFuse installed and not another variant, like MacFuse, alongside it.
- try adding the C preprocessor flags that set the fuse API version, e.g.
CPPFLAGS=-DFUSE_USE_VERSION=26 ./configure
- if all else fails, file a support issue and attach config.log
On Ubuntu:
fusermount – failed to open /etc/fuse.conf – Permission denied
Make sure you're part of the group fuse:
sudo addgroup <username> fuse
If fusermount keeps complaining it cannot open fuse.conf:
sudo chmod o+r /etc/fuse.conf