APFU! APFS Disk Password - macOS 10.13 High Sierra Locked Me out of my Machine!
My High Sierra upgrade experience worked great on my 2016 15" MacBook Pro work machine, but my personal machine had a distressing journey. It seems that my 2012 non-retina 15" MacBook Pro went to sleep during the upgrade process, which led to an issue that completely locked me out of my disk. Upon booting the computer, I was prompted for a "Disk Password." None of my login passwords worked! I tried the usual troubleshooting issues, to no avail.
Luckily I found this great post from croaker in the Apple Developer forums from July 6, 2017 that worked! Evidently this was an issue in the developer previews that was not fixed in the official High Sierra release.
Here's what you need to do:
- Boot into the OS installer/recovery drive.
- Open a terminal window. Run diskutil apfs list and find your boot volume:
$ diskutil apfs list
APFS Container (1 found)
|
+-- Container disk2 87F8E3F6-28B8-4A98-847A-28C4370E1133
====================================================
APFS Container Reference: disk2 (Fusion)
Capacity Ceiling (Size): 754964643840 B (755.0 GB)
Capacity In Use By Volumes: 480886849536 B (480.9 GB) (63.7% used)
Capacity Available: 274077794304 B (274.1 GB) (36.3% free)
|
+-< Physical Store disk0s2 A070CF3A-AFA8-4AFF-81E3-E77D75FD4685
| -----------------------------------------------------------
| APFS Physical Store Disk: disk0s2
| Size: 255716540416 B (255.7 GB)
|
+-< Physical Store disk1s2 46B2EB23-79BA-43A0-A99F-D50AAC6C66BF
| -----------------------------------------------------------
| APFS Physical Store Disk: disk1s2
| Size: 499248103424 B (499.2 GB)
|
+-> Volume disk2s1 6AAC9D56-EC44-38B3-9C50-1D6DA3020377
| ---------------------------------------------------
| APFS Volume Disk (Role): disk2s1 (No specific role)
| Name: Macintosh HD
| Mount Point: /
| Capacity Consumed: 461711589376 B (461.7 GB)
| Capacity Reserve: None
| Capacity Quota: None
| Encrypted: Yes (Unlocked)
|
+-> Volume disk2s2 FA366E2A-B9CD-4822-AC93-3133635BAFD60
| ---------------------------------------------------
| APFS Volume Disk (Role): disk2s2 (Preboot)
| Name: Preboot
| Mount Point: Not Mounted
| Capacity Consumed: 18444288 B (18.4 MB)
| Capacity Reserve: None
| Capacity Quota: None
| Encrypted: No
|
+-> Volume disk2s3 0E4E73B-B55D-4DEC-94A1-0A3DD20E73EC
| ---------------------------------------------------
| APFS Volume Disk (Role): disk2s3 (Recovery)
| Name: Recovery
| Mount Point: Not Mounted
| Capacity Consumed: 518926336 B (518.9 MB)
| Capacity Reserve: None
| Capacity Quota: None
| Encrypted: No
|
+-> Volume disk2s4 38451C7D-33AA-42AE-A951-09CB95D25D2C
---------------------------------------------------
APFS Volume Disk (Role): disk2s4 (VM)
Name: VM
Mount Point: /private/var/vm
Capacity Consumed: 9842118656 B (9.8 GB)
Capacity Reserve: None
Capacity Quota: None
Encrypted: No
In this case, the boot volume is disk2s1.
- Now run diskutil apfs unlockvolume disk2s1, replacing disk2s1 with your own boot volume. Authenticate with your usual password.
- Finally, run diskutil apfs updatePreboot on your now unlocked boot volume. Here's what you'll see:
$ diskutil apfs updatePreboot disk2s1
Started APFS operation
UpdatePreboot: Commencing operation to update the Preboot Volume for Target Volume disk2s1 Macintosh HD
UpdatePreboot: The Target Volume's OpenDirectory (non-special kind) user count is 1 and the Recovery (any of 3 kinds) user count is 2
UpdatePreboot: No custom Open Directory path given
UpdatePreboot: Using GivenVolumeMountPointOrNilIfNotMounted as MacOSSearchPath
UpdatePreboot: Using MacOSSearchPath's child dslocal path as OpenDirectorySearchPath
UpdatePreboot: MacOS Search Path = (nil=NotMounted) = /
UpdatePreboot: Open Directory Database Search Path = (nil=MacOSSearchPathNotMounted) = /var/db/dslocal/nodes/Default
UpdatePreboot: Successfully opened Open Directory database; setting AuthODNodeOrNil accordingly
UpdatePreboot: Mounting and ensuring as mounted the related Preboot Volume
UpdatePreboot: Preboot Volume = disk2s2 Preboot
UpdatePreboot: Preboot Volume Target Directory = /Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377
UpdatePreboot: Considering APFS Crypto User EBC6C064-0000-11AA-AA11-00306543ECAC
UpdatePreboot: This is the Personal Recovery Key for this Volume
UpdatePreboot: Treating this APFS Crypto User as a Personal Recovery Key User
UpdatePreboot: Before rendering EFILoginUserGraphics user resources for type = EFI Login Personal Recovery Key User
UpdatePreboot: After rendering EFILoginUserGraphics Data=(0=Error)=0x7fb910f24b00=0
UpdatePreboot: Successfully added a Personal Recovery Key User to the building dictionary
UpdatePreboot: Successfully processed APFS Volume Crypto User EBC6C064-0000-11AA-AA11-00306543ECAC
...
UpdatePreboot: Considering APFS Crypto User 57A79AC6-ED71-4DE5-82BE-6B0ECFC5E2C
UpdatePreboot: Defaulting and requiring that this be an Open Directory User
UpdatePreboot: Treating this APFS Crypto User to be, and requiring to match, an Open Directory User
UpdatePreboot: Correlated APFS Volume Crypto User with Open Directory User 57A79AC6-ED71-4DE5-82BE-6B0ECFC5E2C aka "admin"
UpdatePreboot: All required data for this Open Directory user has been obtained
...
datePreboot: Writing Admin User Info File to path /Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377/var/db/AdminUserRecoveryInfo.plist
UpdatePreboot: Successfully wrote Admin User Info File
UpdatePreboot: Checking for existence of Secure Access Token file /var/db/dslocal/nodes/Default/secureaccesstoken.plist
UpdatePreboot: Before copying Secure Access Token file /var/db/dslocal/nodes/Default/secureaccesstoken.plist into directory /Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377/var/db
UpdatePreboot: After copying error=(0=success)=0
UpdatePreboot: Unmounting Preboot Volume
UpdatePreboot: Exiting Update Preboot operation with overall error=(0=success)=0
If it ends with an overall error of 0 then that's it. Reboot and be prepared to wait. It'll take a while, so be patient. Then you should be back in business!
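The two checks in the steps above (picking the encrypted volume out of the listing, then confirming the final error code) can be scripted. This is an added example, not part of the original post or croaker's instructions; the function names are hypothetical and the sample text is trimmed from the listings above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample text is trimmed from the listings above.

# Print "identifier|name|state" for each encrypted volume in `diskutil apfs list` output (stdin).
encrypted_volumes() {
    dev='' name=''
    while IFS= read -r line; do
        case $line in
            *"+-> Volume "*)            # "+-> Volume disk2s1 <UUID>"
                rest=${line#*"+-> Volume "}; dev=${rest%% *}; name='' ;;
            *"Name: "*)
                name=${line#*"Name: "} ;;
            *"Encrypted: Yes"*)
                state=${line#*"Encrypted: "}
                if [ -n "$dev" ]; then
                    printf '%s|%s|%s\n' "$dev" "$name" "$state"
                fi ;;
        esac
    done
}

# Print the overall error code from `diskutil apfs updatePreboot` output (stdin);
# succeed only when that code is 0. Prints "missing" if the final line never appeared.
preboot_overall_error() {
    code=missing
    while IFS= read -r line; do
        case $line in
            *"Exiting Update Preboot operation with overall error="*)
                code=${line##*=} ;;
        esac
    done
    printf '%s\n' "$code"
    [ "$code" = 0 ]
}

SAMPLE_LIST='+-> Volume disk2s1 6AAC9D56-EC44-38B3-9C50-1D6DA3020377
| APFS Volume Disk (Role): disk2s1 (No specific role)
| Name: Macintosh HD
| Encrypted: Yes (Unlocked)
+-> Volume disk2s2 FA366E2A-B9CD-4822-AC93-3133635BAFD60
| APFS Volume Disk (Role): disk2s2 (Preboot)
| Name: Preboot
| Encrypted: No'
SAMPLE_PREBOOT='UpdatePreboot: Unmounting Preboot Volume
UpdatePreboot: Exiting Update Preboot operation with overall error=(0=success)=0'

printf '%s\n' "$SAMPLE_LIST" | encrypted_volumes        # disk2s1|Macintosh HD|Yes (Unlocked)
printf '%s\n' "$SAMPLE_PREBOOT" | preboot_overall_error # 0
# On the recovery system: diskutil apfs list | encrypted_volumes
```

If preboot_overall_error prints anything other than 0, or "missing", do not reboot yet; re-check that the volume was unlocked before running updatePreboot again.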