APFU! APFS Disk Password - macOS 10.13 High Sierra Locked Me out of my Machine!


My High Sierra upgrade experienced worked great on my 2016 15" Macbook Pro work machine, but my personal machine had a distressing journey. It seems that my 2012 non-retina 15" Macbook Pro went to sleep during the upgrade process, which led to an issue that completely locked me out of my disk. Upon booting the computer, I was prompted for a "Disk Password." None of my login passwords worked! I tried the usual trouble shooting issues, to no avail.

Luckily I found this great post from croaker in the Apple Developer forums from July 6, 2017 that worked! Evidently this was an issue in the developer previews that was not fixed in the official High Sierra release.

Here's what you need to do:

  1. Boot into the OS installer/recovery drive.

  2. Open a terminal window. Run diskutil apfs list and find your boot volume

$ diskutil apfs list  
APFS Container (1 found)  
+-- Container disk2 87F8E3F6-28B8-4A98-847A-28C4370E1133  
    APFS Container Reference:    disk2 (Fusion)  
    Capacity Ceiling (Size):      754964643840 B (755.0 GB)  
    Capacity In Use By Volumes:  480886849536 B (480.9 GB) (63.7% used)  
    Capacity Available:          274077794304 B (274.1 GB) (36.3% free)  
    +-< Physical Store disk0s2 A070CF3A-AFA8-4AFF-81E3-E77D75FD4685  
    |  -----------------------------------------------------------  
    |  APFS Physical Store Disk:  disk0s2  
    |  Size:                      255716540416 B (255.7 GB)  
    +-< Physical Store disk1s2 46B2EB23-79BA-43A0-A99F-D50AAC6C66BF  
    |  -----------------------------------------------------------  
    |  APFS Physical Store Disk:  disk1s2  
    |  Size:                      499248103424 B (499.2 GB)  
    +-> Volume disk2s1 6AAC9D56-EC44-38B3-9C50-1D6DA3020377  
    |  ---------------------------------------------------  
    |  APFS Volume Disk (Role):  disk2s1 (No specific role)  
    |  Name:                      Macintosh HD  
    |  Mount Point:              /  
    |  Capacity Consumed:        461711589376 B (461.7 GB)  
    |  Capacity Reserve:          None  
    |  Capacity Quota:            None  
    |  Encrypted:                Yes (Unlocked)  
    +-> Volume disk2s2 FA366E2A-B9CD-4822-AC93-3133635BAFD60  
    |  ---------------------------------------------------  
    |  APFS Volume Disk (Role):  disk2s2 (Preboot)  
    |  Name:                      Preboot  
    |  Mount Point:              Not Mounted  
    |  Capacity Consumed:        18444288 B (18.4 MB)  
    |  Capacity Reserve:          None  
    |  Capacity Quota:            None  
    |  Encrypted:                No  
    +-> Volume disk2s3 0E4E73B-B55D-4DEC-94A1-0A3DD20E73EC  
    |  ---------------------------------------------------  
    |  APFS Volume Disk (Role):  disk2s3 (Recovery)  
    |  Name:                      Recovery  
    |  Mount Point:              Not Mounted  
    |  Capacity Consumed:        518926336 B (518.9 MB)  
    |  Capacity Reserve:          None  
    |  Capacity Quota:            None  
    |  Encrypted:                No  
    +-> Volume disk2s4 38451C7D-33AA-42AE-A951-09CB95D25D2C  
        APFS Volume Disk (Role):  disk2s4 (VM)  
        Name:                      VM  
        Mount Point:              /private/var/vm  
        Capacity Consumed:        9842118656 B (9.8 GB)  
        Capacity Reserve:          None  
        Capacity Quota:            None  
        Encrypted:                No

In this case, the boot volume is disk2s1.

  1. Now run diskutil apfs unlockvolume disk2s1 on your boot volume, replacing disk2s1 for your boot volume. Authenticate with your usual password.

  2. Finally, run diskutil apfs updatePreboot on your now unlocked boot volume. Here's what you'll see:

$ diskutil apfs updatePreboot disk2s1  
Started APFS operation  
UpdatePreboot: Commencing operation to update the Preboot Volume for Target Volume disk2s1 Macintosh HD  
UpdatePreboot: The Target Volume's OpenDirectory (non-special kind) user count is 1 and the Recovery (any of 3 kinds) user count is 2  
UpdatePreboot: No custom Open Directory path given  
UpdatePreboot: Using GivenVolumeMountPointOrNilIfNotMounted as MacOSSearchPath  
UpdatePreboot: Using MacOSSearchPath's child dslocal path as OpenDirectorySearchPath  
UpdatePreboot: MacOS Search Path = (nil=NotMounted) = /  
UpdatePreboot: Open Directory Database Search Path = (nil=MacOSSearchPathNotMounted) = /var/db/dslocal/nodes/Default  
UpdatePreboot: Successfully opened Open Directory database; setting AuthODNodeOrNil accordingly  
UpdatePreboot: Mounting and ensuring as mounted the related Preboot Volume  
UpdatePreboot: Preboot Volume = disk2s2 Preboot  
UpdatePreboot: Preboot Volume Target Directory = /Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377  
UpdatePreboot: Considering APFS Crypto User EBC6C064-0000-11AA-AA11-00306543ECAC  
UpdatePreboot: This is the Personal Recovery Key for this Volume  
UpdatePreboot: Treating this APFS Crypto User as a Personal Recovery Key User  
UpdatePreboot: Before rendering EFILoginUserGraphics user resources for type = EFI Login Personal Recovery Key User  
UpdatePreboot: After rendering EFILoginUserGraphics Data=(0=Error)=0x7fb910f24b00=0  
UpdatePreboot: Successfully added a Personal Recovery Key User to the building dictionary  
UpdatePreboot: Successfully processed APFS Volume Crypto User EBC6C064-0000-11AA-AA11-00306543ECAC  
UpdatePreboot: Considering APFS Crypto User 57A79AC6-ED71-4DE5-82BE-6B0ECFC5E2C  
UpdatePreboot: Defaulting and requiring that this be an Open Directory User  
UpdatePreboot: Treating this APFS Crypto User to be, and requiring to match, an Open Directory User  
UpdatePreboot: Correlated APFS Volume Crypto User with Open Directory User 57A79AC6-ED71-4DE5-82BE-6B0ECFC5E2C aka "admin"  
UpdatePreboot: All required data for this Open Directory user has been obtained  
datePreboot: Writing Admin User Info File to path /Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377/var/db/AdminUserRecoveryInfo.plist  
UpdatePreboot: Successfully wrote Admin User Info File  
UpdatePreboot: Checking for existence of Secure Access Token file /var/db/dslocal/nodes/Default/secureaccesstoken.plist  
UpdatePreboot: Before copying Secure Access Token file /var/db/dslocal/nodes/Default/secureaccesstoken.plist into directory /Volumes/Preboot/6AAC9D56-EC44-38B3-9C50-1D6DA3020377/var/db  
UpdatePreboot: After copying error=(0=success)=0  
UpdatePreboot: Unmounting Preboot Volume  
UpdatePreboot: Exiting Update Preboot operation with overall error=(0=success)=0  

If it ends with an overall error of 0 then that's it. Reboot and be prepared to wait. It'll take a while, so be patient. Then you should be back in business!