
Some possible fixes if FileVault goes awry System
I haven't really heard of anyone having major difficulties with FileVault since Apple fixed the original bugs, but I just had a customer who had some serious problems. This all happened under OS 10.3.8, so none of the previous FileVault or sparseimage issues should apply in this case. It may have just been a freak occurrence, but I wanted to share the story and tips in case anyone else ever encounters a similar problem with FileVault or encrypted disc images in general. The names have been changed to protect me from the litigious :)

My client originally complained that he'd get a kernel panic (KP) when logging into his main account on his machine, but he could log in fine to a secondary account -- although he couldn't see the contents of his main home folder from there. At first I thought, "Ok, he's got a bad startup item and can't see the contents of the other folder due to not having permission." The machine still KP'd even when booting in safe mode, so I booted to single user mode and discovered his main account's home folder was actually empty except for a .autodiskmount file. Since a startup item wasn't to blame and the home folder wasn't being populated with items from the default user template, I figured he was using FileVault and his home sparseimage had been deleted. Turned out his original home folder had somehow been renamed to .shortusername, rendering it invisible and a new one had been created which only had root permissions ... and his sparseimage was safely tucked inside his original home folder (phew).

Read the rest to see how I managed to recover the sparseimage. Note that none of the following involves circumventing FileVault: though not specifically detailed, the encryption password was requested and provided at the appropriate times during the recovery process.

Easy fix? Well, after getting rid of the new folder and removing the period from his old home, the machine would still KP right after logging into the main account. Logged into the secondary account and tried to mount the sparseimage manually and got a message from the DiskImageHelper application that there were no mountable file systems in the image. Not sure why it didn't just KP when logged into this account, but that seems to be beside the point. Now the fun begins.

I booted to my FireWire diag HD and when trying to mount the disk image there, the machine would KP as soon as I entered his password. I tried mounting the image via the hdiutil attach imagename command which, at least, gracefully failed instead of causing the machine to arf. I even tried using Mount, a neat old utility made by Scott Houchin, but no luck. Since hdiutil attach failed without actually killing the kernel, I decided to try running hdiutil convert shortusername.sparseimage -format UDRW -o shortusername.dmg to see if that would produce a mountable image. The conversion actually finished without error, but the directory on his original 6GB sparseimage was damaged such that the conversion process produced a 26GB image! Worse yet, the resulting image would also KP the machine when double-clicked. Now that encryption (hopefully) was not an obstacle any more, I thought my only option was going to be to drag the dmg onto File Juicer (a fantastic little app) and scrounge out what images, movies and text documents I could.

However, I decided to see what Disk Utility could do first -- since it's the only directory repair utility I know of that will operate directly on images before they're mounted -- so I dragged the image to the drive list container. A Verify showed severe damage to the directory inside the image, and a Repair tried to mount the image which again KP'd the machine. Just to see what would happen, I created a new blank sparseimage and then used the Restore function in Disk Utility to try to copy from the damaged image to the new image. This actually worked up to a point: the process died with an error partway through copying the user's Documents folder although what was copied appeared to be free of corruption. This was encouraging.

I noticed that when running the Verify in First Aid, a greyed-out hard drive icon would briefly appear under the disc image icon in the drive list and then disappear. After a short bit of experimenting, I discovered that if I hit the Verify button and then immediately hit Stop Verify, the process would stymie and leave the greyed-out disc icon under the image. This is important: this greyed-out icon represents the image's volume in some sort of half-mounted state. So I ran DiskWarrior, and the volume showed up in the list of available volumes to rebuild! Unfortunately, DiskWarrior found over 12,000 crosslinked files and was taking forever to finish the directory scan. From experience I've found that DiskWarrior usually has problems fixing volumes with more than a couple crosslinked files, so I stopped that.

Next I tried Data Rescue, and that appeared to be thoroughly successful -- I got the entire folder structure of the original home folder and with a random sampling, the files appear to be intact.

So to summarize:
  1. If you have an encrypted image which won't mount or causes a KP after entering the password key, the first thing to try (if Disk Utility won't repair it) is to get it into an unencrypted state by launching Terminal and typing hdiutil convert sourceimage.type -format UDRW -o targetimage.dmg. If the converted image still won't mount, this will at least allow utilities like File Juicer or PhotoRescue to work on it. (If anyone knows of other repair or recovery utilities that will work directly on disc images without mounting them, please share.)
  2. If you need more than image or text files recovered, try creating a new image -- either with Disk Utility or with hdiutil create -type SPARSE -size 50g -fs HFS+ growableimage, and then use the Restore tab in Disk Utility to try to copy the contents from the damaged image to the new one. (Note: you have to mount the new image so you can drag the disc icon to the Destination field.)
  3. If no other utilities work, then try selecting the damaged disc image in Disk Utility, select the First Aid tab, then try hitting the Verify button and immediately hit the Stop Verify button, and see if you can get that ghost volume to stick. Then possibly DiskWarrior or other recovery utilities can save the day.
Sorry for the long-winded post -- hopefully this will help anyone who finds themselves in a world-o-hurt with an encrypted disc image that won't mount.
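Step 1 of the summary, wrapped so the conversion runs on a private copy and the decrypted output stays owner-only. This is an added example, not part of the original hint; the function name convert_copy, the work-directory layout and the 6x free-space factor are assumptions.

```shell
#!/bin/sh
# Added example (not from the hint). Runs the hint's
# "hdiutil convert ... -format UDRW" on a copy, never on the original.
# usage: dmg=$(convert_copy /Users/foobar/foobar.sparseimage /Volumes/Scratch/fv)
#        (/Volumes/Scratch/fv is a constructed path; hdiutil asks for the password)

# convert_copy IMAGE WORKDIR -> prints the path of the decrypted .dmg
# returns 2 = bad input, 3 = not enough free space, else cp/hdiutil status
convert_copy() {
    src=$1 work=$2
    [ -f "$src" ] || { echo "no such image: $src" >&2; return 2; }

    # The converted image is NOT encrypted: create everything owner-only.
    old_umask=$(umask); umask 077
    mkdir -p "$work" || { umask "$old_umask"; return 2; }

    # Source size and free space on the work volume, both in KB.
    size_kb=$(( ($(wc -c < "$src") + 1023) / 1024 ))
    free_kb=$(df -Pk "$work" | awk 'NR==2 {print $4}')
    # Assumed headroom: 1x for the copy plus room for a damaged directory
    # inflating the output (the hint saw a 6GB image convert to 26GB).
    need_kb=$(( size_kb * 6 ))
    if [ "$free_kb" -lt "$need_kb" ]; then
        echo "need ${need_kb}KB free in $work, have ${free_kb}KB" >&2
        umask "$old_umask"; return 3
    fi

    copy="$work/$(basename "$src")"
    out="$work/$(basename "$src" .sparseimage)-recovered.dmg"
    # hdiutil's own messages go to stderr so stdout carries only the path.
    cp "$src" "$copy" &&
    hdiutil convert "$copy" -format UDRW -o "$out" >&2
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] && echo "$out"
    return "$rc"
}
```

Once the files have been recovered, the work directory holds a plaintext copy of the home folder and should be erased or kept on an encrypted volume.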

The following comments are owned by whoever posted them. This site is not responsible for what they say.
Some possible fixes if FileVault goes awry
Authored by: Kool on Mar 29, '05 11:45:54AM

Incorrect information in this hint. To my knowledge, a FileVault protected home folder is indeed stored in a folder preceded with a dot (/Users/.username). This is however intended behaviour. This is, I think, to avoid name conflicts with the sparseimage being mounted at /Users/username.



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: mike666 on Mar 29, '05 12:18:57PM

This may have been standard behavior at some point but I believe it's been changed - in the course of troubleshooting I enabled FileVault for a test account on my machine to verify where everything was supposed to live (haven't played with FileVault much since the original problems with it) and it simply created the sparseimage directly in the user's home folder. This may have been part of the 10.3.2 & 10.3.3 fixes.



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: Safar on Mar 30, '05 01:19:53AM

When the FileVault protected user is logged in, the sparseimage is renamed to .shortusername.sparseimage
When the FileVault protected user logs out, the sparseimage is renamed to shortusername.sparseimage

In the case described by the poster of this hint, all you would have had to do to repair FileVault is log out from the FileVault protected user, log in from another user, and do some sudo command to replace the shortusername.sparseimage with the good sparseimage (and give it proper permissions)



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: mike666 on Mar 30, '05 05:54:20AM
Ah, I'm getting a better picture of this.

Close, Safar, but what actually happens is that when logged in, the user's home folder is renamed to .shortusername with the unmodified sparseimage inside it and then a new home folder is created and the mounted sparseimage is mapped to that. When the user logs out, all that reverses itself. At least this is what happens under 10.3.8. Since the logged-in folder structure was what I saw when viewing the contents of /Users while logged in as the other account on the machine - and the FileVault protected account wasn't logged in - something must've hung up during the closing process during the last logout of the FileVault protected account. My initial fix of renaming the folders would've worked had the sparseimage itself not been damaged. My client however, asked me to restore the data to a non-FileVault protected account - he was understandably leery of trusting FileVault again! I didn't go into it in the article, but I also received the machine (a TiPB 500) with outdated firmware, which might have actually been responsible for the whole FileVault debacle. It also took some doing, but I made sure the firmware was updated before I did any troubleshooting of the login problem.

[ Reply to This | # ]
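A read-only check for the stuck state described in the comment above, where the on-disk layout says "logged in" but the account has no session. This is an added example, not part of the thread; it assumes the 10.3.8 layout exactly as that comment describes it, and the function names fv_layout and fv_is_stale are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Inspects /Users without changing it.
# usage: fv_is_stale /Users foobar && echo "foobar: stale logged-in layout"

# fv_layout USERS_DIR SHORTNAME -> prints one of:
#   logged-out  image at USERS_DIR/NAME/NAME.sparseimage
#   logged-in   image at USERS_DIR/.NAME/NAME.sparseimage
#   ambiguous   an image exists in both places
#   no-image    no image in either place
fv_layout() {
    users=$1 name=$2
    visible="$users/$name/$name.sparseimage"
    hidden="$users/.$name/$name.sparseimage"
    if [ -f "$visible" ] && [ -f "$hidden" ]; then echo ambiguous
    elif [ -f "$hidden" ]; then echo logged-in
    elif [ -f "$visible" ]; then echo logged-out
    else echo no-image
    fi
}

# fv_is_stale USERS_DIR SHORTNAME [SESSIONS]
# SESSIONS is `who`-style text (default: the output of who).
# Returns 0 when the layout is "logged-in" but SHORTNAME has no session,
# i.e. the last logout never put the folders back.
fv_is_stale() {
    sessions=${3-$(who 2>/dev/null || true)}
    [ "$(fv_layout "$1" "$2")" = logged-in ] || return 1
    # First column of who output is the login name.
    printf '%s\n' "$sessions" |
        awk -v u="$2" '$1 == u {found=1} END {exit !found}' && return 1
    return 0
}
```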

Login via Console
Authored by: watersb on Mar 31, '05 02:00:25PM

You can log into the Console, and you will have a shell in multi-user mode without mounting the FileVault sparse image.

Then you can use the diskutil to mount an external disk (Firewire or USB) to restore your sparseimage backup (you *do* have a backup, right?) You can move your corrupted FileVault image out of the way by renaming it before restoring from your backup.

1) From System Preferences:Accounts:Login Options -- check the "user name and password" for the login panel, rather than the "list of users" option.

2) Log Out

3) When the login panel appears, type ">console" for the user name and hit Enter (no password). (And that is a greater-than character, then console, no spaces, no quotation marks.)

4) You will have a console with a login prompt; type your user name and password, and you'll be at a shell, where you can get your corrupted sparse image working again.

good luck...



[ Reply to This | # ]
Run diskutil repairVolume via console
Authored by: orca on Dec 07, '05 09:25:29AM

This console login trick is what worked for me. Disk Utility kept giving an error about being unable to finish the task when I logged in as another user to repair my FileVault sparseimage. I had my backups on hand, so I decided to drop to the console to resolve things:

  1. Enable user and password for the login screen
  2. Log out, then login as >console, then my user name
  3. Mount the image using hdiutil mount -stdinpass /Users/account/account.sparseimage (this lets you mount the disk without a graphical login)
  4. Run diskutil repairVolume /Volumes/account until no errors are reported. The first few attempts may state that repairs could not be completed, but as long as some repairs were done, you're making progress!
  5. Login normally. I noticed that some Desktop/Home icons were not correct, so I just logged out and back in once more
  6. Everything is ok!

This might be an avenue to try before paying for DiskWarrior. Manually running diskutil repairVolume seems to give a more determined effort than the GUI presented by Disk Utility's "Repair Volume" command.



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: rasalghul on Apr 13, '05 10:51:40PM

This post and the replies were a great help to me. My G5 wouldn't wake from sleep, so without thinking much of it, I restarted. When it came back up, everything in my home folder was gone. I simply found the .sparseimage, and I was set. Thanks.



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: geishaslave on Sep 01, '05 02:26:14AM

Hello everyone.

Thanks for reading this.

Just wanted to report that I had a client with the same issue described by mike666 and I was able to resurrect a corrupt .sparseimage file using a similar strategy.

What I did was log into an admin account then repair the .sparseimage file using Disk Utility. Though the repair said it was successful, from the user's account Disk Utility would fail with Verify or Repair citing 'invalid key length' and error -9972.

I double clicked on the .sparseimage icon in the left pane of Disk Utility and the greyed out icon of the mounted volume appeared. I then ran DataRescueX 10.4.3 to recover what was possible. DiskWarrior will probably also work. The Verify then click Stop trick did not work for me.

Perhaps my multiple attempts to repair the .sparseimage file fixed some of the problem enough to get it mounted under Disk Utility?

Anyway, the machine was a G5 PowerMac with Panther 10.3.9.

Thanks mike666 and I hope the above is helpful to other poor souls who put their faith in FileVault and did not have a backup.



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: cryptonomicon on Dec 03, '05 09:32:36PM

Another problem, that was largely fixed by Apple, is when you first turn on FileVault your whole home directory can appear to have totally disappeared making you think you lost everything. In every case where this has happened to me, your data is perfectly fine. The problem is a key setting not being set correctly to tell Mac OS where to find your now encrypted data.

Go to /Applications/Utilities and open the NetInfo Manager Application. Select the "users" item in the middle column. In the next column to the right, find your username. For this example, I'll say the user's name is foobar. So, find foobar and select it. On the bottom of the window are a set of properties and values for your user account. Scroll through them to find the home_loc property. If this property is either missing or not set correctly, Mac OS won't properly mount your FileVault protected home directory, making it seem like all your data went missing.

To check the setting to make sure it is correct, first click the lock icon in the bottom left hand corner of the window (if it is not already unlocked). Assuming the home_loc property exists, click its value and make sure it is set to:

<home_dir><url>file://localhost/Users/foobar/foobar.sparseimage</url></home_dir>

Where foobar in both cases should be your username. If this is not what it is set to, or if the home_loc property doesn't exist, correct it.

Now relog in as the user and your data should all be there again, snug inside FileVault protection!



[ Reply to This | # ]
Thank you.
Authored by: incidentist on Jan 18, '06 05:09:30PM

I am in the process of copying an 8gb sparseimage to another machine. I found the damn thing thanks to this hint. My ass is saved. Thank you. I wouldn't have figured this out on my own.



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: shoke21 on Jun 12, '06 05:52:28PM

Ok here is my problem, I don't understand what you mean by "Enable user and password for the login screen", and "log out, then login as >console, then my user name". Where do I enable user and password, and where do I login as ">Console" and then how do I enter my user name? Also when I am in terminal I enter "hdiutilmount -stdinpass /Users/account/account.sparseimage" and it then tells me to enter pass code. What is the pass code, because when I type my password it doesn't show characters, and when I hit return it either says that there is no such directory or that it timed out waiting for driver to boot.
Please please help!



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: jacobjacob on Aug 02, '06 12:21:05PM

It is kinda the same problem i have - did you find a solution?



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: jacobjacob on Aug 02, '06 11:32:47AM
Hm, I'm a newbie but am trying. I have a variant of the problem described above. I am trying the first step, i.e. getting the sparseimage decrypted. But when trying I get the following

jacob:/jacob-kopi test$ hdiutil convert jacob.sparseimage -format UDRW -o newjacob.dmg

hdiutil: convert failed - acces denied

I told my key chain to give me access every time (and should probably have chosen "one this time"), now I'm in doubt whether I typed the PW wrong or there is something else wrong.

Anyone who can help me... I promise to make back up in the future!!! I promise!!!

[ Reply to This | # ]

Some possible fixes if FileVault goes awry
Authored by: cdenesha on May 19, '10 12:06:00PM

Very nice hint that I will file away for future use. I'm looking to either use FileVault or my own sparse bundles.

thanks!

chris



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: violablue on Jun 05, '10 12:02:57PM

Thank you! Invaluable advice.

I recently bought a new Macbook and while trying to transfer over files, File Vault on my iMac became nightmare city. So I had to erase the MacBook and reload files.

So that got up and running again, but without my core files. The iMac File Vault would not allow File Sharing either. And I couldn't shut it off because it kept coming up as an error. So I did the delete User thing so I could root through files to my New User account (without File Vault) and wango, no permission to mount the image. Oh, stomach full of lead.

After leaving a panicked message with a Mac repair in the area my copying of the sparse image file finished (for a second file to play with in case I wrecked the only one). I tried to open the copy and it asked nicely for a password instead of just refusing permission, and it actually opened. Elation.

So never did get to drag it to Disc Utility.

Thank you thank you thank you!



[ Reply to This | # ]
Some possible fixes if FileVault goes awry
Authored by: cavenewt on Nov 10, '10 12:43:31PM

Thanks for the tip! This gave me some hints for how to fix a client's broken FileVault, which was in Leopard. I did discover that Disk Warrior 4.2 recognizes FileVault accounts as such, and can repair them--of course you need the password.



[ Reply to This | # ]