See also: What does “FileVault: No (Encrypted at rest)” mean?
As a developer and researcher, I need some APFS volumes on a T2 Mac decrypted to the point that reading their raw blocks, e.g. with the dd command, will show me the unencrypted content. How do I achieve that, provided I have full access (and authentication) to the Mac and its on-disk data?
I’d either need a way to decrypt the blocks after reading them (e.g. from /dev/diskXsY), or would need to have macOS decrypt them fully, just like some hidden volumes (“Preboot”, “Recovery”, “VM”) are already by default.
With pre-T2 Macs this was easy: I would issue the command diskutil apfs decrypt diskXsY. But on a T2 Mac, this leads to the message:
APFS Volume diskXsY is not FileVaulted
How do I get raw access to the unencrypted content of these volumes’ blocks? Be it by using some command to decrypt them permanently, or getting the information on how to write code to decrypt the blocks on-the-fly.
Note: I do not plan to remove the SSD from the Mac – I just want to be able to scan the APFS structures of these volumes while they’re inside that Mac, and for that I need them decrypted.
Another benefit of answering this question: Decrypting the volumes permanently should enable a user to clone the raw disk (i.e. its containers) to another Mac, where one could then re-encrypt the data (if there’s a process for that).