Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: MeMeMeMeMe
MeMeMeMeMe Author
User level: Level 1
9 points

Diskutil eject does not 're-lock' Filevault encrypted volumes on external drive

Man documentation for diskutil...


http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/ man8/diskutil.8


... states that the diskutil eject command can be used to "re-lock" a corestorage volume that has been previously unlocked:


"To 're-lock' the volume, make it offline again by ejecting it, e.g. with diskutil eject."


I have an external hard drive with several Filevault 2 encrypted partitions (OSX 10.8.3) . Once a volume is unlocked using diskutil corestorage unlockVolume, when the volume is subsequently ejected using diskutil eject, it shows the disk as unlocked after ejecting. After ejecting, I can look with diskutil corestorage list and find:


| Encryption status: Unlocked


Indeed, after ejecting, the disk can be re-mounted and the files accessed without re-entering the Filevault password for the volume.


The only means I have for restoring the disk to the locked status is to restart the machine.


What is the correct way to "re-lock" a corestorage volume?


Below is the output for the drive using diskutil corestorage list after unlocking with diskutil corestorage unlockVolume and then ejecting with diskutil eject.



+-- Logical Volume Group ####

| =========================================================

| Name: ####

| Status: Online

| Size: 498058510336 B (498.1 GB)

| Free Space: 0 B (0 B)

| |

| +-< Physical Volume ####

| | ----------------------------------------------------

| | Index: 0

| | Disk: disk1s4

| | Status: Online

| | Size: 498058510336 B (498.1 GB)

| |

| +-> Logical Volume Family ####

| ----------------------------------------------------------

| Encryption Status: Unlocked

| Encryption Type: AES-XTS

| Conversion Status: Complete

| Conversion Direction: -none-

| Has Encrypted Extents: Yes

| Fully Secure: Yes

| Passphrase Required: Yes

| |

| +-> Logical Volume ####

| ---------------------------------------------------

| Disk: disk2

| Status: Online

| Size (Total): 497739735040 B (497.7 GB)

| Size (Converted): -none-

| Revertible: No

| LV Name: ####

| Volume Name: ####

| Content Hint: Apple_HFS

Mac mini, OS X Mountain Lion (10.8.3)

Posted on Apr 2, 2013 1:41 AM

Reply
25 replies
User profile for user: MeMeMeMeMe
MeMeMeMeMe Author
User level: Level 1
9 points

Nov 8, 2013 1:24 PM in response to fred724

fred724 wrote:


The best work around for this issue is to format the external drive using HFS+ journaled encrypted from the diskutil options. Set your password and be sure to not save to keychain. My external encrypted drives always ask for the pw again after I unmount and remount them (in the same session).


ed724


Well,


I have 5 encrypted and two unencrypted partitions on my external drive, and all were formatted originally using diskutil and formatting as HFS+ journaled encrypted. Without any of the passwords entereded in keychain, the encrypted partitions can be ejected and remounted from diskutil at will, over and over, without re-entering the password after it is entered only once (again, without entering the password in keychain). Once mounted, only way to "eject" any of the encrypted partitions so that they will require a password to re-mount without rebooting, is to unplug the external drive holding the partitions. (This is despite what man diskutil says.) Which does me no good if I am not physically next to the computer.

I will try a different drive with only a single partition to see if what you say is true, but what you are saying doesn't seem to jibe with what others are saying


Are you sure you are not physically unplugging the external drive before remounting it? If so, that is not what anyone here is talking about.

Reply
User profile for user: unoriginalnick
unoriginalnick
User level: Level 1
25 points

Jan 25, 2014 11:16 PM in response to MeMeMeMeMe

I've found a temporary workaround to lock the volume without restarting or disconnecting from USB:


$sudo kextunload -pb com.apple.driver.CoreStorage


Unmount first to (hopefully) prevent file system corruption, then the above will kill all CoreStorage processes and relock the volume. I tested it a couple of times and it seems to work. I had to re-load the kext to unlock the volume again, but I got it to work.


To reload the kext:


$sudo kextload -b com.apple.driver.CoreStorage


Hopefully Apple will wake up and fix this ridiculous security hole soon.

Reply
User profile for user: MeMeMeMeMe
MeMeMeMeMe Author
User level: Level 1
9 points

Jan 28, 2014 1:29 AM in response to sydlow

AlienCamel.com wrote:


Agree. While there is a

diskutil coreStorage unlockVolume command

there is no lock or re-lock command that I can find.


"man diskutil" under corestorage states "To 're-lock' the volume, make it offline again by ejecting it, e.g. with diskutil eject."


This does not work. If they're not going to fix it, they should update their man page.

Reply
User profile for user: himerus
himerus
User level: Level 1
9 points

Apr 30, 2014 2:10 PM in response to MeMeMeMeMe

Yeah, just discovered this as I was setting up a new USB drive to be encrypted and password protected.


It's a low profile USB that I'd plan to leave plugged in to the USB port almost always. However, I'd like to "eject" the drive when I'm done working with it, and any attempt to mount the drive through Disk Utility should then prompt me for the password again.


The only options being rebooting or unplugging the USB is NOT an option!! Seems like this one has been around for quite some time, and should be fairly simple to fix.


PLEASE FIX!!

Reply
User profile for user: Maltz
Maltz
User level: Level 1
4 points

Oct 31, 2014 11:50 AM in response to MeMeMeMeMe

I'm happy to report that this appears to have (FINALLY!!) been fixed in Yosemite. I can either drag the icon to the trash or use "diskutil eject" with either the mount path or the UUID and it will eject AND LOCK the volume. The option to Mount in Disk Utility is changed to Unlock and I have to provide the passphrase to unlock the volume.


One note, though... The manpage says that unlocking a volume will both attach and mount it. It seems that it is only unlocked, and you have to mount it manually. No big deal, just click the Mount button in Disk Utility or run "diskutil mount" after unlocking, but it seems they still can't get the manpage and the utility to agree 100%. lol

Reply
User profile for user: wqdw
wqdw
User level: Level 1
0 points

Jun 24, 2015 1:15 AM in response to MeMeMeMeMe

I'm having a similar but different issue with a drive connected by USB caddy. I eject by dragging into trash or finder window, physically remove the drive, try it in a new mac which asks for a password but then when put back into the caddy I can get straight back in no password needed...

I'm wondering if my encryption is screwed or if the mac is storing passwords even though not asked to in keychain and even with the caddy being turned off.

Reply
User profile for user: sydlow
sydlow
User level: Level 2
477 points

Sep 16, 2016 5:53 AM in response to Maltz

"I'm happy to report that this appears to have (FINALLY!!) been fixed in Yosemite. I can either drag the icon to the trash or use "diskutil eject" with either the mount path or the UUID and it will eject AND LOCK the volume. The option to Mount in Disk Utility is changed to Unlock and I have to provide the passphrase to unlock the volume."


It's not fixed for me in 10.11.6

I can just remount an ejected volume without a password in keychain

Reply

Diskutil eject does not 're-lock' Filevault encrypted volumes on external drive

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up