Saturday 26 January 2019

FileVault Decryption stuck - blocking upgrades Mac OSX - Remedy re-image


Had a problem with a MacBook Air running High Sierra that got stuck decrypting FileVault.

Backstory  

FileVault was being used on an existing machine that had been passed along to a family member. The machine worked fine but occasionally would ask for an older user account to unlock the system when being rebooted. Machine owner wanted to add a partner as another user account to the machine. This was done but it was found that the owner user had to be the one to unlock the system after a reboot or restart. Decided to remove FileVault as this was a known cause of the single account to unlock syndrome. Set system to remove encryption and handed back. Both accounts could now be used to unlock the system. This was not the end of the story as the system came back after getting stuck on an OS upgrade. A number of related symptoms were seen.

Symptoms

1) Upgrade fails

After a couple of weeks, when the MacBook was brought over to the house for a Time Machine backup to the Time Capsule on the network at the house, it was noticed that an upgrade was waiting to install. When trying the upgrade, the following messages appeared: "macOS could not be installed on your computer" and "Unable to install to "Macintosh HD" Because it is currently encrypting data." "Quit the installer to restart your computer and start again."

  

2) FileVault Decryption progress bar bounces around as per this video.



3) fdesetup gives variable results ...

From Terminal output

House-MacBook-Air-2:~$ sudo fdesetup status 
Password:

FileVault is Off.
House-MacBook-Air-2:~$ sudo fdesetup status 
FileVault is Off.
Decryption in progress: Percent completed = 20.23
House-MacBook-Air-2:~$ 

Even after leaving the machine switched on and set to not sleep, the percent complete does not move. It does not even make progress in the background when the system is awake and at the login screen with no one logged in.

4) diskutil says decryption is needed

Last login: Mon Jan 21 00:30:50 on ttys000
House-MacBook-Air-2:~$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 2Cxxxxxx3-AA11-48A1-B90A-756xxxxxxF39
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         250140434432 B (250.1 GB)
    Free Space:   18882560 B (18.9 MB)
    |
    +-< Physical Volume Dxxxxxx1A-1061-4343-8E2C-D8AxxxxxxD78
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     250140434432 B (250.1 GB)
    |
    +-> Logical Volume Family 1xxxxxxE-4477-4DC4-801F-80xxxxxxFB50
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Converting (backward)
        Reversion State:         Reverting
        High Level Queries:      Not Fully Secure
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume 1xxxxxxD-B8AE-4390-93B0-E93xxxxxx13
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            Size (Total):          249769230336 B (249.8 GB)
            Conversion Progress:   Failed
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS
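
Symptoms 3 and 4 can be checked mechanically before an OS upgrade is attempted, since a volume in this state is also left only partly decrypted ("Not Fully Secure"). The sh functions below are an added example, not part of the original post; the function names are assumptions, and the sample input is copied from the output shown above.

```shell
#!/bin/sh
# Added example: classify FileVault (CoreStorage) conversion state from
# captured command output, e.g. as a pre-upgrade health check.

# Print the percentage from `fdesetup status` text on stdin,
# or nothing if no conversion is reported.
fde_percent() {
    sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p' | head -n 1
}

# Classify `diskutil cs list` text on stdin:
#   failed     - a logical volume reports "Conversion Progress: Failed"
#   converting - a conversion (forward or backward) is still pending
#   idle       - neither marker is present
cs_state() {
    awk '
        /Conversion Progress:/ && /Failed/   { failed = 1 }
        /Conversion Status:/ && /Converting/ { converting = 1 }
        END {
            if (failed) print "failed"
            else if (converting) print "converting"
            else print "idle"
        }'
}

# Compare two `fdesetup status` samples taken some time apart: stalled if
# both report a conversion and the percentage has not changed.
fde_stalled() {
    p1=$(printf '%s\n' "$1" | fde_percent)
    p2=$(printf '%s\n' "$2" | fde_percent)
    [ -n "$p1" ] && [ "$p1" = "$p2" ]
}

# Sample input: lines copied from the terminal output in this post.
SAMPLE_FDE='FileVault is Off.
Decryption in progress: Percent completed = 20.23'
SAMPLE_CS='        Conversion Status:       Converting (backward)
            Conversion Progress:   Failed'

if [ "$(printf '%s\n' "$SAMPLE_CS" | cs_state)" = "failed" ] &&
   fde_stalled "$SAMPLE_FDE" "$SAMPLE_FDE"; then
    echo "Decryption is stuck: do not start an OS upgrade on this volume"
fi
```

On a live machine the same functions can be fed from `diskutil cs list | cs_state` and from two `sudo fdesetup status` captures taken some minutes apart.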

Remedy

Despite a few reboots and leaving it switched on for long periods, both logged in and logged out, the decryption did not progress or resolve itself. A hunt round the forums found a few others that had similar problems that had not been resolved.

The only feasible solution I found was to re-image the machine using the most excellent Time Machine.
  1. Attach an empty external hard drive of larger capacity than the Mac.
  2. Add the new drive as an extra Time Machine drive.
  3. Wait until the backup completes to the new drive.
  4. Check to ensure that the new backup is of the same size as the contents of the Mac.
  5. Unplug the backup drive.
  6. Reboot machine holding  R to enter the recovery console.
  7. Use Disk Utility to erase the main drive.
  8. Use "Recover from Time Machine backup" to restore the system. Noting but ignoring the warning about using encrypted data to restore an unencrypted drive.
  9. Restart machine once recovery is complete.
  10. Complete the OS upgrade from the App Store.
  11. Remove the extra drive from the Time Machine backup configuration.
  12. Switch on FileVault again (optional).

Sorry I could not find some fancy hack to free up the decryption; just grateful that Time Machine could save the day (again).











