Showing posts with label filevault. Show all posts

Saturday, 26 January 2019

Filevault Decryption stuck - blocking upgrades Mac OSX - Remedy re-image


Had a problem with a MacBook Air running High Sierra that got stuck decrypting FileVault.

Backstory  

FileVault was being used on an existing machine that had been passed along to a family member. The machine worked fine but occasionally would ask for an older user account to unlock the system when being rebooted. Machine owner wanted to add a partner as another user account to the machine. This was done, but it was found that the owner user had to be the one to unlock the system after a reboot or restart. Decided to remove FileVault as this was a known cause of the single account to unlock syndrome. Set system to remove encryption and handed back. Both accounts could now be used to unlock the system. This was not the end of the story, as the system came back after getting stuck on an OS upgrade. A number of related symptoms were seen.

Symptoms

1) Upgrade fails

After a couple of weeks, when the MacBook was brought over to the house for a Time Machine backup to the Time Capsule on the network at the house, it was noticed that an upgrade was waiting to install. When trying the upgrade, these messages appeared: "macOS could not be installed on your computer" and "Unable to install to "Macintosh HD" Because it is currently encrypting data." "Quit the installer to restart your computer and start again."

  

2) Filevault Decryption progress bar bounces around as per this video.



3) fdesetup gives variable results ...

From Terminal output

House-MacBook-Air-2:~$ sudo fdesetup status 
Password:

FileVault is Off.
House-MacBook-Air-2:~$ sudo fdesetup status 
FileVault is Off.
Decryption in progress: Percent completed = 20.23
House-MacBook-Air-2:~$ 

Even after leaving the machine switched on and set to not sleep, the percent complete does not move. It does not even make progress in the background when the system is awake and at the login screen with no-one logged in.

4) diskutil says decryption is needed

Last login: Mon Jan 21 00:30:50 on ttys000
House-MacBook-Air-2:~$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 2Cxxxxxx3-AA11-48A1-B90A-756xxxxxxF39
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         250140434432 B (250.1 GB)
    Free Space:   18882560 B (18.9 MB)
    |
    +-< Physical Volume Dxxxxxx1A-1061-4343-8E2C-D8AxxxxxxD78
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     250140434432 B (250.1 GB)
    |
    +-> Logical Volume Family 1xxxxxxE-4477-4DC4-801F-80xxxxxxFB50
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Converting (backward)
        Reversion State:         Reverting
        High Level Queries:      Not Fully Secure
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume 1xxxxxxD-B8AE-4390-93B0-E93xxxxxx13
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            Size (Total):          249769230336 B (249.8 GB)
            Conversion Progress:   Failed
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS
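
A way to check for this state from a script before attempting an upgrade, shown as an added example that is not part of the original post. The function names are hypothetical, the "stuck" sample is abridged from the listing above, and the "finished" sample is constructed on the assumption that a converted volume reports "Complete":

```shell
#!/bin/sh
# Added example (not from the original post): classify the CoreStorage
# conversion state from `diskutil cs list` text read on stdin.

cs_conversion_state() {
    awk -F': *' '
        /Conversion Status:/   { seen = 1
                                 if ($2 ~ /Converting/) converting = 1
                                 else if ($2 !~ /Complete/) unknown = 1 }
        /Conversion Progress:/ { if ($2 ~ /Failed/) failed = 1 }
        END {
            if (!seen)           print "no-corestorage"
            else if (failed)     print "failed"
            else if (converting) print "converting"
            else if (unknown)    print "unknown"
            else                 print "complete"
        }'
}

# Pull the percentage out of `fdesetup status` text; prints nothing if absent.
fv_decrypt_percent() {
    sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p'
}

# Lines taken from the diskutil listing in the post (abridged).
SAMPLE_STUCK='        Encryption Type:         AES-XTS
        Conversion Status:       Converting (backward)
            Conversion Progress:   Failed
            Revertible:            Yes (unlock and decryption required)'

# Constructed sample of a volume whose conversion has finished (assumption).
SAMPLE_DONE='        Conversion Status:       Complete
            Conversion Progress:   -none-'

# Lines taken from the fdesetup output in the post.
SAMPLE_FDE='FileVault is Off.
Decryption in progress: Percent completed = 20.23'

# On a Mac: diskutil cs list | cs_conversion_state
printf 'stuck sample: %s\n' "$(printf '%s\n' "$SAMPLE_STUCK" | cs_conversion_state)"
printf 'done sample:  %s\n' "$(printf '%s\n' "$SAMPLE_DONE" | cs_conversion_state)"
printf 'percent:      %s\n' "$(printf '%s\n' "$SAMPLE_FDE" | fv_decrypt_percent)"
```

A result of "failed" matches the state in this post: the volume is still partly encrypted even though fdesetup reports FileVault as off, so neither the upgrade nor the disk's encryption status can be trusted until it is resolved.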

Remedy

Despite a few reboots and leaving it switched on for long periods, both logged in and logged out, the decryption did not progress or resolve itself. A hunt round the forums found a few others that had similar problems that had not been resolved.

The only feasible solution I found was to re-image the machine using the most excellent Time Machine.
  1. Attach an empty external hard drive of larger capacity than the Mac.
  2. Add the new drive as an extra Time Machine drive.
  3. Wait until the backup completes to the new drive.
  4. Check to ensure that the new backup is of the same size as the contents of the Mac.
  5. Unplug the backup drive.
  6. Reboot the machine holding Command-R to enter the recovery console.
  7. Use Disk Utility to erase the main drive.
  8. Use "Recover from Time Machine backup" to restore the system, noting but ignoring the warning about using encrypted data to restore an unencrypted drive.
  9. Restart the machine once recovery is complete.
  10. Complete the OS upgrade from the App Store.
  11. Remove the extra drive from the Time Machine backup configuration.
  12. Switch on FileVault again (optional).

Sorry I could not find some fancy hack to free up the decryption; just grateful that Time Machine could save the day (again).












Saturday, 29 March 2008

What is a disk worth?

A friend has a newish Power Mac and loves the box. Unfortunately it crapped out during an upgrade to Leopard with a hard disk error and had to be reinstalled, losing all the data. That was a warning, as just this week the disk died completely to the point of not being seen at boot time or by Disk Utility. An AppleCare call to Apple was made and a disk exchange was agreed. The standard exchange for a faulty part was dispatched under the "DIY repair" process that removes the need for a "return to base" repair, but the faulty drive has to be sent back in exchange.

There has been recent concern about returned hardware being "remanufactured" back into the field and service folks rummaging through contents, so there is reason to worry about data security.

All very good so far, but what is that returned disk worth? The dead mechanicals not very much, but the data on the drive can be priceless. It has all his email, password vault and documents. Chances are that the data is not recoverable, but that could not be said for some drives returned under warranty. There is now no chance to wipe the disk, and mechanical destruction would invalidate the return. He could of course buy his own replacement drive, but then that is a waste of the extended warranty payment.

I guess it comes down to a matter of trust or using a drive/account encryption program such as FileVault to prevent data recovery from a lost hard drive.

Gannett