
Scirroco

macrumors newbie
Original poster
Mar 23, 2013
Good evening.
MacBook Pro, 2018 2.7 GHz Quad-Core Intel Core i7, Touchbar, Sequoia 15.4, 1TB SSD.

I have the 1TB SSD organised with 2 containers with one being a 20GB encrypted APFS container 1 (disk1s1). The main, rest of the SSD, is Container disk 2 where the OS and all my regular apps and data are stored.

The encrypted disk shows up, greyed out, in Finder (screenshot attached) and the Info on it from Finder is shown in the other attached screenshot, Data volume.jpg

The encrypted disk is for storing personal data (banking information, health records etc) and is rarely used. It has been very reliable.

Today, I could not mount it when I wanted to add some extra information. My password was rejected. After several attempts at re-entering my password, and it is still failing to mount, I was hit with a message stating that too many attempts had been made and I should wait for 10 minutes before re-trying. I did and it failed again, except that I now had to wait 8 hours.

I have searched the internet for any solutions to this, including if there are any terminal commands that can rescue this. I have Time Machine Backups of the entire 1TB SSD, but can find nothing that indicates the encrypted disk has been backed up. Also, I have Carbon Copy clones of the entire SSD, but again nothing that I can see of the encrypted disk.

[Attachments: Finder Disks.jpg, Data volume.jpg]
Any suggestions or advice would be more than welcome. Thank you.
 
Run Keychain Access. (I use Spotlight to find and run this: Command-space and type Keychain. Its path is '/System/Library/CoreServices/Applications/Keychain Access.app' if you prefer to do it that way.)

Select the login keychain in the side bar, and Passwords tab.

Scroll down (or use Search) to the name of your secret encrypted volume.

Double click to open. Click Show password and enter your login password. Copy and save/remember the password carefully.

Comments (which you may ignore):
1. You don't have to use a separate partition/container, you can create an additional encrypted volume in the main container disk2.
2. You need to think through how to backup this volume. I suggest you don't want it in Time Machine as that would make it available to all users of your computer. Since you already have CCC, create a manual task to backup the secret volume to another secret volume on your backup disk. It all gets very complicated.
3. Since anyone with the login password can find the password of your secret volume, I question the point of it. Encrypt the boot/system disk (Lemon) and it will be opened when you log in. But maybe you let other people use your computer under your username and you trust them, etc. and hope they don't know how to use the secret disk and to find its password.
 
Thank you very much for your reply. Unfortunately/fortunately, I don’t use Keychain Access for storing this particular password - because of your Comment #3. I know that my “Secret disk” password is hard-wired into my brain and has always worked.
It is still (8-hours after computer turned off) not mounting and I think I am left with the only option of using either my Time Machine or Carbon Copy Cloner backups to recover the Secret Disk. Except I cannot see any sign of it in those backups! All I can see are the contents of my non-encrypted, regular SSD.
Do you know if either of those 2 Backup apps do, in fact, backup encrypted, unmounted partitions/containers and how I might see them and recover them?
Would it be possible for me to now make a copy of the “Secret disk’ before everything goes completely belly-up?
Thank you for any help you might give.
 
Not looking good.

From what I understand of your scenario, I see why you went with the secret partition/volume. Always hard when you want/need to share with other people.

Backups: I would expect your TM and CCC backups to be backups of Lemon only unless you had done something to enable them. TM expects source drives to be always available, which your secret drive is not. CCC could have been configured with a backup task to backup the secret drive when mounted, but you would know if you had done that. So, sorry, from what you have said I think you don't have any backup. :( Also the backup would have been available to anyone using the computer.

A copy of your secret backup volume is not going to help without the password. Just keep it untouched and hope you remember the password soon. That is if it is a lapse of memory which, from what you have said, is unlikely.

If you were entertaining the possibility of malicious activity, someone else could have erased the secret volume and given it a new password. That would have removed any possibility of recovery.

Encryption protects from snooping, but not from destruction. Need to have the encrypted data on a physically secure device - e.g. an external SSD which you keep securely when not in use. And another physically secure device for backup!

Doom and gloom, unless someone else has better ideas.
 
You say you know the password for the encrypted volume. Have you tried creating a new administrator account and attempting to mount the volume? Have you tried mounting the volume while booted into Recovery or external USB media?
 
Hmmm....
The encryption...
... is WORKING.

Sorry, had to say that.
Over years here at macrumors, I've posted again and again about the hazards of encrypting. When it works, it's great.
But... if it breaks?

When encryption goes haywire, it keeps YOU from getting at your data.

Sounds like you're going to have to go to your backup.
And.... YIPES!... the encryption is blocking you there, too...?

Don't you have this data kept "in the clear" (NO encryption) someplace?
Again, now you're finding out why not doing so can turn against you in "a moment of need".

If you can manage to "get at" things again, I'd suggest a change:
Instead of an APFS container, create an encrypted disk image on your "main" volume (where your home folder is).
I'm going to GUESS that it will be less susceptible to problems than an APFS container.

And... when you back up... find a way to store the data that's currently on the encrypted partition to your backup drive WITHOUT any encryption at all -- NONE.

Then, either put this drive in a safe, hide it someplace, etc.
Then... if your encryption fails you again, you DO have a copy of data "in the clear" that you can actually get to...

Personal experience:
The only encryption I use is:
a. An encrypted HFS+ partition on a backup drive I keep in my car as an "off-site" backup. The car could be stolen, and they'll "get the drive", but not the data. In this case, it's a necessary compromise. All my other drives (including backups) -- many of them -- are "in the clear".
b. A small (10mb) encrypted disk image I keep on my MacBook Pro, with a database of all my passwords in it (about 140 entries). Again, the MBP could be stolen, but the passwords are [hopefully] secure. I keep UNencrypted copies of this database on my "main Mac" at home.
 
@Bigwaff Many thanks for what could so easily have been a brilliant solution! I did create a new Admin account, logged into it, got prompted to enter the password for unlocking the “Secret disk” and ……. it failed (with a prompt to try again in 8 hours). I am 100% certain that my password is correct; I use the same password for another security feature on my computer and that still works. It is not a mis-remembered password failure. I have also tried mounting it in Recovery mode - no joy. And I have no bootable USB devices, otherwise I would have tried your other suggestion.
I am the only person who uses this computer - malware is not remotely suspected, or malicious access to the partition.
I think I am now going to have to admit defeat, but thank you and @gilby101 for your constructive help.
[Attachment: Disk locked.jpg]
 
Just seen your post and (in hindsight) I agree with EVERYTHING you write. All too late now. My original thinking was related to my attitude to Keychain Access, specifically Secure Notes. I built up a whole bank of separate Secure Notes and had these in a separate Keychain, with a different password. Everything wonderful, right up until Apple went onto Passwords App and deprecated Keychain Access (although it is still available and I still use it).
My “Secret disk” routine was nothing special …… I thought, just a minor security modification. Events have prompted a major re-adjustment in thinking.
Thank you for your suggestions - more than helpful for the future.
 
Wild guess on my part as assuming OP layout is unusual and probably not an Apple QC use case...

Says 15.4, wonder if something during upgrade went and updated/modified something (other than base OS) in the first container that corrupted the second container? New/bigger recovery, preboot, VM? In the past, and assuming similar these days, updates/installs would modify/add the hidden volumes, and maybe some improper use of low-level routines, calculation on additional space needs, whatever, messed up some bits in container #2.
 
@Scirroco Do you recall which version of macOS was used to create the encrypted APFS volume? At this juncture, I would download Sonoma and create USB install media. Mist is a wonderful utility and can create the USB install media with a single action. A 32GB flash drive works perfectly.

You don't have to install Sonoma, just boot from the external USB media by holding down Option while booting until you see the boot picker. Once booted into Sonoma via USB media, try to mount using Disk Utility. Another option would be to try internet Recovery (Option+Shift+Command+R while booting). This will boot Recovery from the version of macOS which came with your Mac or the closest version still available. Be patient as internet Recovery can take a very long time to download and boot. Try to mount using Disk Utility in internet Recovery.

If these options don't get you into the encrypted volume, I would have to say Sequoia 15.4 has confused your boot volume and the non-boot encrypted volume, especially because you see the message about trying again after some period of time. I've honestly never seen this with encrypted APFS volumes which are not the boot volume. Instead of the encrypted volume password, try your administrator account password. Perhaps weirdly you need to unlock the disk using your administrator password and then unlock the volume using the encrypted volume password. It might be two steps.... ¯\_(ツ)_/¯
 
If you very helpful guys can bear with me, here is feedback from your suggestions …..

  1. Decided to follow Bigwaff’s advice and boot from a Sonoma USB flash drive. Top tip about using Mist to prepare the drive! Except I followed the link to the GitHub page, looked at the contents and my head exploded - I had not a clue on how to proceed! (Except, right at the bottom of that page were 2 shortcuts, the first leading me to install Homebrew from Terminal and the second how to install Mist from a single Terminal command). I selected Sonoma 14.7.5 from the list of available OS to make the bootable USB (32GB Kingston flash drive) and left it to do its thing.
  2. I disabled all of the MacBook’s start-up security features (in Recovery mode) and restarted to boot from the flash drive. It dropped out half-way through the boot process and reverted to a normal boot. The flash drive was defective. I have ordered 2 new SanDisk 32GB drives, arriving tomorrow and will try again.
  3. I then tried to boot from the OS that was supplied when the computer was new (Internet Recovery - CMD+Shift+Option+R), the OS got downloaded and the run failed with error 1008f, which turns out to be having to disable Activation lock by turning off Find My. Returned to Internet Recovery and when the downloaded OS had started, I saw that it was Sequoia! Whilst at that stage, I did try to mount my “Secret disk”, which failed for the same reasons as I have previously described, giving me another 4 hours before I could try again.
  4. Having too much time on my hands, I decided to examine the computer with EtreCheckPro to see if it would throw anything up. What it did produce in its report (apart from telling me that my MacBook was “Vintage”) were some apparent anomalies, which I don’t understand:

Drives:
disk0 - APPLE SSD AP1024M 1.00 TB (Solid State - TRIM: Yes)
Internal PCI-Express 8.0 GT/s x4 NVM Express
S.M.A.R.T. Details: 5% used, 102.31 TB written, 100% health, 143 unsafe shutdowns
disk0s1 - EFI [EFI] 315 MB
disk0s2 [APFS Container] 980.24 GB
disk2 [APFS Virtual drive] 980.24 GB (Shared by 6 volumes)
disk2s1 - L***** - Data (APFS) [APFS Virtual drive] (321.56 GB used)
disk2s2 - Preboot (APFS) [APFS Preboot] (2.60 GB used)
disk2s3 - Recovery (APFS) [Recovery] (1.33 GB used)
disk2s4 (APFS) [APFS Container] (11.24 GB used)
disk2s4s1 - L***n (APFS) [APFS Snapshot] (11.24 GB used)
disk2s5 - VM (APFS) [APFS VM] (20 KB used)
disk2s6 - Update (APFS) (3 MB used)
disk0s3 [APFS Container] 20.00 GB
disk1 [APFS Virtual drive] 20.00 GB
(? My “Secret drive”)
disk1s1 - N******a (APFS) (17.79 GB used) (this is my “Secret drive” data)


Mounted Volumes:
disk2s1 - L***** - Data [APFS Virtual drive]
Filesystem: APFS
Mount point: /System/Volumes/Data
Encrypted
Used: 321.56 GB
Shared values
Size: 980.24 GB
Free: 643.29 GB
Available: 655.23 GB

In the main “Drives” section, the main, whole 1TB drive is drive 0, with sub-drive (?) being laid down. Presumably (in bold), disk0s3 is my “Secret drive” of 20GB, but then immediately below that is disk1, a virtual drive, also of 20GB and the actual data stored in disk1s1.

In the “Mounted Volumes” section, disk2s1, my regular data storage disk, this disk is flagged as being Encrypted (Bold text), but it isn’t!

In Disk Utility, the “Secret drive” is also Container disk1, with device disk1s1. However, when I was in Recovery Mode Disk Utility, the “Secret drive” was no longer either disk0s3 or disk1, but was container disk2!

Following on from this, I noticed that each time I was booting into Recovery Mode, I was offered the chance to recover my “Secret drive” or “Lemon” (the name of my SSD) in the opening screen icons. Strangely (to me) “Secret drive” was positioned before “Lemon”, rather than after it, as usual when I have previously booted into Recovery Mode when this problem was not present.

If I have to admit defeat on this, I am imagining an erase, clean re-install of Sequoia, all apps and regular data. If I did that, but did not erase either the partition “Secret drive” or its contents, would the drive be accessed by the re-installed OS with my password or would everything be corrupt? NoBoMac’s suggestion seems very credible.

I forgot to mention that I had been running Sequoia in Beta stages over the past couple of months and that the problem arose recently, only following the installation of the final release version of Sequoia 15.4. Pertinent?

Thank you for reading this far and for your tolerance and help!
 
Apple account Recovery code, may help!
Um …. thank you for your response, but I am at a loss at seeing how an account recovery code might help? Sorry if I’m being thick, but I haven’t lost access to my account/s on the computer, just an encrypted part of my hard drive. Everything else is functioning normally and well. But thank you again! :)
 
In the “Mounted Volumes” section, disk2s1, my regular data storage disk, this disk is flagged as being Encrypted (Bold text), but it isn’t!

It is encrypted. Touch Bar Macs have a T2 chip which encrypts everything.


If FileVault isn’t turned on in a Mac with Apple silicon or a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted but the volume encryption key is protected only by the hardware UID in the Secure Enclave.

At this point, might be wise to backup what you can and re-format/install. Read the following as looks like you might be running out of runway re how many attempts to unlock are left.


Yes, something got messed up, could be a bug in MacOS, could be the odd configuration you are running or even did with it, but at this point it seems to be becoming a less important problem with each attempt to unlock as might wipe everything out after attempts are exhausted due to whatever the unknown root cause is.
 
  1. “It is encrypted. Touch Bar Macs have a T2 chip which encrypts everything.” Never knew that! Thank you.
  2. “Read the following as looks like you might be running out of runway re how many attempts to unlock are left.” Again, thank you for that. Gulp!
  3. “.. becoming a less important problem with each attempt to unlock as might wipe everything out.” And I have to agree with that.
Many thanks for teaching me some essentials and for nudging me into the re-format/re-install path. Much appreciated.
 
Something to try before going full nuclear option: Remove the hidden container/volume. Everything else should/could be ok and would not need to reinstall anything.

(But still backup what you can before trying this)
 
Thank you for taking the time for this. Done it already (Time Machine AND Carbon Copy Cloner) and I reckon a full complete erase, re-format and re-install is probably worth it now. Many thanks again.
 
After you recover your data, and if you still want an encrypted disk of some kind, I recommend using an encrypted disk image. A disk-image will maintain the full-disk encryption of the volume itself, and also maintain any permissions and ownership of the files.

I also recommend the sparsebundle format for that disk image, because that's the most flexible, and will need the fewest updates when doing Time Machine backups.

You can keep the encrypted sparsebundle on any format of disk, including ExFAT, or even FAT16 or FAT32. The only thing the storage needs is the ability to have folders with many 8MB files within it.

A disk image can still be susceptible to corruption and loss of data, such as if you remove its media without a safe-eject first.
 
A very good suggestion and, once my laptop is “re-built”, I shall certainly be adopting it. Many thanks for taking time to post this.
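
The encrypted sparsebundle recommended above, as an added example that is not part of any post in the thread: a small script that creates the image with `hdiutil` and copies the detached bundle to a backup disk, where the copy stays encrypted. `IMAGE`, `VOLNAME`, `SIZE_GB` and `BACKUP_DIR` are placeholder values chosen for illustration, and the backup guard assumes the image mounts at `/Volumes/$VOLNAME`.

```shell
#!/bin/sh
# Added example, not from the thread. All names and paths are placeholders.
IMAGE="${IMAGE:-$HOME/Vault.sparsebundle}"    # hypothetical image location
VOLNAME="${VOLNAME:-Vault}"                   # hypothetical volume name
SIZE_GB="${SIZE_GB:-20}"                      # same size as the 20 GB container
BACKUP_DIR="${BACKUP_DIR:-/Volumes/Backup}"   # hypothetical backup disk

# With DRY_RUN=1, print each command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Upper bound on the number of 8 MiB band files for an image of $1 GiB.
# The bundle is sparse, so only bands that hold data exist on disk.
band_count() {
    echo $(( $1 * 1024 / 8 ))
}

# Create the encrypted image. hdiutil prompts for the passphrase itself,
# so it never appears in the argument list or in shell history.
create_image() {
    run hdiutil create -size "${SIZE_GB}g" -type SPARSEBUNDLE -fs APFS \
        -encryption AES-256 -volname "$VOLNAME" "$IMAGE"
}

# Copy the bundle to the backup disk. Only band files that changed are
# transferred, and the copy is still encrypted. Refuse to run while the
# image is mounted, because bands may be mid-write.
backup_image() {
    if [ -d "/Volumes/$VOLNAME" ]; then
        echo "detach /Volumes/$VOLNAME before backing up" >&2
        return 1
    fi
    run rsync -a --delete "$IMAGE/" "$BACKUP_DIR/$(basename "$IMAGE")/"
}

case "${1:-}" in
    create) create_image ;;
    backup) backup_image ;;
    bands)  band_count "$SIZE_GB" ;;
    *)      echo "usage: $0 {create|backup|bands}" >&2 ;;
esac
```

Running it with `DRY_RUN=1` prints the commands without touching any disk, which is a safe way to check the paths first.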
 