How Jeroen Zomer sees IT

Crash Recovery of an OSX Lion FileVault disk

December 18th, 2011 Posted in security, technology

My Apple iMac started to behave weirdly, with some Kernel Panics, grey screens and general crashes. While I was going through this I was pretty sure it wouldn’t hurt me as I had a TimeMachine for continuous backups. How wrong could I be!

After it all crashed hard on me, I still managed to open the encrypted hard disk and made some backups by hand. I consider this quite a neat trick, so let me explain and perhaps save your day as well.

(updated with extra info)

Apple introduced a pretty strong disk encryption algorithm straight into OSX Lion. As a person concerned with security, I enabled this option. This also starts making encrypted backups in my TimeMachine. And a TimeMachine is a pretty decent backup device, which has saved me a couple of times already. But this time was different. When I started to get Kernel Panics from OSX, it somehow trashed the TimeMachine as well. It requested a full backup after a couple of days. I thought about it, but decided ‘what could be wrong about a fresh backup?’ But around the backup my Mac started to crash so frequently that it wouldn’t fire up at all most of the time.

So with my old MacMini I tried to see what was there. I was able to mount the TimeMachine disk and saw only a ‘Partial’ bundle. I managed to browse it (open package) and found a partial backup. My last backup-backup to my QNAP NAS was around June. So all in all I missed some important documents and photos from the last half year. I was not yet ready to give up digging and found a neat little trick to get a full backup!

My Mac did boot in ‘Repair Mode’ (Option-R during boot) and I could fiddle around a little with the repair tools. They worked fine, but a TimeMachine recovery obviously did not work and Terminal only saw a locked disk. Disk Repair utility fixed my disk and said all was well. Well, it wasn’t, as in normal mode it would still hang or panic.

Then suddenly I saw the option to select a boot device! I could select my iMacHDD boot device and it asked for a password to look inside the device to see if it was bootable. So I entered my password and after some time it told me it was ready for a reboot. I denied and went back to the recovery tools!

This time the locked FileVault had been mounted and I was able to use Terminal to see the device’s content through the command line! It seemed I was saved, as all documents and files seemed to be accessible in /Volumes/iMacHDD/Users !!

I mounted an empty USB device and copied as much as I could to this disk. It is not fast. It takes some proper planning (do not forget to browse the ~/Library) and some files are useless, but the disk is read-only, so I opened another bash terminal (!) and deleted some files from the USB drive as soon as they were copied over (like Parallels disks, which I do not care too much about).

I am currently copying this backup to my RAIDed NAS and will fetch some more data from my iMac. But the most important Pictures and Documents seem to be safe.

So: choose boot device, let it mount after you have entered the password, go back to repair tools and use your command line magic!

I consider myself quite lucky to be able to come up with this scenario and work through the motions.

And yes, I will make more secondary backups from now on and only partially trust my TimeMachine.

UPDATE

While I am typing this, my iMac is back alive. In retrospect, it all seemed to start when I installed (don’t ask) Adobe’s Shockwave player. I am not sure it caused the problem, but now all is fine after a full recovery and removal of this piece of software.

I bought a new large USB drive and formatted it with the DiskRepair tool during recovery. I formatted it with Apple’s filesystem HFS. My previous copying had deleted or scrambled most file dates. This time the disk was large enough to copy the entire disk. I used ditto this time as well.
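The copy step described above, as an added example that is not part of the original post: it copies one folder from the unlocked read-only volume with ditto (falling back to cp -Rp where ditto is missing) and then checks every file's contents and modification date against the source. The function names and the NAME and USBDISK path parts are placeholders, and it assumes find and cmp are available in the shell you run it from.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up here.

# Copy the contents of directory $1 into directory $2, keeping file dates.
copy_tree() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "no such source directory: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2
    if command -v ditto >/dev/null 2>&1; then
        ditto "$src" "$dst"          # macOS: preserves dates and metadata
    else
        cp -Rp "$src"/. "$dst"/      # elsewhere: -p keeps dates and modes
    fi
}

# Compare every regular file under $1 with its copy under $2.
# Prints "DATA path" for missing or differing contents and "DATE path" for a
# changed modification time; returns 0 only when nothing was printed.
verify_tree() {
    src=$1
    [ -d "$src" ] || return 2
    dst=$(cd "$2" && pwd) || return 2
    problems=$(cd "$src" && find . -type f -print | while IFS= read -r f; do
        if ! cmp -s "$f" "$dst/$f"; then
            printf 'DATA %s\n' "$f"
        elif [ "$f" -nt "$dst/$f" ] || [ "$f" -ot "$dst/$f" ]; then
            printf 'DATE %s\n' "$f"
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Usage (NAME and USBDISK are placeholders):
#   copy_tree   /Volumes/iMacHDD/Users/NAME /Volumes/USBDISK/NAME &&
#   verify_tree /Volumes/iMacHDD/Users/NAME /Volumes/USBDISK/NAME
```

A DATE line on an otherwise intact copy usually means the target filesystem stores timestamps more coarsely than the source.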

In the meantime I was also able to mount my QNAP NAS over the network. CIFS did not work, and the command mount never worked, but /sbin/mount_afp worked fine (and my QNAP supports AFP as well after a tick in the appropriate box).

I was able to do a full recovery during the reinstall of Lion from my new USB disk. Apple has developed real nice software for this… if it works ;-)
