Home > Mac Data Recovery Tips

Failed to Unlock an Encrypted Disk: Reasons and Fixes 

Updated on Tuesday, December 3, 2024

Written by

Jessica Shee

English Français Deutsch

When you are using iBoysoft Data Recovery for Mac to scan an encrypted disk for lost data, the software will ask you to unlock the disk with the correct password first. Then the data on the disk can be decrypted for scanning and recovering.

However, you keep receiving an error message like "the password is incorrect" even though you entered the correct password. Why can't you unlock your encrypted disk for data recovery? This article will give you answers and address your problem according to how this disk or volume is encrypted.

 Tips: You can click the "Skip" button to skip entering your password to unlock the encrypted disk or volume. iBoysoft Data Recovery will continue to scan the selected storage for data that has not been encrypted. But if you want to recover data that has been encrypted in the device, you will still need the correct password or recovery key to unlock it later.

 

Disk or volume uses an encrypted APFS file system

If you choose an encrypted APFS as the file system for your disk or a volume, you will be required to manually set up a password when creating.

The most likely reason why your disk or volume can't be unlocked successfully is that your password is incorrect. If you copy the password from a file, make sure you don't copy any unnecessary space. If you changed the password, try to recall the new password for it.

Another cause might be your disk or volume has been reformatted. Reformatting an encrypted APFS disk will destroy or wipe the intermediary key stored on the disk that is decrypted under the correct password input. As a result, even with a correct password, you can't unlock your encrypted APFS volumes or hard drives. So, iBoysoft Data Recovery for Mac will report your password is not working.

 

The hard drive or volume is encrypted by a third-party encryption application

Using third-party software to encrypt and protect data is a common practice. However, the drive encrypted by a third-party service probably can't be recognized or unlocked on Mac without according software. The same is true for iBoysoft Data Recovery for Mac.

In this scenario, you need to install the same application that you used to encrypt your drive and unlock it using the app. Then you can use iBoysoft Data Recovery for Mac to scan it for lost data.

The disk is encrypted by FileVault 2

A FileVault-protected hard disk can be unlocked either by the correct password or recovery key. Find the correct password and recovery key according to your disk type.

The startup disk is encrypted by FileVault 2

If you turned on FileVault 2, the native full-disk encryption feature in macOS beginning from OS X 10.7, to encrypt Mac's internal startup disk, you will have one of the two or three ways (depending on which version of macOS you are using) to unlock a FileVault-enabled disk.

  • Use your Mac login password to unlock a FileVault-encrypted disk because the login password is by default the password for FileVault if you have never changed it
  • Access your recovery key or reset your password in iCloud
  • Use the recovery key created and stored in a safe place when you turn on FileVault for the first time

The external disk is encrypted by FileVault 2

If you used FileVault to encrypt an external hard drive with iBoysoft DiskGeeker or other third-party software with the FileVault feature, you will have two options to unlock the disk:

  • Use the self-designed password when you encrypted the disk
  • Use the generated recovery key you either backed up in a file or printed out

Still can't unlock and decrypt your FileVault-encrypted drive even though you use the correct password or recovery key? Like a disk with encrypted APFS format, the intermediary key in FileVault, which is also called the volume key KEK that decrypts the volume master key under password or recovery key input, probably has been destroyed or erased by reformatting or disk damages. In this situation, iBoysoft Data Recovery can't use your password or recovery key to unlock and decrypt files.

 

Drive is encrypted by Apple's T2 security chip and Apple silicon

A Mac with a T2 security chip and Apple silicon uses the Secure Enclave subsystem to provide an extra layer of security to your Mac and keep sensitive data secure on Mac's startup disk. If you do not encrypt your startup disk by FileVault, an encrypted file system, or other encryption methods, your hard disk is still encrypted by the Apple processor. 

In addition, the hard disk requires no user password to unlock but the unique ID (UID) root cryptographic key which is randomly generated by the Secure Enclave TRNG (True Random Number Generator) and fused into the SoC at manufacturing along with a GID (Device Group ID) by the Secure Enclave AES Engine.

The most possible reason why you can't unlock the hard drive from a Mac with a T2 security chip or Apple silicon is that the disk is remotely wiped in Find My app on another Apple device. To avoid data leaks after your Mac is stolen or lost or before you sell or give away your device, Apple allows users to remotely erase your Mac by completely wiping the UID root cryptographic key. That is the quickest and most secure way to shut everybody out of your Mac.  

As a result, when you use iBoysoft Data Recovery for Mac to scan your startup disk from a T2-secured or Apple silicon-equipped Mac, no password will be accepted to unlock the startup disk. Even though you attach the encrypted startup disk to another T2 or Apple silicon Mac, you still won't be able to unlock it because the UID root cryptographic key is device-specific.

 

Conclusion

Depending on the disk types and encryption methods, the causes why you failed to unlock a disk or volume are different. Most of the time, if you have the correct password or recovery key, you can unlock an encrypted storage device. But if your encrypted disk has been reformatted or your Mac has been remotely wiped, it is nearly not possible to unlock it and perform data recovery.