How to recover data from an encrypted Apple APFS volume

In contrast to HFS+, the modern Apple’s APFS file system employed in macOS 10.13 High Sierra and later has native support for disk encryption. This makes it capable of protecting critical user data at the file system level, without the need for an extra layer of abstraction provided by Core Storage. Still, in spite of its modern security features, the technology certainly does not guarantee the prevention of data loss. It may happen as a result of various factors, like a human error or power failure. Fortunately, files lost from an encrypted APFS volume on the internal drive or an external device can be decrypted with the correct password or recovery key. After that, it can be restored to any safe location, unless severe damage has destroyed the parts of the disk which keep the information essential to decrypt the data (encryption key file, metadata, etc.). Follow the offered instruction to decrypt your Apple storage and rescue the encrypted data in UFS Explorer of the Standard, RAID, or Network RAID editions. If you are going to use UFS Explorer Professional Recovery, please refer to the second instruction.

For UFS Explorer of the Standard, RAID or Network RAID editions

1. Attach your device locked by Apple APFS to the computer.

Connect the encrypted portable hard drive to your Mac. In case of an internal storage, you will need to remove it from the computer and use with another PC as a secondary drive or launch your Mac in a safe environment with the help of UFS Explorer Backup and Emergency Recovery CD. One may also work on the same Mac, but this approach requires disabling System Integrity Protection, as described in Unblocking access to macOS drives. Yet, the latter option is inadvisable due to a high possibility to overwrite the data. Furthermore, the information cannot be recovered from the system drives of Mac models that rely on Apple’s M1 (Apple Silicon) or T2 security chips, as is further explained in the provided article.

Hint: Please rely on the instructions to plug the disk into the motherboard or сonnect the drive externally using a USB to SATA/IDE adapter.

2. Install and run UFS Explorer Standard Recovery, UFS Explorer RAID Recovery or UFS Explorer Network RAID.

Open the software with elevated privileges by entering the correct username and password. The program will list all the connected drives in the left pane. The logical volumes of each physical device will show up under it.

Hint: If you have any difficulties with the installation of the utility, please refer to the installation manual for the employed edition of UFS Explorer.

3. Find the required encrypted APFS volume among the displayed

Examine the list for the presence of an APFS partition indicated with a yellow padlock icon.

Hint: If you want to learn more about how different drives and volumes are labeled in the interface of UFS Explorer, please refer to Identification of different storages and technologies.

4. Decrypt the storage in the application to unlock its content.

Although the file system may be labeled as accessible, no valid data can be retrieved from it until it gets deciphered. For this, open the volume’s context menu and choose the "Decrypt encrypted APFS volume" option from it. In the opened dialog, type in the correct user password or paste the recovery key into the respective field.

5. Run a scan on the decrypted volume to get back deleted or lost files.

After successful decryption, the volume will become unlocked and its content will be accessible in the program. You can also look for deleted or lost files by scanning the storage. Get the "Scan this storage" tool from the toolbar, deselect all file systems, except APFS, and hit the "Start scan" button.

Hint: More information about configuring the scan can be found in the instruction on scanning a drive with UFS Explorer.

6. Check off the necessary recovered elements and save them to another location.

After the scanning is accomplished, navigate through the file system reconstructed by the application and find the folders and files you need. Then, click "Define selection", enable the checkboxes next to them and hit "Save selection". After that, specify a safe destination storage for copying.

Hint: The information provided in Evaluation and saving the results of data recovery may facilitate your work with the obtained folders and files.

Hint: If you are going to save the recovered data to a network storage, please check the provided guide.

For UFS Explorer Professional Recovery

1. Connect your encrypted Apple APFS device to the computer.

Plug the encrypted external drive into the Mac. If you need to work with the system disk, in order to get access to it, you will have to extract it from the machine and attach it to another computer as a secondary storage or boot your Mac in a safe environment using UFS Explorer Backup and Emergency Recovery CD. It is also possible to work on the same Mac if you disable System Integrity Protection as described in Unblocking access to macOS drives, but this option is not recommended in view of a high risk of data overwriting. Moreover, data recovery from internal drives cannot be performed on Mac models that employ Apple’s M1 (Apple Silicon) or T2 security chips, please refer to the given article for more information.

Hint: Please rely on the instructions to plug the disk into the motherboard or сonnect the drive externally using a USB to SATA/IDE adapter.

2. Install and launch UFS Explorer Professional Recovery.

Start the program with administrative privileges by entering the correct user/password in the pop-up window. The application will display all the attached drives in the list of connected storages in the left pane. Each physical device will have its logical volumes placed under it.

Hint: If you have any difficulties with the installation of the utility, please refer to the installation manual for UFS Explorer Professional Recovery.

3. Choose the necessary encrypted APFS volume from the list of storages.

Explore the list to find the needed encrypted APFS partition labeled with a yellow padlock icon.

Hint: If you want to learn more about how different drives and volumes are labeled in the interface of UFS Explorer, please refer to Identification of different storages and technologies.

4. Use the decryption tool provided by the software to open the data.

Even though the partition is marked as accessible, the data within it cannot be read until deciphered. Open the volume context menu, select the "Decrypt encrypted storage" option and then choose the "APFS volume decryption" method. Enter the correct user password or copy the recovery key into the field, including all the dashes.

5. Scan the decrypted storage to regain deleted or lost files.

After decryption is completed, the available files will become accessible in the software interface. You can also find the deleted or lost ones by scanning the storage. To run the scan choose the respective tool from the toolbar, unselect all extra file systems excepts APFS and click "Start scan".

Hint: More information about configuring the scan can be found in the instruction on scanning a drive with UFS Explorer.

6. Select the needed recovered items and copy them to another disk.

When the operation is finished off, you can run through the file system restored by the program to find the needed folders and files. To define the ones to be saved click "Define selection", mark them with ticks and click "Save selection". After that, choose a safe destination folder for the rescued items.

Hint: The information provided in Evaluation and saving the results of data recovery may facilitate your work with the obtained folders and files.

Hint: If you are going to save the recovered data to a network storage, please check the provided guide.

The whole procedure is also demonstrated in the following video:

Last update: August 19, 2022

If you liked this article, you can share it on social media: