Do I need to decrypt the hard drive before repair?

macos filevault encryption repair

Today I left my MBP Retina at local authorised Apple service (it's a mid 2012 model, and it's having some gfx issues), and then I got an email telling me that I have to go back there and decrypt my hard drive, because they can't test if it qualifies for the free repair program.

If I will have to do it, then what should I do before giving them my laptop back (is just disabling keychain and deleting important files ok)?

Why do they need me to decrypt the whole disk? Isn't it just the hardware thing?


You should have to remove an EFI password or permit them to reset that since it prevents Service Providers from network booting to diagnostic images or selecting an attached bootable volume to run test software.

You don't need to decrypt FileVault 2 in any service I've ever seen unless you want them to log in to your user account and look at your software. With physical access they can wipe a drive, make a clone/copy of it, but encryption is your way to protect the contents of the files reasonably well without impacting service testing.

My guess is that the person communicating with you mis-spoke or mis-understood the notes from the technician and if you call them back (or have AppleCare update the case notes and alert the technician), they can confirm if you have EFI locked firmware password set.

Apple documents this in the repair terms and conditions both online and you should have received them before signing the machine in for service.

Technically, they could wipe your drive and reset all passwords per the terms, but generally they give you a courtesy notice before doing so intentionally.

See: https://support.apple.com/en-us/HT203253

Despite my generally trusting Apple repair employees, I would not give a machine password to an AASP until I had a very good understanding of who in that organization would have access to it, how it would be protected and when it would be destroyed. As to an iCloud password, the bar for yielding that is far, far, far higher bordering on almost never ever.


That indeed sounds very strange. Keep in mind that there can also be stores which only fake their licenese and aren't real service providers.

If you want to be sure, look up here: https://locate.apple.com/ | There you can search for official Apple Authorized Resellers.

You also could contact Apple-Support and ask them: https://support.apple.com/en-us/HT201232


Repair centers generally need to boot your device. They do NOT need to access your account.

  • You will need to remove an EFI password if there is one

  • If you use filevault just create a separate account for them. Something obvious like "AppleService" with "password" and delete it when they are done. It does not need to be an admin account unless you took it in for software issues.

  • If they say they need admin access, ask for specifics. Push back on platitudes like "we need it to complete the service". Program name, settings etc.

  • Tell them to boot from an external. All Macs can do this, any service center that doesn't have a bootable external is borderline incompetent.

  • Remove the drive and tell them to boot from an external. How practical this is depends on the model and your screwdriver skills. Service centers do NOT need an internal drive unless you are sending it in for a drive or software issue. This option may have consequences for your warranty.

I have returned a couple of machines without the drive, the service center said absolutely nothing about it.

Related

OS X Internet Recovery Globe stuck
A way to test System Integrity Protection SIP (NOT about how to enable/disable)?
Can one MacBook charge another over USB-C?
I removed the passcode from my iPhone before repair, has my data been compromized?
What affects the colour of the Startup Screen?
Generating combinations in c++
How does XOR variable swapping work?
Read all worksheets in an Excel workbook into an R list with data.frames
How do I create 7-Zip archives with .NET?
Datatype for storing ip address in SQL Server
filters on ng-model in an input
Animate element to auto height with jQuery