How do I create an encrypted APFS volume from the command-line?

apfs diskutil

It seems that the volume was created correctly, but hdiutil attach just provides misleading output when you try to mount a disk with an encrypted volume on it. If you use -nomount and then proceed with diskutil commands instead, everything seems to work.

Here's the flow (there may be shortcuts but this is running from a script, so sometimes it detaches and reattaches because that's how the script is organised):

>>> hdiutil create -megabytes 1 -layout GPTSPUD -fs apfs -volname encrypted encrypted.dmg
    created: .../encrypted.dmg

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> diskutil mount disk3s1
    Volume encrypted on disk3s1 mounted

>>> diskutil apfs deleteVolume disk3s1
    Started APFS operation
    Deleting APFS Volume from its APFS Container
    Unmounting disk3s1
    Deleting Volume
    Finished APFS operation

>>> diskutil apfs addVolume disk3 APFS encrypted -nomount -stdinpassphrase
    Exporting new encrypted APFS Volume "encrypted" from APFS Container Reference disk3
    Started APFS operation on disk3
    Preparing to add APFS Volume to APFS Container disk3
    Creating APFS Volume
    Created new APFS Volume disk3s1
    Disk from APFS operation: disk3s1
    Finished APFS operation on disk3

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> diskutil apfs unlockVolume disk3s1 -stdinpassphrase
    Unlocking any cryptographic user on APFS Volume disk3s1
    Unlocked and mounted APFS Volume

>>> diskutil mount disk3s1
    Volume encrypted on disk3s1 mounted

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> dd if=/dev/disk3 of=encrypted.img

    1968+0 records in
    1968+0 records out
    1007616 bytes transferred in 0.049776 secs (20242977 bytes/sec)

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

Related

Restore Terminal Tabs with Session History
Cannot ping localhost after migrating to new Mac
How do I create a permanent snapshot of a Time Machine backup
Serial number and sound unavailable after taking apart MacBook Air to clean it
Safari Reading List not syncing
Application opens twice when file specified
Should You Honor the Local Pronunciation [closed]
"To bury someone twice" [closed]
Apostrophe on plurals of a word abbreviated with a symbol?
"post offices can provide many of the same services OF banks"
Need a word for "Should not have happened' with a negative context
Capitalization question