How to change an encrypted volume's password in OS X
While encrypting and decrypting a volume can be done on the fly, the option for changing its password is a bit hidden.
With data security being an all-too-common concern, the options for encrypting data in OS X are welcome additions that are quite easy to implement. While you can store files in an encrypted disk image, you can also use FileVault to encrypt your boot drive. Furthermore, you canby right-clicking it and choosing the option to do so, or by using the Terminal.
These features are convenient, but if you wish to change the password for an encrypted drive, you will find that this feature is not available along with the options for encrypting. You can change a password by first decrypting the volume and then encrypting it again, but this will take a while for drives with large numbers of files on them.
Changing a password for an encrypted volume can be done without having to wait for it to decrypt and then encrypt again. This can be done in two ways:
- Disk Utility
Open the Disk Utility program in the Applications > Utilities folder, and then select your encrypted volume in the sidebar. Then go to the File menu and choose "Change Password," and you should be presented with a standard new password prompt that requests that you enter the old password and then the new password twice, and provide an optional password hint.
- The Terminal
As with most disk management operations, changing the encrypted disk's password can also be done using Terminal commands, for if you only have access to a system via SSH or Single User mode. To do this, first open the Terminal and get a listing of the encrypted disk devices by running the following command:
diskutil cs list
The output of this command will look like a hierarchical tree that shows the physical drives involved, the logical volume family created from these drives, and then the logical volumes themselves that are on these drives. Each of these items will have a corresponding UUID associated with it. Locate the UUID next to the "Logical Volume" (not the Logical Volume Group) for the encrypted drive. You can use the mouse to highlight it and then press Command-C to copy it, and then use it in place of "UUID" in the following command (all on one line):
diskutil cs passwd UUID -oldpassphrase OLDPASS -newpassphrase NEWPASS
When this command is executed, the volume will now have the new passphrase.