APFS: Command tools

APFS has extensive support in the tools bundled in macOS. Its GUI app Disk Utility provides regular users with fairly comprehensive features, although some of them have been plagued by bugs, such as that making some attempts to run First Aid on APFS volumes and containers fail because they haven’t been unmounted by Disk Utility. As there’s no third-party substitute, it’s not possible to compare results obtained by Disk Utility against those of a competitor.

This article instead concentrates on Apple’s command tools, starting with its checking and repair. Some of these commands may require elevated privileges using sudo; because that isn’t easy to predict, I only add that as a preface where I believe it’s always required.

Check and repair with `fsck_apfs`

First Aid in Disk Utility relies on running the command tool fsck_apfs, but only provides fixed options. If you want more flexibility, use the command directly in Terminal. You first need to identify the device name of the volume to be checked, such as disk3s1, and discover whether it’s encrypted. Unlock an encrypted volume without mounting it using a command like
diskutil apfs unlockVolume /dev/disk7s2 -nomount
Other volumes and containers should be unmounted first using diskutil unmount followed by their device name.

fsck_apfs has valuable options, including:

-S : to skip checking of snapshots
-n : to check but not to repair
-y : to attempt to repair all errors found
-q : to perform a quick check to verify whether the superblock and checkpoint superblock are valid.

Typical commands used include:

sudo fsck_apfs -n /dev/disk7s2 just to check the volume disk7s2 but not repair it, including its snapshots.
sudo fsck_apfs -y /dev/disk7s2 to check and repair all errors automatically, including its snapshots.
sudo fsck_apfs -n -S /dev/disk7s2 to check but not repair, excluding all snapshots.
sudo fsck_apfs -n -S /dev/disk7 to check but not repair the container disk7, excluding all snapshots.

Apple has consistently advised that checks and repairs should be performed in the order volumes, containers, then disks, although in other file systems the reverse is more usual.

Get information with `diskutil`

For those content with using Disk Utility to create and maintain APFS containers and volumes, diskutil still has commands that can be of great value in obtaining information about the file system. These include:

diskutil list : provides a short summary, useful for discovering device identifiers
diskutil info -all : provides a full listing with extensive information
diskutil apfs list : provides a full listing of APFS container and volumes
diskutil apfs listVolumeGroups : lists all mounted volume groups
diskutil apfs listUsers / : lists cryptographic (Secure Token) users for the current boot volume group.

Main tools in `diskutil`

diskutil apfs provides an extensive range of verbs for working with APFS. Detailing them all here is neither feasible, nor can it keep pace with changes. As the man page, informative though it is, also falls out of date, usage information should be obtained using
diskutil apfs [verb]
for any verb that the user is unfamiliar with. A full listing of verbs is available with diskutil apfs, and currently includes:

list : shows the status of all current containers (see above)
listUsers : lists cryptographic users/keys of a volume (see above)
listSnapshots : lists snapshots in a mounted volume
listVolumeGroups : lists all current volume group relationships (see above)
convert : nondestructively converts from HFS+ to APFS
create : creates a new container with a single volume
createContainer : creates a new empty container
deleteContainer : deletes a container and frees or reformats disks
resizeContainer : resizes a container and its disk space usage
addVolume : adds a new volume to a container
deleteVolume : removes a volume from its container
deleteVolumeGroup : removes a volume group from its container
eraseVolume : erases the contents of, but keeps, a volume
changeVolumeRole : changes the Role metadata flags of a volume (see below)
unlockVolume : unlocks a locked and encrypted volume
lockVolume : locks an encrypted volume
changePassphrase : changes the passphrase of a cryptographic user
setPassphraseHint : sets or clears the passphrase hint of a cryptographic user
encryptVolume : enables FileVault encryption
decryptVolume : disables FileVault encryption
deleteSnapshot : remove a snapshot from a volume
defragment : arms or checks status or begins defragmentation
updatePreboot : updates a volume’s related Preboot volume (see below)
syncPatchUsers : copy a volume group’s crypto users in System-to-Data role (see below).

diskutil apfs changeVolumeRole takes arguments for the volume device (e.g. disk5s1) and one or more letters specifying the role. Roles are given as:

clear : to clear all roles
lower case letters b|r|v|i|t|s|d|e|x|h|c|y to clear that role
upper case letters B|R|V|I|T|S|D|E|X|H|C|Y to set that role

Ownership of the specified volume is required for this to work. Roles supported include B (Preboot), Recovery, VM, Installer, T (Time Machine backup store), System, Data, E (Update), XART, Hardware, C (Sidecar, Time Machine), and Y (Enterprise, data).

diskutil apfs updatePreboot takes an argument for the volume device (e.g. disk5s1) with further options given in its usage information. This will “examine the given APFS Volume for macOS and Open Directory (OD) database files, correlate the Volume’s APFS crypto users with OD users, and update the related Preboot Role Volume’s Subject Directory with data such as EFI login graphics. Specifying “/” for its overrideODFullPath option will use /var/db/dslocal/nodes/Default. No crypto passdata is needed, but ownership of the affected disks is required.”

diskutil apfs syncPatchUsers takes an argument for the volume device (e.g. disk5s1). This “expects the given APFS Volume to have a System role, be a member of an APFS Volume Group which also contains a Data role sibling Volume, and be a macOS installation with zero or more APFS Crypto Users. All APFS Crypto user unlock key data records are duplicated from the System to the Data role volume. You can use this verb to recover from certain rare circumstances. No crypto passdata is needed, but ownership of the affected disks is required.”

Apple doesn’t explain any further what those “rare circumstances” might be.

Unlock FileVault Data volume with `apfs_unlockfv`

In addition to diskutil apfs unlockVolume, this separate command can be used to unlock an encrypted FileVault data volume using a password. If a path is given as its argument, it will try to unlock the volume containing that path in a mounted Data volume. The option -W given before the path will try to unlock using an empty password. If no path is given, then it will try to unlock the Data volume for the current root file system.

Convert HFS+ file system to APFS with `apfs_hfs_convert`

Apple recommends that HFS+ volumes are converted to APFS using diskutil apfs convert where possible, but this command provides a more extensive range of options, including:

-D : convert all former and current directory hard links to files/aliases
-e : estimate the size of apfs metadata
-v : enable verbose output
-s : force the APFS volume to be case-sensitive
-n : don’t finalize conversion (dry run), leaving the volume in HFS+
-f : force conversion if the volume is dirty.

Further options are given in its usage information.

Mount an APFS volume with `mount_apfs`

mount_apfs is an alternative to diskutil mount that mounts a volume, offering a wider range of options, including:

-u : specifies a UID
-s : for a snapshot
-P [file] : for an im4p file
-M [file] : for an im4m file.

Further options are given in its usage information.

Construct a new APFS volume with `newfs_apfs`

newfs_apfs is an alternative to diskutil apfs addVolume to construct a new volume, offering a wider range of options, including:

-r : to specify a volume reserve
-q : to specify a volume quota
-U : to specify a uid
-G : to specify a gid
-F [fusion] : for a Fusion Drive
-R : to specify one or more roles for the volume.

Further options are given in its usage information.

I will be delighted to add relevant usage information for any other APFS command tools available in release versions of macOS Sonoma.

Articles in this series

1. Files and clones
2. Directories and names
3. Containers and volumes
4. Snapshots
5. Encryption and sealing
6. Special file types

References

Apple’s APFS Reference (PDF), last revised 22 June 2020.

13Comments

Add yours

1

Claude on April 22, 2024 at 8:01 am

Other useful commands are located here :

/System/Library/Filesystems/apfs.fs/Contents/Resources

LikeLiked by 2 people
- 2
  
  hoakley on April 22, 2024 at 8:10 am
  
  Thank you. Yes, I’m well aware of the existence of other tools there.
  However, I’m unable to identify any of them that qualify as being “useful”, in the sense that there’s any usable documentation for them, that they don’t duplicate other higher-level tools that are documented, and they have some recognisable purpose for the user.
  If you can provide details of any exceptions, then I’m keen to include it/them here.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Raoul on April 22, 2024 at 9:00 am
    
    Would really like to know what Apple ha(s|d) in mind for the Enterprise / Y roles.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on April 22, 2024 at 11:15 am
      
      Well, according to the APFS reference, this is for corporate managed data on iOS (and presumably iPadOS too). Unfortunately it links to a document about corporate managed data that doesn’t appear to refer to volume roles! It also might be used in addition to the Data role flag, rather than instead of it.
      Does that help at all?
      Howard.
      
      LikeLike
  - 5
    
    ninjaturtle45 on April 22, 2024 at 3:28 pm
    
    apfs_systemsnapshot is genuinely useful for those who want to disable Signed/Sealed System Volume. You can even create custom-named snapshots to use. Sure, “bless” can also be used, but it seems to be a much more complex tool for the same task.
    
    apfs_util also seems to have some interesting options, including the supposed ability to roll back to an APFS snapshot (the -R argument). Unfortunately in my testing it never worked, but perhaps SIP has to be disabled for that. Strangely enough Time Machine System Restore in macOS Recovery works perfectly fine for rolling back snapshots.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on April 22, 2024 at 8:41 pm
      
      Thank you. Yes, I’m sure that a few would like to create their own system volumes on snapshots, but I think that’s well beyond the scope of these articles. I also think that you’re referring to apfs.util rather than apfs_util.
      Howard.
      
      LikeLike
7

Duncan on April 22, 2024 at 1:57 pm

It’s interesting that they went through the trouble to create a command to construct a Fusion drive, given that APFS isn’t suitable for spinning disks.

LikeLiked by 2 people
- 8
  
  hoakley on April 22, 2024 at 8:38 pm
  
  When APFS was released in High Sierra, it supported boot disks on hard disks and SSDs, but not Fusion Drives. Support for those was pulled at the last minute because of serious problems. Fusion Drives weren’t supported as APFS boot disks until the release of Mojave, a year later. There are still plenty of iMacs running APFS on Fusion Drives.
  Howard.
  
  LikeLiked by 1 person
  - 9
    
    joethewalrus on April 24, 2024 at 7:00 am
    
    While I’ll agree that APFS isn’t suitable for spinning disks, someone at Apple must disagree, as commanding Finder to encrypt a USB HDD formatted as HFS+ will convert the disk to APFS without user notification in Sonoma (and perhaps earlier recent versions of macOS). I have an old MacBook with High Sierra that I use whenever I want to encrypt a USB HDD to avoid this annoyance.
    
    I’m curious how prone a Fusion drive is to the same fragmentation issues that plain HDDs develop. I read early on that Fusion drives in APFS would perform better than CoreStorage Fusion, as APFS was expected to prioritize for solid state frequently accessed data at the block or sector* level rather than at the file level as CoreStorage was reported to do. In practice I don’t know if this is the case, and I haven’t seen anything authoritative written on the subject since the early reports in the High Sierra days. I have a dual SATA enclosure in which I’ve synthesized an APFS Fusion drive, and I’m wondering if I’d be best served to reformat it in HFS+ using CoreStorage before it encounters any heavy use.
    
    LikeLiked by 1 person
    - 10
      
      joethewalrus on April 24, 2024 at 7:09 am
      
      *That asterisk was where, before I forgot to do so, I intended to say I’m not sure if blocks or sectors is the correct terminology for SSD.
      
      LikeLiked by 1 person
    - 11
      
      hoakley on April 24, 2024 at 11:18 am
      
      That makes me wonder whether macOS has dropped support for creating encrypted HFS+ volumes. That wouldn’t surprise me, as encryption was a late add-on to HFS+ and has never been that good, or secure. It was built into APFS from its conception, and of course in its FileVault form supports hardware encryption when used on internal storage.
      I’ll be writing more about Fusion Drives later this week, but I don’t recommend them, either Apple’s original Fusion Drives, or synthetic versions. I’ll explain in more detail in that article.
      Howard.
      
      LikeLiked by 1 person
    - 12
      
      joethewalrus on April 24, 2024 at 5:13 pm
      
      I’m looking forward to that article. I synthesized one years ago as soon as the tech was available, adding a 120 GB SSD to the 750 GB HDD that was preinstalled in my 2011 Mac Mini, and it breathed a new life into the computer that kept it my daily driver up until Apple announced the 2018 Mini. I am aware of some of the basic risks, multiplying the probability of drive failure leading to dataloss, etc, but based on my personal experience it’s hard for me not to recommend Fusion. Of course, with those risks and the ubiquity of solid state now, I suppose it is time to move on.
      
      LikeLiked by 1 person
    - 13
      
      hoakley on April 24, 2024 at 8:53 pm
      
      The article should appear on Friday morning.
      Howard.
      
      LikeLiked by 1 person

Check and repair with fsck_apfs

Get information with diskutil

Main tools in diskutil

Unlock FileVault Data volume with apfs_unlockfv

Convert HFS+ file system to APFS with apfs_hfs_convert

Mount an APFS volume with mount_apfs

Construct a new APFS volume with newfs_apfs

Articles in this series

References

Share this:

Related

Check and repair with `fsck_apfs`

Get information with `diskutil`

Main tools in `diskutil`

Unlock FileVault Data volume with `apfs_unlockfv`

Convert HFS+ file system to APFS with `apfs_hfs_convert`

Mount an APFS volume with `mount_apfs`

Construct a new APFS volume with `newfs_apfs`