Home > FileVault 2, Mac administration, Mac OS X > fdesetup authrestart – FileVault 2’s one-time encryption bypass feature

fdesetup authrestart – FileVault 2’s one-time encryption bypass feature

OS X 10.8.2 included one important change to Apple’s fdesetup FileVault 2 management tool. fdesetup now has the authrestart verb, which allows a FileVault 2-encrypted Mac to restart and bypass the FileVault 2 pre-boot login screen. Instead, the Mac reboots as a unlocked system and goes straight to the regular login window.

When you run the fdesetup authrestart command, it asks for a password or recovery key. The password must be an account that has been enabled for FileVault 2 (i.e. an account that shows up at the FV2 pre-boot login screen.) After that, it puts an unlock key in system memory and reboots. On reboot, the reboot process automatically clears the unlock key from memory.

To show what this looks like, I’ve made a short video showing the process


Note: The video has been edited to artificially reduce the amount of time needed for the process. Run time of the pre-edited video was 4 minutes.

  1. October 2, 2012 at 2:23 pm

    Nice new feature, but I don’t get it – for which situation should this be helpful?

    • Maurits
      October 8, 2012 at 8:12 pm

      And for installers that require post-reboot steps (i.e. DeployStudio)

  2. Taylor.Armstrong
    October 4, 2012 at 7:54 pm

    Replying to Marcel: If you are doing after-hours maintenance on a number of machines, and would like to have them actually reboot into the OS vs. having them all stuck on the pre-boot screen (at which point you will have no remote access to them whatsoever).

  3. Andrew
    February 6, 2013 at 4:02 pm

    Thanks for this tip Rich. This helps out if you do network profiles (AD or OD accounts) and want to have them log in, rather than a local account. Previously, if you don’t use this solution, you would have to login as one of the local accounts, then log out to the get the Name and password prompt(if that is your choice – it is for us and more secure environments) as opposed to list of users.

  4. Dinesh
    February 17, 2013 at 2:26 pm

    getting below error
    lolluprasad:~ lollu$ fdesetup authrestart
    Error: You must provide an action. Use ‘fdesetup help’ for help, or use the man page.

  5. Matt Willmore
    February 20, 2013 at 4:05 am

    Something I discovered today: this will error out if you attempt it on a Mac that is still encrypting; wait for the encryption to finish, then it should work as expected.

  6. May 9, 2013 at 8:38 pm

    authrestart is dependent on the OS being 10.8.2+ and is also hardware dependent. Tested it on 3 different platforms and one virtualized machine. Only an iMac12,1 and virtualized system both on 10.8.3 worked.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 154 other followers

%d bloggers like this: