Using Firmware passwords with FileVault 2-encrypted Macs
While I was giving my FileVault 2 talk at Jamf’s 2011 National User Conference, a question came up at the end with regard to using firmware passwords with FileVault 2-encrypted machines. This wasn’t something I had tested, so I admitted I hadn’t tested it and didn’t know. However, some of the Mac support folks at Sandia National Laboratories were also attending my talk and they had tested this very scenario. Here are my notes on what they had found:
When the firmware password is set, you will need to enter the firmware password before being able to boot to the Recovery HD partition or any other drive that wasn’t selected as a startup volume in Startup Disk.
If booting to your FileVault 2-encrypted boot drive, you should be taken to the pre-boot login screen as normal. You should only need to authenticate at the pre-boot login screen and you will not be asked for the firmware password.
I was able to test this on my own end and my results bear this out. If you have the firmware password set and you hold down Command-R to boot from Recovery HD, you’ll be asked for the firmware password before the Mac will boot from Recovery HD. You will also be asked for the firmware password if you’re using any of the options described as blocked in this KBase article on setting up the firmware password. You are not asked for the firmware password if you are booting from a FileVault 2-encrypted boot drive.