Standard user accounts in OS X 10.8.4 now blocked from decrypting FileVault 2-encrypted Macs
One of the changes noted in Apple’s security notes about 10.8.4 and Security Update 2013-002 was this section:
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user may disable FileVault
Description: A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
In short, this helps address an issue that has vexed various Mac admins since 10.7.0: If you have a FileVault 2-enabled account, you can decrypt the encryption from the command line using your account’s password.
With 10.8.4, the command-line diskutil tool has now been updated to request an administrator’s login and password before allowing decryption to proceed.
Administrators are also prompted, but can supply their account’s username and password to start the decryption process.