
Enabling FileVault 2 pre-boot login screen functions from the command line

There are a couple of functions that you can enable on your Mac that will show up at the FileVault 2 pre-boot login screen. The two functions that I’m familiar with are the keyboard input menu and a text-only login banner.

On a FileVault 2-encrypted Mac, you can go into System Preferences and enable these functions. At the next restart, they should show up at the FileVault 2 pre-boot login screen. However, if these functions were enabled using the defaults command, they may show up at the regular login window, but not at FileVault 2’s login screen.

Screen Shot 2013-06-18 at 1.01.01 PM

Screen Shot 2013-06-18 at 12.57.48 PM

The answer seems to be that, in addition to running the defaults commands, you also need to remove the cache files ending in .efires from /System/Library/Caches/com.apple.corestorage/EFILoginLocalizations. Clearing the .efires cache files forces the system to update the FileVault 2 pre-boot login screen. Whether this update happens right away or when the system reboots is not yet clear; if you know, please let me know in the comments.

For example, running the following commands with root privileges updates the FileVault 2 pre-boot login screen with both the keyboard input menu and a login banner:


defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "My Login Window Text Goes Here"
defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
rm /System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/*.efires

On restart, the FileVault 2 pre-boot login screen should look like this, with keyboard input and login text (highlighted in red) now showing.

Screen Shot 2013-06-18 at 1.03.40 PM

To remove these, you would need to boot back into the OS and run the following commands:


defaults delete /Library/Preferences/com.apple.loginwindow LoginwindowText
defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool FALSE
rm /System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/*.efires

On restart, the FileVault 2 pre-boot login screen should no longer have either a keyboard input menu or a login banner.

Screen Shot 2013-06-18 at 12.57.48 PM

Hat tip to Josh Schripsema for figuring out that the .efires cache files need to be removed to force the refresh.
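
The enable and remove procedures above, wrapped as one script that also tolerates an already-empty .efires cache or an unset banner key. This is an added example, not code from the original post; the function names and the PLIST and EFI_CACHE override variables are assumptions made for illustration, while the paths and preference keys are the ones used above.

```shell
#!/bin/sh
# Added example: apply or remove the pre-boot banner and input menu, then clear the .efires cache.
# PLIST and EFI_CACHE default to the post's paths; overriding them is an assumption for dry runs.
PLIST="${PLIST:-/Library/Preferences/com.apple.loginwindow}"
EFI_CACHE="${EFI_CACHE:-/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations}"

# Remove cached *.efires files and print how many were removed.
# Unlike a bare `rm dir/*.efires`, an already-empty cache is not an error.
clear_efires() {
    count=0
    for f in "$EFI_CACHE"/*.efires; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        rm -f -- "$f" && count=$((count + 1))
    done
    echo "$count"
}

# Set the banner text ($1) and turn the keyboard input menu on.
enable_preboot() {
    [ -n "$1" ] || { echo "usage: enable_preboot \"banner text\"" >&2; return 2; }
    defaults write "$PLIST" LoginwindowText "$1" || return 1
    defaults write "$PLIST" showInputMenu -bool TRUE || return 1
    clear_efires >/dev/null
}

# Remove the banner and turn the keyboard input menu off.
disable_preboot() {
    # Deleting a key that is not set fails; treat that as already removed.
    defaults delete "$PLIST" LoginwindowText 2>/dev/null || true
    defaults write "$PLIST" showInputMenu -bool FALSE || return 1
    clear_efires >/dev/null
}

# Act only when called with a subcommand, and only as root.
case "${1:-}" in
    enable|disable)
        [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
        if [ "$1" = enable ]; then enable_preboot "${2:-}"; else disable_preboot; fi
        echo "Restart to see the change at the pre-boot login screen." ;;
esac
```

Saved under a file name of your choice, it is run with root privileges as `enable "Banner text"` or `disable`.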

  1. June 19, 2013 at 8:48 pm

    Thanks Rich your blog is always insightful.

  2. June 24, 2013 at 5:16 pm

    Rich, the Apple recommended way to synchronize the EFI LoginWindow is via the following command:
    sudo touch /System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources

    When you do so you’ll see the following log entries:
    Jun 24 13:06:09 mbp-boylan.local com.apple.kextcache[29098]: / locked; waiting for lock.
    Jun 24 13:06:09 mbp-boylan.local efilogin-helper[29099]: targetVolume: /
    Jun 24 13:06:09 mbp-boylan.local efilogin-helper[29099]: **** WARNING: cannot find showInputMenu key assumining NO
    Jun 24 13:06:14 mbp-boylan.local fseventsd[64]: Logging disabled completely for device:1: /Volumes/Recovery HD
    Jun 24 13:06:14 mbp-boylan.local com.apple.kextcache[29098]: Lock acquired; proceeding.
    Jun 24 13:06:14 mbp-boylan.local com.apple.kextcache[29098]: /: helper partitions appear up to date.

    The last entry will change slightly if you’ve actually made changes since the last synchronization.

  3. cashxx
    July 2, 2013 at 12:35 am

    I am lost with one thing on FileVault 2. We want to enable FileVault 2 here, but my understanding is that the only users that can get past the preboot screen are local users. We use Active Directory here and users log in and get a temporary Home Directory that is removed on logout. Am I unable to use FileVault 2 because of this, am I understanding everything correctly?

    On Windows the admins are looking to turn it on and it seems like the user decrypts on login at the ctrl+alt+delete screen if it was described to me correctly. But on OS X in order to boot you have to log in and only with a local account it seems, which makes more sense to me than what Windows is doing. Just trying to understand……

    • July 2, 2013 at 12:51 am

      FileVault 2 works with both local user accounts and mobile network accounts, where the network account has cached account credentials and a local home folder on the machine.

      Since you’re deleting the home directory on logout, FileVault 2 won’t work with your current setup.

      That said, since you’re deleting the user’s home directory on logout, why do you need encryption? It sounds like all of the users’ data is automatically removed from your machines, so there should be little remaining that would need to be protected.

  4. Chris
    January 15, 2014 at 2:35 pm

    Nice how-to! Thx!

    Is it possible with a defaults write to change the EFI login from “List of users”-style to “Name and password” like the standard login? With “List of users” the users names are revealed who are able to unlock the drive.

  5. cxorc
    June 27, 2014 at 2:34 pm

    Hi! I have the same question as Chris….

  6. Ra
    August 10, 2014 at 12:20 pm

    Hey. Same here. Is there a key/value pair for the .plist that changes EFI login to “Name and password” like the standard login?

  7. Kev
    December 16, 2015 at 8:50 pm

    Is there a way to change the background picture or the apple logo?

    • Chris
      December 16, 2015 at 9:23 pm

      Try /Library/Caches/com.apple.desktop.admin.png

  8. Dan
    June 1, 2016 at 3:04 pm

    Can anyone confirm that this works on 10.11 El Capitan? I am running into the error:

    defaults[1271:9115] Unexpected argument of; leaving defaults unchanged.

  9. March 9, 2017 at 3:30 pm

    Any chance to change the FV login screen resolution? It’s pretty unpleasant to have the FV login screen somehow low-res and then entering your profile to switch to high-res.
    R

  10. Haroon
    May 10, 2017 at 8:13 am

    Thanks. I followed your other post about this but was not having success. Once deleting the cache files things worked as expected. One annoyance though is that, at least in Sierra, the text is so light that it is barely visible.

  11. Jacob Self
    May 20, 2017 at 3:10 pm

    I bought an iMac from someone on Craigslist – when I boot it up, it goes to the first image you showed in this post. I guess I’m not exactly sure how to get around that?

    • Malcolm
      May 27, 2017 at 10:55 pm

      There’s a pretty good chance the machine you bought was stolen.
