
Upgrading your FileVault 2 encrypted Mac to Mavericks

One great thing about using FileVault 2 to encrypt your Mac is that Apple’s OS installers are aware of how to work with a FileVault 2-encrypted Mac. For example, you can upgrade from OS X 10.8.5 to OS X 10.9.0 on a FileVault 2-encrypted Mac using the same process that you would use on an unencrypted Mac.

Since this is a process that’s more easily shown than explained, I’ve made a three-minute video showing the process as I saw it.

Here’s the procedure I used:

  • Logged into my FileVault 2 encrypted Mac
  • Verified that I was on 10.8.5 and encrypted
  • Launched Install OS X Mavericks.app
  • Authenticated when requested
  • Selected my boot drive and let it proceed with the upgrade
  • The upgrade process restarted the Mac
  • After the upgrade process finished, the Mac restarted
  • The upgrade process finished
  • I clicked the buttons to skip the Apple ID setup
  • I then verified that I was now on 10.9.0 and still encrypted

Note: The video has been edited to artificially reduce the amount of time the installer takes to run. Run time of the pre-edited video was 50 minutes.
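The two verification steps in the procedure above (OS version and encryption state, before and after the upgrade) can also be done from the command line. This script is an added example, not part of the original post; the function names are hypothetical, and it assumes `fdesetup status` reports its state in the "FileVault is On." / "FileVault is Off." form matched below.

```shell
#!/bin/bash
# Added example: check OS version and FileVault 2 state before/after an upgrade.
# The parsing functions take command output as arguments, so they can also be
# run against captured text from other Macs.

# Classify `fdesetup status` output as on, off, encrypting, decrypting or unknown.
# In-progress states are checked first because that output also contains
# a "FileVault is On/Off" line.
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Reduce a product version such as 10.8.5 to major.minor (10.8).
os_minor() {
    echo "$1" | awk -F. '{ print $1 "." $2 }'
}

# Return 0 only if the version matches the expected major.minor AND the
# volume is fully encrypted. 1 = wrong OS version, 2 = FileVault not "on".
check_state() {
    local expected="$1" version="$2" fv_out="$3"
    [ "$(os_minor "$version")" = "$expected" ] || return 1
    [ "$(fv_state "$fv_out")" = "on" ] || return 2
    return 0
}

# On a Mac: pass 10.8 before the upgrade and 10.9 after it.
# Run with sudo on OS X releases where fdesetup requires root.
if [ -n "${1:-}" ] && command -v fdesetup >/dev/null 2>&1; then
    if check_state "$1" "$(sw_vers -productVersion)" "$(fdesetup status)"; then
        echo "OK: OS X $1.x and FileVault 2 is on"
    else
        echo "FAIL: unexpected OS version or FileVault state" >&2
        exit 1
    fi
fi
```

A volume that is still encrypting or decrypting is deliberately treated as a failure, since the check is meant to confirm that the Mac is fully encrypted on both sides of the upgrade.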

Did you notice that something was missing from this upgrade procedure?


I was never asked to log in at the FileVault 2 pre boot login screen. Why?

During the upgrade process, the Mavericks installer puts an unlock key into the SMC to unlock the encrypted volume at boot. The reboot process then automatically clears the key from the SMC. This is similar to how fdesetup authrestart works, except that the user is not prompted to authorize it.

This behavior is convenient, but it’s something that the user should be asked specifically to authorize. As part of that, I’d previously filed a bug report with Apple at bugreport.apple.com about this behavior. If you want to also file a bug report on this, please reference the following bug ID when submitting your report:


I’ve got the details of my bug report posted at Open Radar:

  1. October 28, 2013 at 2:25 pm

    Thanks, Rich. I also filed this during the DP releases. I never got a response or even got it marked as a duplicate of yours. My guess is an exec made a decision and that’s all she wrote about this. I agree with you that is horrible behavior and they shouldn’t have done this by default.
