Yosemite System Preferences issue when enabling FileVault 2 with an institutional recovery key

In 10.10.0 and 10.10.1, I’ve noticed an issue when enabling FileVault 2 via System Preferences when using an institutional recovery key.

In Mavericks and earlier versions of OS X, the behavior of System Preferences looked like this:

  1. Click the lock to unlock the FileVault preference pane
  2. Click the Turn on FileVault… button
  3. A list of users that can be enabled for FileVault 2 is displayed. The logged-in user account is marked with the green checkbox that shows that the account is enabled.
  4. A message is displayed that a recovery key has been set by a company, school or institution.
  5. A message prompting the user to restart is displayed.
  6. Once the Restart button has been clicked, the FileVault 2 initialization process continues and restarts the Mac.
  7. The Mac restarts to the FileVault 2 pre-boot login screen.

To illustrate, I’ve made a video showing the described behavior.

In Yosemite 10.10.0 and 10.10.1, the behavior of System Preferences looks like this:

  1. Click the lock to unlock the FileVault preference pane
  2. Click the Turn on FileVault… button
  3. A message is displayed that a recovery key has been set by a company, school or institution.
  4. System Preferences then displays no additional messages and will appear to hang for up to two minutes.
  5. The Mac restarts without further input from the user.
  6. The Mac restarts to the FileVault 2 pre-boot login screen.

To illustrate, I’ve made a video showing the described behavior.

As Yosemite’s current behavior is different and omits several steps that were present in previous versions of OS X, I believe this is a bug in Yosemite instead of intended behavior.

To help get it fixed, I’ve filed a bug report. For those interested in duping it, it’s bug ID 19124344.

For those interested in the details, I’ve also posted the bug report to Open Radar:

http://openradar.appspot.com/19124344

  1. December 3, 2014 at 8:02 am

    Thanks for the heads up! Does the FileVault process work ok apart from this? I always get nervous around disk encryption given its ability to totally brick machines!

    • December 3, 2014 at 1:25 pm

      In my testing, the FileVault process works fine. The important thing is to leave System Preferences alone while it appears to be hanging. Don’t close System Preferences, force quit it or hit the “Turn on FileVault…” button again. That may cause FileVault’s initialization to get messed up and that will cause problems.

  2. December 3, 2014 at 4:37 pm

    billt,

    It’s possible, but it’s also possible that the volume damage occurred earlier and it’s just now being reported because you had Disk Utility check out the disk. Without information on the state of the disk before encryption was enabled, I can’t say for certain.

    • December 3, 2014 at 6:17 pm

      True. So I gathered information on the state of the disk pre-encryption. And I can reproduce this on known-healthy disks (i.e., systems with a clean OS install on which diskutil reports no problems). Before- and after-encryption comparison shows that diskutil reports a healthy disk before encrypting and a corrupted disk afterwards. If I repair the disk (returning the system to a state where diskutil reports an ‘OK’ drive), then later try to enable FileVault again, I’m back to a state where diskutil reports corruption.

      Before trying to enable FileVault: diskutil verifyVolume /Volumes/OS\ X\ Base\ System
      The volume OS X Base System appears to be OK
      File system check exit code is 0
      Finished file system verification on disk1s2 OS X Base System

      Before trying to enable FileVault: diskutil verifyVolume /Volumes/Macintosh\ HD
      The volume Macintosh HD appears to be OK
      File system check exit code is 0
      Finished file system verification on disk0s2 Macintosh HD

      After trying to enable FileVault: diskutil verifyVolume /Volumes/OS\ X\ Base\ System
      The volume OS X Base System appears to be OK
      File system check exit code is 0
      Finished file system verification on disk1s2 OS X Base System

      After trying to enable FileVault: diskutil verifyVolume /Volumes/Macintosh\ HD
      Volume header needs minor repair
      The volume Macintosh HD was found corrupt and needs to be repaired
      File system check exit code is 8
      Error: -69845: File system verify or repair failed
      Underlying error: 8: POSIX reports: Exec format error
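
The before-and-after comparison described in the comment above, as an added example that is not part of the original post or of any comment: a shell script that reduces `diskutil verifyVolume` transcripts to per-volume exit codes and lists the volumes that verified clean before enabling FileVault 2 but fail afterwards. The transcripts are constructed samples in the format the comment quotes, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or comment): find volumes that
# verified clean before enabling FileVault 2 but fail verification afterwards.
# In practice, capture each transcript with `diskutil verifyVolume <volume>`.

# Constructed sample transcripts, in the output format quoted in the comment.
BEFORE='The volume OS X Base System appears to be OK
File system check exit code is 0
Finished file system verification on disk1s2 OS X Base System
The volume Macintosh HD appears to be OK
File system check exit code is 0
Finished file system verification on disk0s2 Macintosh HD'

AFTER='The volume OS X Base System appears to be OK
File system check exit code is 0
Finished file system verification on disk1s2 OS X Base System
Volume header needs minor repair
The volume Macintosh HD was found corrupt and needs to be repaired
File system check exit code is 8
Error: -69845: File system verify or repair failed
Underlying error: 8: POSIX reports: Exec format error'

TAB=$(printf '\t')

# Reduce a transcript on stdin to "exit_code<TAB>volume name", one line per volume.
summarize_verify() {
  awk '
    /^The volume .* appears to be OK$/ {
      v = $0; sub(/^The volume /, "", v); sub(/ appears to be OK$/, "", v) }
    /^The volume .* was found corrupt/ {
      v = $0; sub(/^The volume /, "", v); sub(/ was found corrupt.*$/, "", v) }
    /^File system check exit code is [0-9]+$/ { printf "%s\t%s\n", $NF, v; v = "" }
  '
}

# Usage: regressed_volumes "$before_transcript" "$after_transcript"
# Prints each volume whose exit code was 0 before and is non-zero after.
regressed_volumes() {
  before_sum=$(printf '%s\n' "$1" | summarize_verify)
  printf '%s\n' "$2" | summarize_verify | while IFS="$TAB" read -r code vol; do
    [ "$code" = "0" ] && continue
    if printf '%s\n' "$before_sum" | grep -qxF "0${TAB}${vol}"; then
      printf '%s (exit code %s)\n' "$vol" "$code"
    fi
  done
}

regressed_volumes "$BEFORE" "$AFTER"
```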

  3. Steve Summers
    December 15, 2014 at 5:20 pm

    Hey Rich,
    Thanks for the article. Any thoughts or ideas about bad things happening (as it relates to the HD encryption) if going from ML to Yosemite on machines with FV enabled using Institutional Keys? Anything special to do so Casper is happy with the move and the machine shows up properly as having an encrypted drive w/a proper key?
    Thanks
