How to Bypass a FileVault Password On a Per Boot Basis with Mac OS X

Mar 6, 2015 - 9 Comments

Using FileVault full disk encryption is one of the better ways to protect your Mac and personal documents from prying eyes and password resets, but if you’re troubleshooting a Mac with FileVault, either your own or someone else’s, it’s kind of annoying to have another layer of passwords to enter before you’re able to get in. Additionally, in situations where you’re performing remote management or administration tasks through SSH or Remote Login, if you needed to reboot the remote Mac to install an OS X update, you wouldn’t be able to enter the necessary FileVault password, right? Well, yes, unless you temporarily bypass FileVault with an authenticated restart.


Using Authenticated Restart allows you to bypass entering a FileVault password on a per-boot basis. In other words, it does not disable FileVault for more than the specific reboot, which can be really helpful for remote management purposes.

Issuing an Authenticated Restart requires using the Terminal and the fdesetup command and you will need the admin password. You can always check to see if FileVault is enabled by using a variation of fdesetup as well. Here’s the command to use:

sudo fdesetup authrestart

Once you enter the admin password the Mac will reboot directly from the command line, but rather than a standard sudo shutdown -r command and boot, you’re basically pre-authorizing the restart to bypass FileVault on the next system start.

Do note that not all Macs support this feature; it’s mostly fairly new machines that allow a temporary FileVault bypass this way. You can check manually with the following command string:

fdesetup supportsauthrestart

If “true” is echoed back, you’re good to go. If it says “false”, you’ll probably want to skip the reboot; otherwise the Mac will be unavailable until the FileVault password has been entered manually in person.
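The checks above can be combined into one guard that is run over SSH before rebooting a remote Mac. This is an added example, not code from the article: the function names restart_plan and safe_restart are hypothetical, and the "FileVault is On." / "FileVault is Off." status strings are an assumption about what fdesetup status prints on the Mac in question.

```shell
#!/bin/sh
# Added example: decide how to reboot a remote Mac without losing access.
# Function names are hypothetical; only the fdesetup verbs come from the article.

# Prints one of: authrestart | reboot | stay-up
restart_plan() {
    # Assumption: status prints "FileVault is On." or "FileVault is Off."
    fv_status=$(fdesetup status 2>/dev/null) || fv_status=""
    case "$fv_status" in
        *"FileVault is On"*)  ;;                       # encrypted: keep checking
        *"FileVault is Off"*) echo reboot; return 0 ;; # no pre-boot unlock needed
        *) echo stay-up; return 0 ;;                   # unknown state: do not risk it
    esac
    # Older fdesetup builds reject this verb with an error, as one commenter
    # on this page saw on 10.8.5; anything other than "true" is unsupported.
    supported=$(fdesetup supportsauthrestart 2>/dev/null) || supported=""
    if [ "$supported" = "true" ]; then
        echo authrestart
    else
        echo stay-up
    fi
}

# Acts on the plan. Run as an admin user; sudo prompts for the password.
safe_restart() {
    case "$(restart_plan)" in
        authrestart) sudo fdesetup authrestart ;;
        reboot)      sudo shutdown -r now ;;
        *) echo "FileVault unlock would be needed at the console; not rebooting." >&2
           return 1 ;;
    esac
}

# Only reboot when explicitly asked: sh safe-restart.sh --go
if [ "${1:-}" = "--go" ]; then
    safe_restart
fi
```

Calling restart_plan on its own prints the decision without rebooting, which is a safe dry run before a remote update.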

According to Apple, the Macs that support FileVault authenticated restart are as follows:

  • MacBook Air (Late 2010) and later
  • MacBook (Late 2009) and later
  • MacBook Pro (Mid 2009) and later
  • Mac mini (Mid 2010) and later
  • iMac (Late 2009) and later
  • Mac Pro (Late 2013)

So the next time you’re doing some remote management, system updates, troubleshooting, or whatever else, keep this in mind.

Do keep in mind that this only applies to FileVault security; there is no way to remotely bypass a hardware-based firmware password that has been set on a Mac.

Heads up to LifeHacker for the excellent tip find.


Posted by: Paul Horowitz in Command Line, Mac OS X, Tips & Tricks

9 Comments


  1. yyzguy says:

    Is it really “bypassing” filevault, or more likely, storing and using the credentials for the next boot, and then (hopefully), clearing the stored credentials.

    • gihe says:

      Yes, exactly. As described. Bypass Filevault on the next boot, Filevault stops storing the credentials temporarily after that.

  2. MacMedix says:

    Doesn’t seem to work on OSX 10.8.5 Mtn Lion; Mac Mini Late 2012. (FileVault not in use on this Mac, so I’m guessing wrong OSX)

    ~ root# fdesetup supportsauthrestart
    Error: You must provide an action. Use ‘fdesetup help’ for help, or use the man page.
    ~ root# fdesetup status
    No conversion in progress
    ~ root# fdesetup version
    fdesetup: Version 1.35

  3. kazuba says:

    Helpful for remote troubleshooting great tip

  4. Kavinz says:

    Testing out this trick from ssh worked just fine

  5. Rudi says:

    Security hole?!

  6. Fei says:

    how to make this permanent?
    Due to power failure?
