How to Bypass a FileVault Password On a Per Boot Basis with Mac OS X
Using FileVault full disk encryption is one of the better ways to protect your Mac and personal documents from prying eyes and password resets, but if you’re troubleshooting a Mac with FileVault, either your own or someone else’s, it’s kind of annoying to have another layer of passwords necessary to enter before you’ll be able to get in. Additionally, for situations where you’re performing remote management or administration tasks through SSH or Remote Login, if you were to need to reboot the remote Mac to install an OS X update, you wouldn’t be able to enter the necessary FileVault password, right? Well, yes, unless you temporarily bypass FileVault with an authorized restart.
Using Authenticated Restart allows you to bypass entering a FileVault password on a per-boot basis. In other words, it does not disable FileVault for more than the specific reboot, which can be really helpful for remote management purposes.
Issuing an Authenticated Restart requires using the Terminal and the fdesetup command and you will need the admin password. You can always check to see if FileVault is enabled by using a variation of fdesetup as well. Here’s the command to use:
sudo fdesetup authrestart
Once you enter the admin password the Mac will reboot directly from the command line, but rather than a standard sudo shutdown -r command and boot, you’re basically pre-authorizing the restart to bypass FileVault on the next system start.
Do note that not all Macs have this feature and allow temporary FileVault bypass this way, it’s mostly fairly new machines that do. You can check manually with the following command string:
If “true” is echoed back, you’re good to go. If it says “false”, you’ll probably want to skip the reboot otherwise the Mac will be unavailable until the FileVault password has been entered manually in person.
According to Apple, the list of Macs that do support FileVault authenticated restart are as follows:
- MacBook Air (Late 2010) and later
- MacBook (Late 2009) and later
- MacBook Pro (Mid 2009) and later
- Mac mini (Mid 2010) and later
- iMac (Late 2009) and later
- Mac Pro (Late 2013)
So the next time you’re doing some remote management, system updates, troubleshooting, or whatever else, keep this in mind.
Do keep in mind this only applies to FileVault security, there is no way to remotely bypass a hardware-based firmware password that has been set on a Mac.
Heads up to LifeHacker for the excellent tip find.