How to Bypass a FileVault Password On a Per Boot Basis with Mac OS X
Using FileVault full disk encryption is one of the better ways to protect your Mac and personal documents from prying eyes and password resets, but if you’re troubleshooting a Mac with FileVault, either your own or someone else’s, having to enter another password before you can get in is annoying. Additionally, if you’re performing remote management or administration tasks through SSH or Remote Login and need to reboot the remote Mac to install an OS X update, you wouldn’t be able to enter the necessary FileVault password, right? Well, yes, unless you temporarily bypass FileVault with an authenticated restart.
Using Authenticated Restart allows you to bypass entering a FileVault password on a per-boot basis. In other words, it does not disable FileVault for more than the specific reboot, which can be really helpful for remote management purposes.
Issuing an Authenticated Restart requires using the Terminal and the fdesetup command, and you will need the admin password. You can also check whether FileVault is enabled by using a variation of fdesetup. Here’s the command to issue the authenticated restart:
sudo fdesetup authrestart
Once you enter the admin password, the Mac will reboot directly from the command line, but unlike a standard sudo shutdown -r reboot, you’re pre-authorizing the restart to bypass FileVault on the next system start.
Note that not all Macs have this feature and allow temporary FileVault bypass this way; it’s mostly fairly new machines that do. You can check manually with the following command string:
fdesetup supportsauthrestart
If “true” is echoed back, you’re good to go. If it says “false”, you’ll probably want to skip the reboot, otherwise the Mac will be unavailable until the FileVault password has been entered manually in person.
According to Apple, the Macs that support FileVault authenticated restart are as follows:
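A guard for the check described above, as an added example (not code from the original article): it issues the authenticated restart only when fdesetup supportsauthrestart answers exactly "true", and refuses to reboot on "false" or on an older fdesetup that rejects the verb. The FDESETUP override, the function names, the --run flag and the "FileVault is Off" status string it matches are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pick a reboot method for a remote Mac without stranding it
# at the FileVault unlock screen.
# FDESETUP is a hypothetical override hook so the logic can be tested with a stub.
FDESETUP="${FDESETUP:-fdesetup}"

# Prints one of: authrestart | reboot | abort
choose_reboot_action() {
    # Assumption: "fdesetup status" reports "FileVault is Off." when disabled,
    # in which case an ordinary reboot needs no unlock at startup.
    fv_status="$("$FDESETUP" status 2>&1 || true)"
    case "$fv_status" in
        *"FileVault is Off"*) echo reboot; return 0 ;;
    esac

    # Only the literal answer "true" counts. "false", an error from an fdesetup
    # that lacks this verb, or empty output all mean: do not reboot.
    answer="$("$FDESETUP" supportsauthrestart 2>/dev/null || true)"
    if [ "$answer" = "true" ]; then
        echo authrestart
    else
        echo abort
    fi
}

main() {
    case "$(choose_reboot_action)" in
        authrestart) sudo "$FDESETUP" authrestart ;;  # asks for the admin password, then restarts
        reboot)      sudo shutdown -r now ;;
        *)           echo "Authenticated restart unavailable; not rebooting." >&2
                     return 1 ;;
    esac
}

# Act only when asked explicitly, so sourcing this file never reboots anything.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it over SSH with --run; when it aborts, the Mac stays up and the update reboot can wait until someone is on site to enter the FileVault password.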
- MacBook Air (Late 2010) and later
- MacBook (Late 2009) and later
- MacBook Pro (Mid 2009) and later
- Mac mini (Mid 2010) and later
- iMac (Late 2009) and later
- Mac Pro (Late 2013)
So the next time you’re doing some remote management, system updates, troubleshooting, or whatever else, keep this in mind.
Keep in mind that this only applies to FileVault security; there is no way to remotely bypass a hardware-based firmware password that has been set on a Mac.
Heads up to LifeHacker for the excellent tip find.
So I can get into someone else’s Mac even if they have FileVault?
How to make this permanent?
Due to power failure?
Disable FileVault if you want to permanently bypass it.
Quite drastic compared to permanently letting a particular account access the login screen remotely.
Security hole?!
No, read the article.
Testing out this trick from ssh worked just fine
Helpful for remote troubleshooting, great tip
Doesn’t seem to work on OSX 10.8.5 Mtn Lion; Mac Mini Late 2012. (FileVault not in use on this Mac, so I’m guessing wrong OSX)
~ root# fdesetup supportsauthrestart
Error: You must provide an action. Use ‘fdesetup help’ for help, or use the man page.
~ root# fdesetup status
No conversion in progress
~ root# fdesetup version
fdesetup: Version 1.35
Is it really “bypassing” FileVault, or more likely, storing and using the credentials for the next boot, and then (hopefully), clearing the stored credentials?
Yes, exactly. As described. Bypass FileVault on the next boot, FileVault stops storing the credentials temporarily after that.
“Yes, exactly.”
It can’t be both. If it is storing the credentials, it is not bypassing FileVault, it is merely bypassing the authorization process.
This is an important distinction.