Home > fdesetup, FileVault 2, Mac administration, Mac OS X > Automating fdesetup authrestart in Mavericks

Automating fdesetup authrestart in Mavericks

June 24, 2014 Leave a comment Go to comments

One of the more interesting functions in Apple’s fdesetup tool is the authrestart verb, which allows a FileVault 2-encrypted Mac to restart and bypass the FileVault 2 pre-boot login screen. Instead, the Mac reboots as a unlocked system and goes straight to the regular login window.

When you run the fdesetup authrestart command, it asks for a password or a personal recovery key. The password must be an account that has been enabled for FileVault 2 (i.e. an account that shows up at the FileVault 2 pre-boot login screen.) After that, it puts an unlock key in system memory and reboots. On reboot, the reboot process automatically clears the unlock key from memory.

For those who want to automate this process, Apple added some functionality to fdesetup authrestart in Mavericks to support importing the authentication via a properly formatted plist. The plist needs to follow the format below:





Password
password

plist_format_for_fdesetup_authrestart

You would store either the password of an existing FileVault 2-enabled user or the existing personal recovery key in the Password key in the plist.

Once the plist has been set up and properly formatted, run the following command to run the authrestart process and reference the password or recovery key in the plist file for authentication.

sudo fdesetup authrestart -inputplist < /path/to/filename.plist

Screen Shot 2014-06-23 at 7.17.18 PM

The man page for fdesetup also indicates that you can use a keychain with both the private and public keys associated with an institutional recovery key to authenticate the authrestart process. Based on the manpage, you should be able to run the following command to run the authrestart process and reference the institutional recovery key for authentication.

sudo fdesetup authrestart -key /path/to/filename.keychain

As of OS X 10.9.3, this does not appear to work. Instead of being prompted for the keychain’s password and the Mac restarting, an Error: Unable to restart message is displayed and nothing else happens.

Screen Shot 2014-06-23 at 7.30.24 PM

If manually restarted, the Mac will reboot to the FileVault 2 pre-boot login screen.

Screen Shot 2014-06-23 at 8.00.19 PM

I’ve filed a bug with Apple at bugreport.apple.com about this behavior. If you want to also file a bug report on this, please reference the following bug ID when submitting your report:

17423687

I’ve got the details of my bug report posted at Open Radar:

http://openradar.appspot.com/radar?id=6385064946434048

Categories: fdesetup, FileVault 2, Mac administration, Mac OS X
  1. Lauren
    June 24, 2014 at 2:26 pm
    Reply

    Hi Rich – I was the one who was asking about authrestart in IRC yesterday. Thank you for checking it out and posting this. I’ll also be submitting one.

  2. David Van De Meer
    July 23, 2023 at 9:04 am
    Reply

    Hi, I wanted a simple way to initial a Filevault Restart on Macs so I created FilevaultReboot – https://github.com/dieskim/FilevaultReboot – Hope it helps

  1. No trackbacks yet.

Leave a comment