Unlike the standard OS X login screen, where background services such as Remote Desktop are running, if you have FileVault enabled, the login window will appear before OS X loads. Therefore, if you have a Mac that is configured with FileVault and you reboot your system when connected via SSH, Screen Sharing, or another remote connectivity service, it will get to the FileVault login window but not allow you to re-establish your remote connection.
To get around this limitation, one option available in OS X is to perform an authenticated restart, which will allow the system to suspend the FileVault protection for one boot cycle and load the operating system normally.
This may be required if you have applied a software update or other system configuration change that requires a restart, and can be done simply by opening Terminal and running the following command:
sudo fdesetup authrestart
While this command will work in many instances, it does require the ability to access the encryption keys that are temporarily stored in the System Management Controller, and therefore has some hardware requirements which prevent it from working on certain Macs. Apple has a knowledge base article outlining the Mac models which do support this command:
- MacBook Air (mid 2009) and earlier
- MacBook (mid 2009) and earlier
- MacBook Pro (early 2009) and earlier
- Mac mini (late 2009) and earlier
- iMac (mid 2009) and earlier
- Mac Pro (mid 2012) and earlier
- Xserve (all models)
Unfortunately, many of the systems Apple has made which might be accessed remotely on a regular basis do not qualify for the use of this command. The Xserve models, which are rack-mounted and largely accessed remotely, do not support this command. Then again, FileVault protection on these might not be necessary if they are secured in a server room.
The models that appear to matter most are the 2009 and earlier Mac Mini, and all Mac Pro systems prior to the latest models. These systems are commonly used for local servers, and might therefore be configured either headless, or otherwise usually accessed via SSH or Remote Desktop services. These systems will not be able to perform an authenticated restart, and therefore if you need to reboot them you will need to log in using a USB keyboard.