X

FileVault's authenticated restart has hardware requirements

If you use FileVault and wish to restart remotely, you can do so with the "fdesetup" command; however, this does have some hardware limitations.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
See full bio
Topher Kessler
2 min read

Unlike the standard OS X login screen, where background services such as Remote Desktop are running, if you have FileVault enabled, the login window will appear before OS X loads. Therefore, if you have a Mac that is configured with FileVault and you reboot your system when connected via SSH, Screen Sharing, or another remote connectivity service, it will get to the FileVault login window but not allow you to re-establish your remote connection.

To get around this limitation, one option available in OS X is to perform an authenticated restart, which will allow the system to suspend the FileVault protection for one boot cycle and load the operating system normally.

This may be required if you have applied a software update or other system configuration change that requires a restart, and can be done simply by opening Terminal and running the following command:

sudo fdesetup authrestart

While this command will work in many instances, it does require the ability to access the encryption keys that are temporarily stored in the System Management Controller, and therefore has some hardware requirements which prevent it from working on certain Macs. Apple has a knowledge base article outlining the Mac models which do support this command:

  • Supported
    • MacBook Air (late 2010) and later
    • MacBook (late 2009) and later
    • MacBook Pro (mid 2009) and later
    • Mac mini (mid 2010) and later
    • iMac (late 2009) and later
    • Mac Pro (late 2013)
  • Unsupported
    • MacBook Air (mid 2009) and earlier
    • MacBook (mid 2009) and earlier
    • MacBook Pro (early 2009) and earlier
    • Mac mini (late 2009) and earlier
    • iMac (mid 2009) and earlier
    • Mac Pro (mid 2012) and earlier
    • Xserve (all models)

Unfortunately, many of the systems Apple has made which might be accessed remotely on a regular basis do not qualify for the use of this command. The Xserve models, which are rack-mounted and largely accessed remotely, do not support this command. Then again, FileVault protection on these might not be necessary if they are secured in a server room.

The models that appear to matter most are the 2009 and earlier Mac Mini, and all Mac Pro systems prior to the latest models. These systems are commonly used for local servers, and might therefore be configured either headless, or otherwise usually accessed via SSH or Remote Desktop services. These systems will not be able to perform an authenticated restart, and therefore if you need to reboot them you will need to log in using a USB keyboard.


Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Computing Guides

Laptops
Desktops & Monitors
Computer Accessories
Photography
Tablets & E-Readers
3D Printers
Computing Coupons