
How to enable FileVault remotely in OS X

If you have a server or other remotely accessed Mac, you can use a couple of approaches to encrypt the hard drive.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

FileVault in OS X is Apple's built-in data encryption technology, which encrypts the entire hard drive so that your data stays protected if your computer is stolen. FileVault is normally set up in the Security system preferences, where you can turn it on and choose which accounts are allowed to unlock the disk; but if your Mac is set up as a server and you wish to enable FileVault, there are several ways to do so remotely.

The first option is to use screen sharing, where you log in to the OS X interface to access the system preferences and enable FileVault; however, this requires that you have screen sharing enabled. As Apple's Back To My Mac service (which offers such a function) is part of iCloud, this may be the easiest way to go for many people.

The second approach is to use the remote log-in services with an established SSH connection. If you have a server configured, then you likely will have SSH connectivity enabled, so you can log in and run the following command to enable FileVault encryption and authorize a specific user:

fdesetup enable -user USERNAME -outputplist > ~/recoverykey.plist

When this command runs, the system enables FileVault and records the designated user as an account authorized to unlock the hard drive. The redirect to the "recoverykey.plist" file (or whatever you would like to name this plist) is an important part of the command: it saves information about the FileVault setup, including the recovery key, which you will need if you ever have to unlock the drive from another Mac.

If you wish to authorize additional users to unlock the encrypted hard drive, you can run the "fdesetup" tool again with the "-usertoadd" flag in the following manner:

fdesetup add -usertoadd USERNAME

Finally, with FileVault enabled, one of the authorized users' credentials will be required to unlock the hard drive if the system is restarted, but you can bypass this requirement by using an authenticated restart instead of a standard restart option. To do this, simply run this command when rebooting:

fdesetup authrestart

When this command is run, the current user's credentials are temporarily stored and supplied to the EFI log-in prompt, so the system should unlock the disk and continue with a normal boot of the operating system.
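As an added example that is not part of the original article, the script below wraps the two fdesetup commands above so that the recovery-key plist is written with owner-only permissions, and adds a small parser that pulls the RecoveryKey value out of that plist so the key can be copied to a safe place and the file removed from the disk it protects. It assumes the plist layout fdesetup produces (a RecoveryKey string entry) and the usual 24-character, hyphen-grouped key format; the sample plist is constructed for illustration and the fdesetup calls only work on a Mac.

```shell
#!/bin/sh
# Added example, not the article's or Apple's code. The fdesetup calls assume
# a macOS host; the parsing and validation functions run anywhere.

# Enable FileVault for USER over SSH (the article's first command), writing the
# plist under umask 077 because it holds the recovery key in plaintext.
enable_filevault() {
    user="$1"; out="${2:-$HOME/recoverykey.plist}"
    ( umask 077 && fdesetup enable -user "$user" -outputplist > "$out" )
}

# Authorize a further user to unlock the disk (the article's second command).
add_unlock_user() {
    fdesetup add -usertoadd "$1"
}

# Print the RecoveryKey value from a fdesetup -outputplist file. Uses awk so it
# works without PlistBuddy; assumes the value sits on the line after the key.
extract_recovery_key() {
    awk '/<key>RecoveryKey<\/key>/ {
            getline
            sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, "")
            print; exit
         }' "$1"
}

# Recovery keys are six hyphen-separated groups of four characters (assumed
# format). Returns 0 if KEY has that shape, 1 otherwise.
validate_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Constructed sample of what the -outputplist redirect produces (not real data).
sample_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>EnabledDate</key>
    <string>2013-01-01 12:00:00 +0000</string>
    <key>RecoveryKey</key>
    <string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
</dict>
</plist>
EOF
}
```

On the server, run `enable_filevault USERNAME`, then `extract_recovery_key ~/recoverykey.plist` to read the key off before moving the plist somewhere safe.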
