There was an error in this gadget

Wednesday, November 21, 2012

How to restart a FileVault-protected Mac remotely

How to restart a FileVault-protected Mac remotely

If necessary, you can restart a FileVault-enabled Mac and have it automatically unlock the volume and load the operating system.

OS X's encryption service, FileVault, originally stored users' home folder contents in encrypted disk images. In OS X Lion, FileVault now uses Apple's new CoreStorage volume manager to encrypt the entire disk. With CoreStorage, the OS configures a small hidden partition with a preboot welcome screen that looks like the standard OS X log-in window and contains user accounts that are authorized to unlock the volume and cause the system to load and automatically log in to the account specified on the preboot screen.

Unfortunately, while more secure and while offering a relatively seamless experience when sitting at your computer, the preboot authentication requirement for FileVault does pose a bit of a problem for those who access their systems remotely, such as through Screen Sharing (using Back To My Mac) or through SSH and other remote-access technologies.

If you make a configuration change and need to restart the system, the computer will require preboot authentication before the system and any remote-access services load. In effect, this creates a bit of a hurdle for those who wish to keep their systems secure with FileVault but who also want to be able to restart their systems remotely.

Luckily, Apple does provide a way to restart a FileVault-encrypted system and have it boot back to a working state. To do this, open the Terminal and run the following command:

sudo fdesetup authrestart

This command will ask for the current user's password or the recovery key for the FileVault volume, and then store the current user's credentials so when the system is restarted the computer can use these credentials to unlock the volume at the preboot screen. This means when the system reboots it will automatically unlock the volume so the OS will load, dropping you at the standard log-in window so you can log in to the user account of your choice.

This approach to restarting a system is useful if you have made manual changes to a FileVault-protected system, but also if the system has software updates available for it that are automatically installed. While the App Store or Software Update service will prompt you to restart the system, avoiding these prompts and using the above command will apply the updates and restart the system to a usable state for remote access.

In addition to aiding in remote management of a system, this command can be used locally to restart a system without needing to manage the preboot authentication screen again. If you are configuring updates on a local server and simply need to restart it to a working state, then you can issue this command and move on to other tasks instead of having to wait for it to restart and then manually unlock the encrypted boot drive.

This command does require administrative access to run, and you need to know either the password of a FileVault-enabled user account (likely the same admin account) or the recovery key for the FileVault volume that is displayed for you when you enable FileVault. These credentials are stored in memory for the restart process, but are then cleared when the system boots. As a result, while some may have concerns about such commands providing a means around the system's standard security measures, the command should maintain the same security requirements for FileVault.

1 comment:

  1. I did enjoy reading articles posted on this site. They are impressive and has a lot of useful information.
    small business web hosting