Unlock FileVault Automatically

Overview

macOS uses a disk encryption technology called FileVault. On Apple Silicon, the disk is always encrypted, which protects the data if the SSD is removed from the Mac and read directly. However, if FileVault is not enabled, anyone with the Mac in hand can boot to recovery and access the data without a user password. To prevent this, FileVault can be enabled so that the disk encryption keys are protected by the users' passwords.

However, when a Mac is rebooted because of a power failure, a manual reboot, or a remote command, a user must enter their password to unlock the disk. Until that happens, external services (such as MDM or other remote management tools) cannot reach the device. macOS 26 Tahoe enables FileVault by default in Setup Assistant, so it will become even more common for FileVault to be enabled.

macOS provides a tool called fdesetup that allows a reboot without authenticating at the FileVault login screen. The command requires admin rights and the name and password of a user who is able to unlock the disk (a secure token user).

To make this process easier, we created a tool called FilevaultLogin. FilevaultLogin installs a login mechanism that runs during user login. The mechanism saves the user's password to the user's keychain and allows only our FilevaultLogin app to access it. After the user logs in, the FilevaultLogin app is launched, reads the user's login password, and then uses the fdesetup command to allow the next reboot to complete without unlocking the disk at the FileVault login window. This means that after the reboot the machine will be available on the network and accessible by MDM.
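As an added illustration of the fdesetup step described above (this is example code, not FilevaultLogin's own), a POSIX shell script that preflights the Mac and arms the next reboot to skip the FileVault unlock. It relies on fdesetup's `authrestart -delayminutes -1` (defer until the next restart) and `-inputplist`; the function names and the FV_USER/FV_PASS environment variables are this example's own, and it must run as root on a Mac with FileVault on.

```shell
#!/bin/sh
# Added example (not Twocanoes' FilevaultLogin code): defer the next restart's
# FileVault unlock with fdesetup, feeding credentials over stdin as a plist.
# Assumes macOS /usr/bin/fdesetup and root; FV_USER/FV_PASS are hypothetical.

# Escape the five XML special characters so a password cannot break the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# Build the property list fdesetup accepts via -inputplist. Passing it on
# stdin keeps the password out of command-line arguments, which every local
# user could otherwise read from the process table with ps(1).
build_authrestart_plist() {
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
    '<plist version="1.0"><dict>' \
    "<key>Username</key><string>$user</string>" \
    "<key>Password</key><string>$pass</string>" \
    '</dict></plist>'
}

# Preflight: FileVault must be on and the hardware must support authrestart.
authrestart_supported() {
  [ "$(fdesetup isactive 2>/dev/null)" = "true" ] &&
  [ "$(fdesetup supportsauthrestart 2>/dev/null)" = "true" ]
}

# -delayminutes -1 arms the unlock for whenever the next restart happens
# instead of restarting immediately, matching the behaviour described above.
arm_next_reboot() {
  build_authrestart_plist "$1" "$2" |
    fdesetup authrestart -delayminutes -1 -inputplist
}

# Only act when fdesetup exists and the caller supplied credentials in the
# environment (hypothetical FV_USER/FV_PASS); otherwise the script stays inert.
if command -v fdesetup >/dev/null 2>&1 && [ -n "${FV_USER:-}" ] && [ -n "${FV_PASS:-}" ]; then
  authrestart_supported && arm_next_reboot "$FV_USER" "$FV_PASS"
fi
```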

Setup

To set up the FilevaultLogin app, follow the instructions below:

  1. Download the FilevaultLogin installer from https://bitbucket.org/twocanoes/passwordutility-public/downloads/
  2. Install the app on an Apple Silicon Mac.
  3. Launch the FilevaultLogin app, and you will be prompted to allow it. Select Allow and enter the admin's password.
  4. Log out and log in as a user who can unlock FileVault. The user's password will be stored in the user's keychain. FilevaultLogin will be launched automatically, set FileVault to be unlocked on the next reboot, and then quit. There will be no user-visible indication that it ran.
  5. Reboot; the Mac will come up at the standard login window and be available on the network.

NOTE: If there is a power failure or any other reboot while the Mac is at the login window and no FileVault user has logged in since the last reboot, the user will be required to authenticate to unlock FileVault. We could work around this with the FileVault unlock key, but that would require embedding the key in the system keychain, where any admin could access it.

Also, this is an expiring beta, so it will expire 30 days after it was first posted.

Uninstall

To uninstall FilevaultLogin, run:

/Applications/FilevaultLogin.app/Contents/Resources/setup.sh -r

Then drag the FilevaultLogin app to the trash.

More Information

If you have any questions or are interested in this app, please reach out to us through our contact page.