FileVault 2 Deferred Enablement in Yosemite
Apple recognized that there would be situations where Mac admins would need to set up FileVault 2 for a person when the admin does not have the password for that person’s user account. To avoid the immediate need to enter a password, fdesetup has a -defer flag in Mountain Lion, Mavericks and Yosemite that can be used with fdesetup’s enable verb to delay enabling FileVault 2 until after the current (or next) user logs out. With the -defer flag, the user will be prompted for their password at their next logout or restart. The recovery key information is not generated until the user password is obtained, so the -defer option requires a file location where this information will be written to as a plist file.[…]
In Yosemite, Apple added new options for fdesetup’s -defer flag. These new options now allow Mac admins to set a deferred enablement with the following options:
- Enforce FileVault 2 enablement at logout
- Enforce FileVault 2 enablement at login
- Enforce FileVault 2 enablement at both login and logout
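As an added example (not code from the post or from Apple), the script below builds the fdesetup enable -defer command line for each of the three Yosemite enforcement modes and then reads the recovery key back out of the plist that -defer writes once the user has entered their password. The -forceatlogin and -dontaskatlogout flags and their semantics are assumed from the Yosemite fdesetup man page and are not on the page; the sample plist is constructed.

```shell
#!/bin/sh
# Added example, not from the post. Builds the deferred-enablement command
# for one enforcement mode and extracts the recovery key from the -defer
# plist. Assumed flags (Yosemite fdesetup man page, not on the page):
#   -forceatlogin <max_cancels>   prompt at login; 0 = user cannot cancel
#   -dontaskatlogout              do not prompt at logout

# Print the fdesetup command line for MODE (logout|login|both) writing to PLIST.
fv2_defer_cmd() {
    mode="$1"; plist="$2"
    case "$mode" in
        # plain -defer: the user is prompted at the next logout/restart
        logout) echo "fdesetup enable -defer $plist" ;;
        login)  echo "fdesetup enable -defer $plist -forceatlogin 0 -dontaskatlogout" ;;
        both)   echo "fdesetup enable -defer $plist -forceatlogin 0" ;;
        *)      echo "fv2_defer_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Extract RecoveryKey from the XML plist written at the -defer path.
# Returns non-zero while no key is present (user has not enabled yet).
fv2_recovery_key() {
    key=$(awk '/<key>RecoveryKey<\/key>/ { getline; sub(/.*<string>/, "");
                sub(/<\/string>.*/, ""); print; exit }' "$1")
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Constructed sample of a completed deferral plist (values are made up).
# The real file holds the recovery key in clear text: escrow the key to
# your management system, then remove the file.
SAMPLE_PLIST=$(mktemp)
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>RecoveryKey</key>
	<string>AAAA-BBBB-CCCC-DDDD-EEEE-FFFF</string>
	<key>SerialNumber</key>
	<string>C02EXAMPLE00</string>
</dict>
</plist>
EOF

fv2_defer_cmd both /private/var/root/fv2_deferred.plist
fv2_recovery_key "$SAMPLE_PLIST"
```

The deferral plist path should be root-only (for example under /private/var/root with mode 600), since anyone who can read it can read the recovery key.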
Update (2015-02-02): Rich Trouton:
fdesetup in Yosemite has the authrestart verb, which allows a FileVault 2-encrypted Mac to restart, bypass the FileVault 2 pre-boot login screen, and go straight to the OS login window.