Security Implications of fdesetup authrestart on FileVault-Enabled Macs

I'm looking for confirmation on the security aspects of fdesetup authrestart when used on a FileVault-enabled Mac.

As I understand it, this command temporarily stores the decryption key in memory to allow the system to restart without requiring manual entry of the FileVault password. However, I have a few security-related concerns:

Storage of the Decryption Key: Where exactly is the key stored during an authenticated restart? Is it protected within the Secure Enclave (for Apple Silicon Macs) or the T2 Security Chip on Intel Macs?

Key Lifetime & Wiping: At what point is the decryption key erased from memory? Does it persist in any form after the system has fully rebooted?

Protection Against Physical Attacks: If an attacker gains physical access to the machine before the restart completes, is there any possibility that they could extract the decryption key from memory?

Cold Boot Attack Resistance: Is there any risk that advanced forensic techniques (such as freezing RAM to retain data) could be used to recover the decryption key after issuing an authenticated restart?

Malware Resistance: Could a compromised system (e.g., root access by an attacker) intercept or misuse the decryption key before the restart?

I understand that on Apple Silicon and T2-equipped Macs, FileVault keys are tied to hardware-based encryption, making unauthorized access difficult.

However, I'd like to confirm whether Authenticated Restart introduces any new risks compared to a standard FileVault-enabled boot process.

Answered by DTS Engineer in 825636022

This is about the security of the platform as a whole, rather than about specific APIs, so it’s not something I can help you with. My general advice on such topics is:

  1. Consult the Apple Platform Security document to see if it says anything about this.

  2. If not, feel free to file a bug requesting that it be updated to do so.

  3. If that’s not sufficient, you can ask your question over on Apple Support Community, run by Apple Support.

  4. Or if you have access to more advanced Apple support, escalate it that way.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
