Automated Filevault encryption

You can build the latest version of the application using the Xcode project files available from the GitHub repository. There’s also a already-built application available for download from the GitHub repo.
Download: FileVault Setup

This application can be installed anywhere on the Mac, though the GitHub project page recommends either /Applications or /Applications/Utilities. For the purposes of my testing, I put it into /Applications.

The application was designed to be run by a Mac OS X loginhook. This allows it to be launched when a user logs in, but also runs the application with root privileges. Running this application with root privileges is important because fdesetup requires root privileges to run.
Since this is a process that’s more easily shown than explained, I’ve made a video showing the process from the user’s perspective.

sudo defaults write LoginHook /Applications/FileVault Setup


If you’re looking for a way to enforce FileVault 2 on your Macs and don’t have access to server resources, FileVault Setup is a great addition to your set of tools. It will give you the ability to encourage encryption on your machines or force it, depending on your security needs.

It also gives you the ability to prepare a machine and deploy it to your users without encrypting it first, as the loginhook will ensure that encryption gets turned on at the first login.


The application has four command line switches that can be used to tell it how to run:

-FVSDoNotAskForSetup YES / NO – suppresses prompting the user to enable FileVault 2 encryption. The default is NO

-FVSForceSetup YES / NO – enforces the setup and arrests login until the user accepts. The default is NO

-FVSUseKeychain YES / NO – Sets the FileVault 2 encryption to use /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key. The default is YES

-FVSCreateRecoveryKey YES / NO – Sets the FileVault 2 encryption to generate and use an alphanumeric individual recovery key. The default is YES

FileVault Setup can also be managed by MCX or by the defaults command. FileVault Setup accepts four defaults:

sudo defaults write /Library/Preferences/ca.sfu.its.filevaultsetup FVSCreateRecoveryKey -bool NO

sudo defaults write /Library/Preferences/ca.sfu.its.filevaultsetup FVSUseKeychain -bool YES

sudo defaults write /Library/Preferences/ca.sfu.its.filevaultsetup FVSForceSetup -bool YES


Running FileVault Setup without any command line switches or other management will mean it will run with the following configuration:

/path/to/FileVault Setup -FVSDoNotAskForSetup NO -FVSForceSetup NO -FVSUseKeychain YES -FVSCreateRecoveryKey YES

In this case, FileVault 2 encryption set up is not forced. For the recovery keys, FileVault Setup will have fdesetup both generate an alphanumeric individual recovery key and set /Library/Keychains/FileVaultMaster.keychain as an institutional recovery key.

source –