fdesetup authrestart is not accepting institutional recovery key as authentication method

Originator: rtrouton
Number: rdar://17423687
Date Originated: 6-23-2014
Status: Open
Resolved:
Product: OS X
Product Version: OS X 10.9.3 / build 13D65
Classification: Security
Reproducible: Always
 
Summary:

The 'fdesetup authrestart' command in 10.9.3 does not accept the institutional recovery key as an authentication method. Instead, "Error: Unable to restart." is displayed and the Mac does not restart.

Steps to Reproduce:

1. Open Terminal
2. Run the following command:

sudo fdesetup authrestart -key /path/to/keychain

3. Provide account password for sudo privileges (if needed)

Expected Results:

A. Expect to be prompted for the password that unlocks the recovery keychain.
B. Mac reboots to the OS login window


Actual Results:

A. "Error: Unable to restart." error is displayed in Terminal.
B. Mac does not restart.

Version:
OS X 10.9.3 / build 13D65

Configuration:
Behavior was seen on the following machines:

Mid-2012 15 inch Retina MacBook Pro - AD bound, using only institutional key
Mid-2013 15 inch MacBook Pro - local users only, using both individual and institutional keys

Notes:
Running 'fdesetup supportsauthrestart' on both affected machines returns a result of 'true'.

I verified that the recovery keychains used were valid by booting to Recovery HD and unlocking the encrypted boot drives using the following procedure:

1. Copy the FileVaultMaster keychain that contains both the public and private key of your institutional recovery key to a drive that you can access from Recovery HD.

2. Boot to Recovery HD.

3. Get the Logical Volume UUID of the encrypted drive by running the following command:

diskutil cs list


4. With the UUID information acquired, run the following command to unlock the recovery keychain:


security unlock-keychain /path/to/FileVaultMaster.keychain


Once this command is run, enter the keychain’s password when prompted. If the password is accepted, you’ll be taken to the next prompt.

5. Run the following command to unlock the encrypted volume:

diskutil cs unlockVolume UUID_goes_here -recoveryKeychain /path/to/FileVaultMaster.keychain
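The Recovery HD procedure above, as an added shell script that is not part of the original report. The parser for the Logical Volume UUID runs anywhere against a constructed sample of 'diskutil cs list' output (all UUIDs in the sample are made up); the unlock steps themselves need macOS Recovery HD (diskutil, security) and a FileVaultMaster keychain holding both the certificate and the private key. The identity check via 'security find-identity' is an extra precondition check added here, not a step from the report.

```shell
#!/bin/sh
# Added example, not code from the original report: scripts the Recovery HD
# verification of an institutional FileVault recovery keychain.
set -e

# Constructed sample of `diskutil cs list` output; every UUID is made up.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 7C1D8E2F-1A2B-4C3D-9E8F-0A1B2C3D4E5F
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D
    |   ----------------------------------------------------
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 3E4F5A6B-7C8D-4E9F-8A0B-1C2D3E4F5A6B
        ----------------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        Passphrase Required:     Yes
        |
        +-> Logical Volume 5A6B7C8D-9E0F-4A1B-8C2D-3E4F5A6B7C8D
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            LV Name:               Macintosh HD'

# Print the UUID of each Logical Volume found in `diskutil cs list` output
# read from stdin. Only the "+-> Logical Volume <UUID>" line ends in a bare
# 36-character UUID, so the Group ("+--") and Family lines never match.
lv_uuids() {
  sed -n 's/.*+-> Logical Volume \([0-9A-F-]\{36\}\)$/\1/p'
}

# Extra check (assumption, not in the report): the keychain must hold an
# identity, i.e. certificate plus private key. A keychain that only carries
# the public certificate cannot unlock a volume.
keychain_has_identity() {
  count=$(security find-identity -v "$1" \
    | sed -n 's/.*\([0-9][0-9]*\) valid identities found.*/\1/p')
  [ "${count:-0}" -gt 0 ]
}

# Steps 4 and 5 from the report: unlock the recovery keychain (prompts for
# its password), then unlock the encrypted volume with that keychain.
unlock_volume_with_keychain() {
  keychain="$1"
  uuid="$2"
  security unlock-keychain "$keychain"
  diskutil cs unlockVolume "$uuid" -recoveryKeychain "$keychain"
}

# Live run from Recovery HD: verify the keychain, then unlock every locked
# CoreStorage Logical Volume with it.
main() {
  keychain="$1"
  [ -f "$keychain" ] || { echo "no keychain at $keychain" >&2; exit 2; }
  keychain_has_identity "$keychain" \
    || { echo "keychain has no usable identity (private key missing?)" >&2; exit 3; }
  for uuid in $(diskutil cs list | lv_uuids); do
    echo "unlocking Logical Volume $uuid"
    unlock_volume_with_keychain "$keychain" "$uuid"
  done
}

# Parsing demo on the constructed sample; runs on any POSIX system.
printf '%s\n' "$SAMPLE_CS_LIST" | lv_uuids

# The live path only runs when a keychain path is supplied, e.g.
#   sh verify_frk.sh /Volumes/USB/FileVaultMaster.keychain
if [ $# -gt 0 ]; then main "$@"; fi
```

Copy the script to the same external drive as the keychain, then run it from the Recovery HD Terminal with the keychain path as its only argument; a successful run confirms that the keychain, not the authrestart path, is what works.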
