FileVault disk encryption provides an enormous amount of security to your organization's data on each macOS device. But what do you do when you need to decrypt your FileVault devices? This can be particularly important when you would like to re-enable FileVault via Addigy and collect your keys in the Addigy platform.


Disabling FileVault on a Single Machine Using Addigy Live Terminal

The Addigy Live Terminal integration provides an powerful, interactive terminal session to any of your devices with the software installed. To learn more about our Live Terminal integration, head over to our article Addigy Live Terminal Integration Overview.


Once you have initiated a Live Terminal session to the device you would like to permanently decrypt, simply run the following command:


sudo fdesetup disable


Enter the required FileVault password or recovery key and your device will begin decrypting.


Scripting the Decryption Process

In order to perform the disabling Filevault across a large number of machines from Addigy, you will to build a script which uses a standardized FileVault password or institutional recovery key.


In this example, we will be running a expect script on the machine that inputs the password as if it were done from the keyboard. The "PASSWORD_OR_RECOVERYKEY" string should be replaced to match yours.


expect -c "
log_user 0
spawn fdesetup disable
expect \"Enter a password for '/' or recovery key:\"
send "PASSWORD_OR_RECOVERYKEY"\r
log_user 1
expect eof
"