2012/11/02

FileVault2 (FDE) trivia

Interesting...

I configured my Mac to require me to enter the boot volume's FileVault2 passphrase before login; no automatic retrieval using an account's (less secure) login password.

This worked great, then at some point later, I added a second "Standard" account (for my Grandmother's iPad :) and the next time I booted (it's not that often; thanks for making a really stable OS, Apple) I noticed that this account was able to log in directly.

Hmm; somehow when the account was created, it glommed on to the FileVault2 passphrase - not nice.

System Preferences gave me no way to turn this off; interesting-er. Neither "Users & Groups" nor "Security" was any help; "Security" didn't even have this account listed via the "Enable Users..." button (toward the bottom).

To the Intertubes!

Here's an interesting article from IACR (International Association for Cryptologic Research) with lots of background: Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption. It didn't help solve this problem, though it was a useful read; thanks, IACR.

And the jackpot, at Krypted.com, Encrypting Volumes in OS X Mountain Lion, is how I found out about the "fdesetup" command. (That's "fde" as in "full disk encryption".)

(BTW: After disabling this new account (with "fdesetup remove"), I opened the "Security" preference pane and it is now listed (as disabled) where it previously wasn't shown at all.)

[2015/03/20 update: If the output of "fdesetup list" is empty, no users have the capability, and it's required (as desired) to enter the disk password before login.]
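Here's a small audit script I've added to go with the above (it's not from the original post, and it isn't part of Apple's tooling). It works on the "username,UUID" lines that "fdesetup list" prints and flags any account that can unlock the disk but isn't on an allow list you pass in; an empty list passes, matching the update above. The sample lines and UUIDs are made up so the functions can be exercised without a Mac; on the real machine you'd feed it "sudo fdesetup list".

```shell
#!/bin/sh
# Added example, not from the original post: audit which accounts can unlock
# a FileVault 2 volume, based on the "username,UUID" lines from `fdesetup list`.

# Constructed sample of `fdesetup list` output so the functions can be run
# offline; both UUIDs are made up.
SAMPLE_FDE_LIST='alice,11111111-2222-3333-4444-555555555555
grandma,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# fv_users: read `fdesetup list` output on stdin, print one username per line.
fv_users() {
    cut -d, -f1
}

# fv_unexpected: read usernames on stdin and print those that are NOT in the
# space-separated allow list given as $1.
fv_unexpected() {
    allowed=" $1 "
    while IFS= read -r user || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        case "$allowed" in
            *" $user "*) ;;                 # allowed to unlock the disk
            *) printf '%s\n' "$user" ;;     # unexpected FileVault user
        esac
    done
}

# fv_check: read `fdesetup list` output on stdin; succeed (exit 0) only if
# every enabled user is in the allow list. An empty list also succeeds, which
# is the "disk password required before login" state described above.
fv_check() {
    extra=$(fv_users | fv_unexpected "$1")
    [ -z "$extra" ]
}

# Real use on the Mac (needs root):
#   sudo fdesetup list | fv_users | fv_unexpected "alice"
# and then, for each account that shouldn't be able to unlock the volume:
#   sudo fdesetup remove -user grandma
# Offline run against the constructed sample:
printf '%s\n' "$SAMPLE_FDE_LIST" | fv_users | fv_unexpected "alice"
```

With the sample data the script prints "grandma", the account that silently picked up the ability to unlock the volume; rerunning after "fdesetup remove" should print nothing.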