I recently wrote about some challenges using FileVault on a headless Mac.
And later experimented with a way of getting:
- both headless (including a full boot, headless)
- and FileVault
Which amounts to this:
- Configure the boot volume without FileVault.
- Set up a 2nd volume (APFS makes this easy).
- Encrypt the 2nd volume.
- Create a new "secure" user - whose homedir is on the 2nd, encrypted, volume.
Why? That new user's homedir is now better protected - if for example, the storage were removed.
Notes:
- The "secure" user, can't log in til that 2nd volume is mounted.
- The encrypted volume won't auto-mount (which would kinda defeat the point).
- If you want to be a bit less secure, you could config a user whose homedir is on the unencrypted volume, to use the Keychain to mount the encrypted volume when they log in - in which case, you'd still have to take that manual step (of logging in to the "primary account"), though that would immediately allow the "secure" user to login.
Curious if anyone else is interested in doing anything like this, or if this prompts any thoughts.
No comments:
Post a Comment