APFS “Disk User” and how to add multiple crypto users via diskutil

Tags: apfs, disk-utility, encryption, filevault

I recently learned that it is possible to encrypt an APFS volume within a container from the CLI using the diskutil command like so:

diskutil apfs encrypt -user disk disk3s1

where disk3s1 is the only volume in the APFS container on my external drive.

The disk user is mentioned in the diskutil man page, but I do not understand what it is. Additionally, if I understand correctly, encrypting the MacOS startup disk using the typical "System Preferences" -> "Security and Privacy" -> "FileVault" tab -> "Turn on FileVault" button achieves essentially the same thing. From what I can see, the difference between the two approaches has to do with the users that can decrypt the disk. Using the "System Preferences" approach, my user (BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB below) has permission to decrypt the disk as does the recovery key (user CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC below) that was generated when I hit the "Turn on FileVault" button. The differences can be seen using diskutil once again:

# Volume on the external drive:
diskutil apfs listkeys disk3s1
# Cryptographic user for disk3s1 (1 found)
# |
# +-- AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA
#     Type: Disk User


# Data volume on my MacBook's internal drive:
diskutil apfs listkeys disk1s2
# Cryptographic users for disk1s2 (2 found)
# |
# +-- BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB
# |   Type: Local Open Directory User
# |
# +-- CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC
#     Type: Personal Recovery User

I did some internet searching but I could not find satisfactory answers to the following questions; any help is appreciated. Thanks in advance.

  1. What is the "disk" user? Is it special? Is it universal among all MacOS installs?
  2. Can I add additional crypto users to disk3s1 via diskutil or some other CLI command?
  3. Can I add a personal recovery user/recovery key after the fact (e.g. to disk3s1 as shown above) via diskutil or another CLI command?
  4. Can I remove crypto users after the fact?

References

Here are some articles I read before I created this post, listed in no particular order, some more relevant than others.

Best Answer

Short version:

  1. The disk "user" is the equivalent of having only a single password for decrypting the disk.

  2. You can add additional users for the boot volume using the fdesetup add command (see fdesetup help for details).

  3. You can add or change the recovery key after the fact using fdesetup changerecovery.

  4. You can remove users later using fdesetup remove, and you can also remove the recovery key with fdesetup removerecovery.

I don't yet know how to add or remove users/keys on encrypted APFS disks that are not the boot volume.

Long version:

The convention of having multiple cryptographic users on a disk was done primarily to facilitate FileVault boot disks. Because of this convention, the concept of a disk "user" was created to allow disks to be encrypted with a single encryption key for non-boot disks.

The disk "user" is what would be created if you encrypted a disk using a method other than the "Turn on FileVault" method you described above. This is the equivalent of having a disk encrypted by a single password, instead of having multiple users able to decrypt the disk with their own passwords.

Having multiple users able to decrypt a disk is important for a startup disk with FileVault as it allows them to enter their own username and password at boot to decrypt the disk and login. Without it, they would have to know the disk encryption password (the disk "user") and enter that at boot, then login with their own user credentials at the login screen once boot is complete.

This is why FileVault automatically adds additional encryption keys for users to your boot drive when you enable it (in this case, one for your user and one for the FileVault master recovery key in case a user forgets their password and needs to reset it). But if you are encrypting a non-startup disk, having access for multiple users may not be useful or even desirable. This is why encrypting the disk from the CLI only creates the disk "user". (I believe this is also the case when encrypting using the Disk Utility app or from the Finder).

You can, of course, encrypt a boot disk with only a single disk "user" and no other cryptographic users or recovery keys. You will be presented with a password prompt at boot and it will display a disk icon instead of a user icon, and you will have to enter the disk encryption password instead of your user password. Any users on the machine who do not know this password will be unable to decrypt the disk and login to the machine.

Edit: Just want to add the following: note that the disk "user" will only be added to the list of cryptographic users when you first encrypt the disk using the CLI (diskutil apfs) or via Finder or Disk Utility. The disk user will not be added if you enable FileVault in System Preferences, and it cannot later be added to a disk that already has cryptographic users.

Also of note, the disk user will always have the UUID of the disk itself.
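The practical consequence of the thread above is that a volume whose only cryptographic user is the Disk User is protected by a single passphrase with no recovery key behind it. The following POSIX shell script is an added example, not code from the question or the answer: it parses the output format of diskutil apfs listkeys (as shown in the question, with UUIDs redacted) and classifies a volume as disk-user-only, as having a Personal Recovery User, or as having neither. The two sample listings are constructed inline so the script runs offline; on a Mac you would pipe the real command output into crypto_user_types instead. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the cryptographic
# users of an APFS volume from the text that
#     diskutil apfs listkeys <volume>
# prints. The two listings below are constructed to match the question's
# redacted output; on macOS you would run, for example:
#     diskutil apfs listkeys disk3s1 | crypto_user_types

# Constructed sample: external volume encrypted with `-user disk`.
SAMPLE_EXTERNAL='Cryptographic user for disk3s1 (1 found)
|
+-- AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA
    Type: Disk User'

# Constructed sample: boot Data volume after "Turn on FileVault".
SAMPLE_BOOT='Cryptographic users for disk1s2 (2 found)
|
+-- BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB
|   Type: Local Open Directory User
|
+-- CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC
    Type: Personal Recovery User'

# Print one "Type:" value per line from listkeys output read on stdin.
# The tree-drawing prefix ("|   " or spaces) is stripped before "Type:".
crypto_user_types() {
    sed -n 's/^[| ]*Type: *//p'
}

# Count the cryptographic users in the listkeys output passed as $1.
crypto_user_count() {
    printf '%s\n' "$1" | crypto_user_types | wc -l | tr -d ' '
}

# Classify the listkeys output passed as $1:
#   disk-user-only : the Disk User is the sole key holder (one passphrase,
#                    no recovery key, which is what the question's
#                    external volume shows)
#   has-recovery   : a Personal Recovery User is present
#   no-recovery    : other users exist but no recovery user does
classify_volume() {
    types=$(printf '%s\n' "$1" | crypto_user_types)
    if [ "$types" = "Disk User" ]; then
        echo disk-user-only
    elif printf '%s\n' "$types" | grep -q '^Personal Recovery User$'; then
        echo has-recovery
    else
        echo no-recovery
    fi
}

# Stand-alone run over the constructed samples.
printf 'disk3s1: %s user(s), %s\n' \
    "$(crypto_user_count "$SAMPLE_EXTERNAL")" "$(classify_volume "$SAMPLE_EXTERNAL")"
printf 'disk1s2: %s user(s), %s\n' \
    "$(crypto_user_count "$SAMPLE_BOOT")" "$(classify_volume "$SAMPLE_BOOT")"
```

The classification keys off the "Type:" lines only, so it does not depend on the UUIDs; as the answer notes, the Disk User's UUID is simply the volume's own UUID, so matching on the type label is the stable way to recognise it.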