I recently learned that it is possible to encrypt an APFS volume within a container from the CLI using the diskutil command like so:

diskutil apfs encrypt -user disk disk3s1

where disk3s1 is the only volume in the APFS container on my external drive. The disk user is mentioned in the diskutil man page, but I do not understand what it is. Additionally, if I understand correctly, encrypting the macOS startup disk using the typical "System Preferences" -> "Security and Privacy" -> "FileVault" tab -> "Turn on FileVault" button achieves essentially the same thing. From what I can see, the difference between the two approaches has to do with the users that can decrypt the disk. Using the "System Preferences" approach, my user (BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB below) has permission to decrypt the disk, as does the recovery key (user CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC below) that was generated when I hit the "Turn on FileVault" button. The differences can be seen using diskutil once again:
# Volume on the external drive:
diskutil apfs listkeys disk3s1
# Cryptographic user for disk3s1 (1 found)
# |
# +-- AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA
#     Type: Disk User

# Data volume on my MacBook's internal drive:
diskutil apfs listkeys disk1s2
# Cryptographic users for disk1s2 (2 found)
# |
# +-- BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB
# |   Type: Local Open Directory User
# |
# +-- CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC
#     Type: Personal Recovery User
I did some internet searching but I could not find satisfactory answers to the following questions; any help is appreciated. Thanks in advance.
- What is the "disk" user? Is it special? Is it universal among all macOS installs?
- Can I add additional crypto users to disk3s1 via diskutil or some other CLI command?
- Can I add a personal recovery user/recovery key after the fact (e.g. to disk3s1 as shown above) via diskutil or another CLI command?
- Can I remove crypto users after the fact?
References
Here are some articles I read before I created this post, listed in no particular order, some more relevant than others.
- APFS technical documentation
- Decrypting an APFS encrypted volume using diskutil on macOS 10.13.2
- Slides from the “Managing FileVault 2 on macOS High Sierra” Session at MacAD UK 2018 Conference
- APFS encryption, ghost guest users, and odd UUIDs
- Making sense of Disk Utility and disk structure in macOS 10.13-10.15
- Working with FileVault Encryption
- Frequently Asked Questions about encrypting the backup volume
Best Answer
Short version:
- The disk "user" is the equivalent of having only a single password for decrypting the disk.
- You can add additional users for the boot volume using the fdesetup add command (see fdesetup help for details).
- You can add or change the recovery key after the fact using fdesetup changerecovery.
- You can remove users later using fdesetup remove, and you can also remove the recovery key with fdesetup removerecovery.
- I don't yet know how to add or remove users/keys to encrypted APFS disks that are not the boot volume.
Long Version:
The convention of having multiple cryptographic users on a disk was done primarily to facilitate FileVault boot disks. Because of this convention, the concept of a disk "user" was created to allow disks to be encrypted with a single encryption key for non-boot disks.
The disk "user" is what would be created if you encrypted a disk using a method other than the "Turn on FileVault" method you described above. This is the equivalent of having a disk encrypted by a single password, instead of having multiple users able to decrypt the disk with their own passwords.
Having multiple users able to decrypt a disk is important for a startup disk with FileVault as it allows them to enter their own username and password at boot to decrypt the disk and login. Without it, they would have to know the disk encryption password (the disk "user") and enter that at boot, then login with their own user credentials at the login screen once boot is complete.
This is why FileVault automatically adds additional encryption keys for users to your boot drive when you enable it (in this case, one for your user and one for the FileVault master recovery key in case a user forgets their password and needs to reset it). But if you are encrypting a non-startup disk, having access for multiple users may not be useful or even desirable. This is why encrypting the disk from the CLI only creates the disk "user". (I believe this is also the case when encrypting using the Disk Utility app or from the Finder).
You can, of course, encrypt a boot disk with only a single disk "user" and no other cryptographic users or recovery keys. You will be presented with a password prompt at boot and it will display a disk icon instead of a user icon, and you will have to enter the disk encryption password instead of your user password. Any users on the machine who do not know this password will be unable to decrypt the disk and login to the machine.
Edit: Just want to add the following: Note that the disk "user" will only be added to the list of cryptographic users when you first encrypt the disk using the CLI (diskutil apfs) or via Finder or Disk Utility. The disk user will not be added if you enable FileVault in the System Preferences, and it cannot later be added to a disk that already has cryptographic users. Also of note, the disk user will always have the UUID of the disk itself.