I have the same problem when booting from an external drive, but not my internal drive!
When I boot normally, I only see one FileVault option: me. However, when booting from my USB drive, I see two: me, and "Disk Password".
Investigating with fdesetup (sudo fdesetup list -extended) shows that the internal drive has:
ESCROW UUID TYPE USER
BCF2ABC6-40F8-4F31-A508-7284BC85E65A Personal Recovery User
2EE7445C-13C0-497D-AD54-DA1B8D22A0F7 OS User ben
However, the external drive has:
ESCROW UUID TYPE USER
EB313C9F-E27C-41D5-9EE3-192490C792BE Disk Passphrase User
92ACE5CE-7187-44DB-92CE-56344C18568D OS User ben
Note that the external drive doesn't have a recovery key set (confirmed with fdesetup haspersonalrecoverykey returning false).
It looks like it should be possible to remove the Disk Passphrase using fdesetup, by doing fdesetup remove -uuid <the UUID of Disk Passphrase>. I would strongly recommend adding a recovery key, if you do this.
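An added example (not code from the answer above) that parses the credential table printed by fdesetup list -extended and flags the two things this answer looks for: a "Disk Passphrase User" slot and a missing "Personal Recovery User" slot. The two sample listings are constructed copies of the ones shown above; on a real Mac you would feed it the live output of sudo fdesetup list -extended. The UUID pattern, the three credential types and the column layout (blank ESCROW column, UUID, multi-word TYPE, optional USER) are assumptions taken from those listings.

```python
"""Audit the credential slots reported by `fdesetup list -extended`."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed samples mirroring the answer's two listings.
INTERNAL_SAMPLE = """\
ESCROW UUID TYPE USER
BCF2ABC6-40F8-4F31-A508-7284BC85E65A Personal Recovery User
2EE7445C-13C0-497D-AD54-DA1B8D22A0F7 OS User ben
"""

EXTERNAL_SAMPLE = """\
ESCROW UUID TYPE USER
EB313C9F-E27C-41D5-9EE3-192490C792BE Disk Passphrase User
92ACE5CE-7187-44DB-92CE-56344C18568D OS User ben
"""

UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Only the three credential types that appear in the answer are modelled.
KNOWN_TYPES = ("Personal Recovery User", "Disk Passphrase User", "OS User")


@dataclass(frozen=True)
class Credential:
    uuid: str
    kind: str
    user: Optional[str]


def parse_listing(text: str) -> list[Credential]:
    """Turn the listing into Credential rows; header and blank lines are skipped."""
    creds: list[Credential] = []
    for line in text.splitlines():
        parts = line.split()
        # The ESCROW column may be blank, so locate the UUID token wherever it sits.
        idx = next((i for i, p in enumerate(parts) if UUID_RE.match(p)), None)
        if idx is None:
            continue
        rest = " ".join(parts[idx + 1:])
        for kind in KNOWN_TYPES:
            if rest == kind or rest.startswith(kind + " "):
                user = rest[len(kind):].strip() or None
                creds.append(Credential(parts[idx].upper(), kind, user))
                break
        else:
            raise ValueError(f"unrecognised credential type in row: {line!r}")
    return creds


def audit(creds: list[Credential]) -> tuple[list[str], list[str]]:
    """Return (findings, UUIDs of Disk Passphrase slots)."""
    findings: list[str] = []
    disk_pass = [c.uuid for c in creds if c.kind == "Disk Passphrase User"]
    if disk_pass:
        findings.append("disk passphrase slot present: " + ", ".join(disk_pass))
    if not any(c.kind == "Personal Recovery User" for c in creds):
        findings.append("no personal recovery key set")
    return findings, disk_pass


def removal_command(uuid: str) -> list[str]:
    """The command the answer proposes, returned as argv for review rather than run."""
    return ["sudo", "fdesetup", "remove", "-uuid", uuid]


def live_listing() -> str:
    """Fetch the real table on a Mac (requires sudo); unused by the offline demo."""
    return subprocess.run(["sudo", "fdesetup", "list", "-extended"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, sample in (("internal", INTERNAL_SAMPLE), ("external", EXTERNAL_SAMPLE)):
        findings, disk_pass = audit(parse_listing(sample))
        print(f"{label}: {findings or 'no findings'}")
        for u in disk_pass:
            print("  review before running:", " ".join(removal_command(u)))
```

Run as-is it reports nothing for the internal sample and two findings for the external one, which matches the answer's reading of its own listings; the removal command is only printed so it can be checked against the recovery-key advice first.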
A locked hard drive is a hard drive that is encrypted.
When you unlock the drive you are telling the system how to interpret the encrypted data. Unlike permanent decrypting, the data on the drive stays encrypted, you are just telling it how to read the encrypted data on the fly.
On its normal computer, information will have been saved into the system's keychain allowing it to access the drive without prompting you for a code. If you open Keychain Access on that Mac and search for the name of the drive, or sort the list by "Kind", you should find an "encrypted volume password" entry. That is what the Mac is using to unlock the drive without prompting you.
Best Answer
You can find a setup guide for FileVault 2 here:
https://support.apple.com/en-gb/HT204837
When you enable FileVault 2 on your boot drive, an admin user will need to unlock the computer before it can be used. I.e. non-admin users will not be able to unlock and decrypt the drive.
When you turn on the computer, it boots from a separate, non-encrypted partition. That partition holds the decryption software as well as a list of admin users that can unlock the drive. This is done so that the bootup partition can display a startup image similar to a normal login screen with the names and avatars of the users that can unlock the drive.
Note that the unencrypted drive only holds the user names, not passwords, salted hashed passwords or anything like that. The user will need to enter a password that successfully decrypts the decryption key in order to unlock the computer.
In addition to the login password (which is used as a passphrase for one of the keys), you can also choose to enable either a recovery key, which is a 120-bit master password that can be used to decrypt the drive, or the option to allow an AppleID to unlock the drive. This means that you can unlock the drive by logging in to your AppleID, which enables you to retrieve the key from Apple's servers. Some like this option for its ease of use; others prefer not to enable it for security reasons.
When you compare FileVault to LUKS, the systems are in principle very similar. However, on a modern Mac with the T2 security chip, you'll find an additional security layer implemented with a Secure Enclave, which tries to hinder brute-forcing the passphrase by adding delays, and protects against side-channel attacks on the main CPU, as the encryption keys are never in memory on the Intel CPU. You can find further technical details here:
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
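The answer above describes the key idea behind the multiple unlock options: the login password, the recovery key and the AppleID path each decrypt the volume's decryption key rather than the data, and the unencrypted metadata holds only names, not password hashes. The following is an added toy model of that arrangement, written for this page and not Apple's construction: PBKDF2 from the standard library derives a key-encryption key from each credential, and an HMAC-authenticated XOR keystream stands in for a real key-wrap cipher. The recovery-key alphabet, the iteration count and the wrap construction itself are assumptions chosen for the demonstration; the 120-bit size is the one the answer quotes.

```python
"""Toy model: several credentials, each wrapping one volume key."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERS = 100_000  # assumption: only there to make guessing slow


def recovery_key() -> str:
    """24 symbols from a 32-symbol alphabet = 120 bits, grouped in fours.
    The alphabet is an assumption; the page does not give FileVault's."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    chars = "".join(secrets.choice(alphabet) for _ in range(24))
    return "-".join(chars[i:i + 4] for i in range(0, 24, 4))


def _kek(credential: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a password or recovery key."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ITERS, 32)


def wrap(volume_key: bytes, credential: str) -> dict:
    """Encrypt the volume key under the credential (toy wrap, not AES key wrap)."""
    salt = os.urandom(16)
    kek = _kek(credential, salt)
    stream = hashlib.shake_256(kek + b"wrap").digest(len(volume_key))
    blob = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, salt + blob, "sha256").digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap(slot: dict, credential: str) -> Optional[bytes]:
    """Recover the volume key, or None if the credential does not match this slot."""
    kek = _kek(credential, slot["salt"])
    expected = hmac.new(kek, slot["salt"] + slot["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None  # wrong credential: the tag check fails before anything is decrypted
    stream = hashlib.shake_256(kek + b"wrap").digest(len(slot["blob"]))
    return bytes(a ^ b for a, b in zip(slot["blob"], stream))


class Volume:
    """One volume key; the slot table is what unencrypted metadata would store."""

    def __init__(self) -> None:
        self.volume_key = secrets.token_bytes(32)
        self.slots: dict[str, dict] = {}  # label -> wrapped copy of volume_key

    def add_credential(self, label: str, credential: str) -> None:
        self.slots[label] = wrap(self.volume_key, credential)

    def remove_credential(self, label: str) -> None:
        # Dropping a slot removes one way in; the data and volume key are untouched.
        del self.slots[label]

    def unlock(self, credential: str) -> Optional[tuple[str, bytes]]:
        for label, slot in self.slots.items():
            key = unwrap(slot, credential)
            if key is not None:
                return label, key
        return None


if __name__ == "__main__":
    vol = Volume()
    vol.add_credential("OS User ben", "correct horse battery staple")
    rk = recovery_key()
    vol.add_credential("Personal Recovery User", rk)
    print("slots visible in metadata:", list(vol.slots))
    print("password unlock ->", vol.unlock("correct horse battery staple")[0])
    print("recovery unlock ->", vol.unlock(rk)[0])
    vol.remove_credential("OS User ben")
    print("after removing the password slot, password works:",
          vol.unlock("correct horse battery staple") is not None)
```

The slot labels are the only thing an attacker with the metadata learns; each wrapped blob is indistinguishable from random without its credential, which is why the answer can say the unencrypted partition holds names but nothing password-derived that is useful offline. It also shows why the first answer's advice to keep a recovery key matters: once the password slot is gone, the recovery slot is the only remaining way to reach the volume key.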