As far as I understood, FileVault provides full disk encryption functionality. What gets me puzzled, though, is that once a computer (with its disk encrypted using FileVault) is turned on, the username is displayed before the disk is decrypted. Thus, it has to be stored somewhere (and wherever it is stored, this storage is not encrypted). So I am wondering:

- Where exactly is the username stored?
- What else is stored there (and thus left unencrypted)?
- It seems to me that (no matter what the answers to the two previous questions are) FileVault encryption can not be called "full disk". To illustrate the point: if an Android device is encrypted and then restarted, the process of loading the OS won't start until the password is provided (which feels 'fuller' to me). Am I missing anything?
Best Answer
In older pre-T2 Macs the disk is not fully encrypted and the user's name is stored in an unencrypted volume called `Preboot`. This volume is readable by the firmware, which calls `boot.efi` within it. This displays the unlock screen and, once the password is entered, unlocks the OS volume and the OS loads.

The term "full disk encryption" is generally used to describe something other than file-level encryption rather than implying that there is nothing unencrypted on the disk. Probably "full volume encryption" would be clearer.

This is much the same as Windows BitLocker or Linux LUKS encryption, except they tend to simply demand a valid password/key/fingerprint etc. to unlock without storing the username outside the encrypted volume.

In T2 Macs the structure is the same but the whole disk is encrypted, so `Preboot` is not accessible until the disk is unlocked by the T2 chip.

There are various unencrypted locations on the pre-T2 startup disk. First of all, the EFI partition is not encrypted. This partition may contain nothing or may contain firmware updates in a directory `EFI/APPLE`. This is not private or unique data. It may also contain bootloaders for Windows or other OSs, if you have installed them, as they also need an unencrypted partition to boot from.

Next, not all the volumes in the partition which holds the APFS container containing macOS are encrypted. In Mojave it looks like this (Catalina has an extra encrypted volume `Macintosh HD - Data`).

`Recovery` is not encrypted (you can get into recovery without unlocking) but doesn't appear to contain unique data.

`Preboot` is not encrypted (so the system can find the bootloader `boot.efi`, display users, wallpapers etc.) before unlocking the OS volume. It has at least some data that is not generic.

You can mount `Preboot` and have a look at what it contains. Taking the Mojave example from above... Inside you'll find one directory named with the GUID returned from `diskutil info disk1s1 | grep 'Volume UUID'`.

You can then drill down into this directory - there is the bootloader `boot.efi` which the firmware calls to start macOS and lots of (to judge by their names) EFI resource files which contain fonts, graphics resources, etc. For example:

What all the things in this volume are isn't particularly clear but you'll find your username in plaintext at least in these files:

- `.../System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey`
- `.../var/db/AdminUserRecoveryInfo.plist`
- `.../var/db/CryptoUserInfo.plist` - also appears to contain the user's icon data
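As an added example (not part of the answer above), here is a small POSIX shell check that turns the manual inspection into a repeatable audit: given the mounted Preboot volume, the OS volume's UUID and a user name, it reports which of the three files listed above still contain that name in plaintext. The `/Volumes/Preboot` mount point in the usage comment, the fixture helper and the sample UUID are assumptions made for offline testing, not values from the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. Audits which files under an
# already-mounted Preboot volume still carry a user name in plaintext.
# Usage (mount point and volume identifier are assumptions; take the UUID from
# `diskutil info disk1s1 | grep 'Volume UUID'` as the answer describes):
#   preboot_username_exposure /Volumes/Preboot <Volume-UUID> <username>

# Files the answer reports as holding the user name in plaintext, relative to
# the per-volume directory named after the OS volume's UUID.
PREBOOT_USER_FILES="System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
var/db/AdminUserRecoveryInfo.plist
var/db/CryptoUserInfo.plist"

# Prints, one per line, each known file under <mount>/<uuid>/ that contains
# <username>; exit status is 1 when none does. grep -a also scans binary
# plists, -F treats the user name literally, -q keeps grep itself silent.
preboot_username_exposure() {
    mount="$1"; uuid="$2"; user="$3"; found=0
    for rel in $PREBOOT_USER_FILES; do
        f="$mount/$uuid/$rel"
        [ -f "$f" ] || continue
        if grep -a -q -F -- "$user" "$f"; then
            printf '%s\n' "$rel"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Constructed fixture for offline testing only: mimics the Preboot layout with
# a made-up UUID and minimal stand-ins for the plists (not real Apple files).
make_preboot_fixture() {
    root="$1"; uuid="$2"; user="$3"
    mkdir -p "$root/$uuid/System/Library/Caches/com.apple.corestorage" \
             "$root/$uuid/var/db"
    printf 'opaque wipekey bytes\n' \
        > "$root/$uuid/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey"
    printf 'AdminUser %s\n' "$user" > "$root/$uuid/var/db/AdminUserRecoveryInfo.plist"
    printf 'CryptoUser %s icon\n' "$user" > "$root/$uuid/var/db/CryptoUserInfo.plist"
}
```

Run it against the real volume after `diskutil mount Preboot` (or whatever mounts it on your system) and compare the list with the three files above; a name that appears in none of them on a T2 Mac is the expected result, since the whole disk is locked there.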