macOS – Can a Standard User Format an Encrypted Drive?

Tags: disk-utility, encryption, filevault, macos

I have recently partitioned my drive into a trap OS. If my MacBook is stolen I want to give the users access to use the device to increase the chances they will connect it to the internet and I can recover it.

My main partition is encrypted with FileVault 2. The second (trap) partition has no encryption on it. I have changed the user that automatically logs in to a Standard User and created a hidden Admin account. These are the only 2 accounts on that install.

How can I lock down my system so this Standard User can't break anything?
And more specifically, how can I prevent a Standard User from formatting the first partition?

I have tried accessing Disk Utility from the account and the full hard drive is grayed out (I have prevented it from mounting via the fstab file). However, the erase function is available (the button is there, and I can click it) and I don't want to actually start erasing my system inadvertently.

Best Answer

You're right: while booted from the other partition you don't need admin access to erase a disk.

You can set a firmware password to prevent someone from changing the startup disk if you're worried about that. But keep in mind they could just physically remove the disk from the computer. The data will still be encrypted but the firmware password won't follow the disk (pretty sure).

Setting a strong user password and, of course, storing your recovery key in a secure location are important for securing your data.