MacOS – Convert between FileVault 2 and Disk Utility encryption

Tags: disk-utility, encryption, filevault, macos

I know of two ways to enable full-disk encryption in macOS Sierra:

  • Turn on FileVault 2, or
  • Boot to recovery, reformat the disk as encrypted, and reinstall macOS.

I've read in several places around the web that the underlying encryption technology is the same either way, and the difference is just how the decryption key is obtained at boot time. With FileVault, a user's login password also serves to unlock the disk, but when you encrypt with Disk Utility, you choose a separate password just for the encryption.

I've found that if the disk was encrypted via Disk Utility at install time, you can also enable a user to unlock it via the FileVault preferences window. Then, at startup, you can unlock the disk using either the disk password or the user's login password.

Having gotten into this hybrid state, though, I don't see a way to get out of it. What I'd like to know is:

  • After I've enabled a user to unlock the disk, is there a way to remove the old disk password (that was created with Disk Utility at install time) and replace it with a recovery key, so it's like a normal FileVault setup that just uses user passwords?
  • Alternatively, is there a way to remove the user from FileVault so that only the disk password will work?

And, on a related note:

  • If FileVault was enabled in the usual way (starting from an unencrypted Mac), is there a way to add a disk password that's separate from the user login passwords, like what I'd have if I'd encrypted via Disk Utility at install time?

Best Answer

As it turns out, I found the answers to most of this not long after I asked the question. The command-line fdesetup program offers some additional options.

Removing Disk Password

Run sudo fdesetup list -extended and look for the UUID labeled "Disk Passphrase". Then run sudo fdesetup remove -uuid <UUID> to remove it.

This can be used to remove the disk password that was created via Disk Utility, leaving only user login passwords for unlocking the disk.

Removing User from FileVault

Run sudo fdesetup list (-extended isn't needed) to see what users are authorized to unlock the disk, then use sudo fdesetup remove -user <USER> or sudo fdesetup remove -uuid <UUID>.

This can be used to de-authorize users so that only the disk password can be used.

Adding Recovery Key

Run sudo fdesetup changerecovery -personal. This will prompt for a password (anything that's currently enabled to unlock the disk), then display the new recovery key. (Write it down!)

Removing Recovery Key

Run sudo fdesetup removerecovery -personal. As above, this will prompt for a password.

Adding Disk Password

I couldn't find a way to do this in-place — sudo diskutil cs passwd seems like it ought to work, but it requires there to be an "old" disk password already.

However, you can turn off FileVault using the preferences window (which decrypts the disk), then use sudo diskutil cs encryptLV <UUID> to re-encrypt it with a disk password. This is slow, since it has to decrypt and re-encrypt all the data, but it works.
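The following helper is an added example, not part of the original answer and not an Apple tool. It reads saved `fdesetup list -extended` text on stdin, picks out the UUID of the "Disk Passphrase" entry or of a named user, and prints the matching `fdesetup remove` command instead of running it, refusing when the removal would leave the disk with no other unlock method (a locked-out disk is the failure mode to guard against here). The embedded listing is constructed, and the column layout it assumes (escrow flag, UUID, type, user) is an assumption; compare it with the real output on your own Mac before relying on the parsing.

```shell
#!/bin/sh
# Added example (not from the original answer): plan fdesetup removals from
# a saved `fdesetup list -extended` listing without executing anything.
#
# SAMPLE_LISTING is CONSTRUCTED. The real `fdesetup list -extended` layout
# is ASSUMED to be: escrow flag, UUID, type, user name, one entry per line.
SAMPLE_LISTING='ESCROW  UUID                                  TYPE  USER
        11111111-2222-3333-4444-555555555555  OS    alice
        66666666-7777-8888-9999-000000000000  Disk Passphrase
        AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE  Personal Recovery User'

# Print the first UUID-shaped token (36 chars of hex digits and dashes)
# on every stdin line matching the awk regex given in $1.
uuids_matching() {
    awk -v pat="$1" '$0 ~ pat {
        for (i = 1; i <= NF; i++)
            if (length($i) == 36 && $i ~ /^[0-9A-Fa-f-]*$/) { print $i; break }
    }'
}

# Number of unlock entries (lines carrying a UUID) in the listing on stdin.
unlock_entry_count() {
    uuids_matching '.' | wc -l | tr -d ' '
}

# Print the command that removes the Disk Utility disk passphrase, or fail
# (non-zero exit, reason on stderr) when no entry exists or it is the only
# remaining way to unlock the disk.
plan_remove_disk_passphrase() {
    listing=$(cat)
    uuid=$(printf '%s\n' "$listing" | uuids_matching 'Disk Passphrase' | head -n 1)
    if [ -z "$uuid" ]; then
        echo "no Disk Passphrase entry found" >&2
        return 1
    fi
    total=$(printf '%s\n' "$listing" | unlock_entry_count)
    if [ "$total" -lt 2 ]; then
        echo "refusing: the disk passphrase is the only unlock method" >&2
        return 1
    fi
    printf 'sudo fdesetup remove -uuid %s\n' "$uuid"
}

# Same check for de-authorising a user: $1 is the short user name, which is
# ASSUMED to be the last column of the user's line in the extended listing.
plan_remove_user() {
    user=$1
    listing=$(cat)
    uuid=$(printf '%s\n' "$listing" | awk -v u="$user" '$NF == u' \
           | uuids_matching '.' | head -n 1)
    if [ -z "$uuid" ]; then
        echo "user '$user' is not enabled for FileVault" >&2
        return 1
    fi
    total=$(printf '%s\n' "$listing" | unlock_entry_count)
    if [ "$total" -lt 2 ]; then
        echo "refusing: '$user' is the only unlock method" >&2
        return 1
    fi
    printf 'sudo fdesetup remove -uuid %s\n' "$uuid"
}

# Usage on the constructed sample (on a real Mac, feed it
# `sudo fdesetup list -extended` output instead):
printf '%s\n' "$SAMPLE_LISTING" | plan_remove_disk_passphrase
printf '%s\n' "$SAMPLE_LISTING" | plan_remove_user alice
```

Because the helper only prints the command, you can review the UUID it chose against the listing before pasting the line into a terminal; the "at least two entries" rule is deliberately conservative and will also refuse a removal when the only other entry is one you plan to remove next, which is the point at which you would want to add a recovery key first.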