I got a used MacBook Air 11 (2014) and the first thing I did was wipe the whole drive and re-add partitions.
I picked OS X Extended (Journaled, Encrypted), which should be the same as FileVault 2.
After reinstalling the OS (Mavericks) I've updated all the way to macOS Sierra 10.12.3 and added a second, non-admin user account.
Now the confusing part:

- When cold starting my MacBook it would go straight to the login screen without asking for the disk password (how would that happen if it's supposed to be full disk encrypted? I'm not talking about hibernation, I've properly shut down my MacBook).
- The login screen would show the non-admin account and a Disk Password option, both work as expected, but it wouldn't show my admin account:
  a) After entering the Disk Password the admin account would show up.
  b) If I decide to NOT enter the Disk Password, I can still log into the non-admin account. Moreover, if I then log out, my admin account would mysteriously appear and I can log into it without ever using my disk password.
I used the `diskutil cs list` command and it shows that my Logical Volume is properly wrapped in an AES-XTS encrypted Logical Volume Family.
Now the question here is, is this really working? According to some official (maybe outdated) Apple website it should ask for the disk password on boot up, before the login screen.
Output of `sudo gpt -r show disk0`:

          start       size  index  contents
              0          1         PMBR
              1          1         Pri GPT header
              2         32         Pri GPT table
             34          6
             40     409600      1  GPT part - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
         409640  235298960      2  GPT part - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      235708600    1269536      3  GPT part - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      236978136          7
      236978143         32         Sec GPT table
      236978175          1         Sec GPT header
Best Answer
It looks like this is a misunderstanding. In the later versions of macOS it is difficult to distinguish the pre-boot unlock screen (where one unlocks the partition and is automatically logged in after the boot process) from the login screen (where the system partition is already unlocked and the user has to log into the system).
Furthermore, FileVault 2 can grant multiple passwords the right to unlock the partition and grants this permission to individual accounts. You can manage what accounts can unlock the system disk in System Preferences > Security & Privacy > Enable Users... That means your account password also becomes the password to unlock the partition. In any case you can use the recovery password, which is provided when encrypting the disk, to unlock the partition. This answer provides a method to use an unlock key that differs from your account password.