macOS FileVault 2 full disk encryption does not seem to work

Tags: encryption, filevault, security

I got a used MacBook Air 11 (2014), and the first thing I did was wipe the whole drive and re-add the partitions.

I picked OS X Extended (Journaled, Encrypted), which should be the same as FileVault 2.

After reinstalling the OS (Mavericks) I updated all the way to macOS Sierra 10.12.3 and added a second, non-admin user account.

Now the confusing part:

  • When cold starting my MacBook, it goes straight to the login screen without asking for the disk password (how would that happen if it's supposed to be full disk encrypted? I'm not talking about hibernation; I properly shut down my MacBook).

  • The login screen shows the non-admin account and a Disk Password option, both of which work as expected, but it doesn't show my admin account.

  • a) After entering the Disk Password, the admin account shows up.

  • b) If I decide NOT to enter the Disk Password, I can still log into the non-admin account. Moreover, if I then log out, my admin account mysteriously appears and I can log into it without ever using my disk password.

I used the diskutil cs list command, and it shows that my Logical Volume is properly wrapped in an AES-XTS encrypted Logical Volume Family.

Now the question here is: is this really working? According to some official (maybe outdated) Apple website, it should ask for the disk password on boot-up, before the login screen.

Output of sudo gpt -r show disk0:

    start       size  index  contents
        0          1         PMBR
        1          1         Pri GPT header
        2         32         Pri GPT table
       34          6         
       40     409600      1  GPT part - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
   409640  235298960      2  GPT part - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
235708600    1269536      3  GPT part - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
236978136          7         
236978143         32         Sec GPT table
236978175          1         Sec GPT header

Login or unlock screen?

Best Answer

It looks like this is a misunderstanding. In the later versions of macOS it is difficult to distinguish the pre-boot unlock screen (where one unlocks the partition and is automatically logged in after the boot process) from the login screen (where the system partition is already unlocked and the user has to log into the system).

Furthermore, FileVault 2 can grant multiple passwords the right to unlock the partition and grants this permission to individual accounts. You can manage which accounts can unlock the system disk in System Preferences > Security & Privacy > Enable Users.... That means your account password also becomes the password to unlock the partition. In any case, you can use the recovery password, which is provided when encrypting the disk, to unlock the partition.

This answer provides a method to use an unlock key that differs from your account password.
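As an added check (not part of the original answer or of Apple's tooling), the script below summarises the `diskutil cs list` dump the question refers to and, when run on a Mac, also prints `fdesetup status` and the accounts `fdesetup list` reports as able to unlock the disk at boot. It assumes the Sierra-era field names shown in the constructed sample ("Encryption Type", "Conversion Status", "High Level Queries"); other releases may print them differently.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a "diskutil cs list" dump to
# confirm that the CoreStorage Logical Volume Family really is FileVault-encrypted.
# Field names assumed from Sierra-era diskutil output; other releases may differ.

# Read "diskutil cs list" output on stdin, print one summary line, and return 0 only
# if the family is AES-XTS, fully converted, "Fully Secure" and "Passphrase Required".
cs_summary() {
    awk '
        function val(s) { sub(/^.*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        /Encryption Type:/    { enc  = val($0) }
        /Encryption Status:/  { st   = val($0) }   # always "Unlocked" on a booted system
        /Conversion Status:/  { conv = val($0) }
        /High Level Queries:/ { inq = 1 }          # multi-line list starts here
        inq && /Fully Secure/        { secure = "yes" }
        inq && /Passphrase Required/ { pass = "yes" }
        inq && /^ *[+]/              { inq = 0 }   # next tree node ends the list
        END {
            if (secure == "") secure = "no"
            if (pass == "")   pass = "no"
            printf "type=%s conversion=%s status=%s fully_secure=%s passphrase_required=%s\n",
                   enc, conv, st, secure, pass
            if (enc == "AES-XTS" && conv == "Complete" && secure == "yes" && pass == "yes") exit 0
            exit 1
        }'
}

# Constructed, trimmed sample of the dump on an encrypted Mac that has already booted.
SAMPLE_CS_LIST='+-- Logical Volume Group 00000000-0000-0000-0000-000000000000
    Status:       Online
    |
    +-> Logical Volume Family 11111111-1111-1111-1111-111111111111
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |
        +-> Logical Volume 22222222-2222-2222-2222-222222222222
            Disk:                  disk1'

if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | cs_summary && echo "CoreStorage volume is FileVault-protected"
    fdesetup status          # prints "FileVault is On." or "FileVault is Off."
    sudo fdesetup list       # accounts (name,UUID) that can unlock the disk at boot
else
    printf '%s\n' "$SAMPLE_CS_LIST" | cs_summary    # offline demo on non-macOS hosts
fi
```

On a live system the "Encryption Status" line is always "Unlocked" because the volume had to be unlocked to boot, which is why the script keys on "Fully Secure" and "Passphrase Required" instead.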