MacOS – Filevault 2 and Changing the Password

filevaultmacospassword

If I have a system with FileVault 2 enabled on the system and on the Time Machine drive, what happens if I change my system password? Is the encryption based on my login (being able to log in) or is the encryption tied to the password (somehow hashed to the password value so if it changes, the new password can't decrypt the files?)

10.7.4 running FileVault 2, migrated from 10.6.x installation, if that makes any difference…

Best Answer

IIRC, FileVault2 generates its own encryption keys when you start using it. It uses those keys to encrypt the drive, not your password. This is unlike FileValut1 which uses your password itself.

The keys themselves, when stored on disk, are THEN encrypted using your password, and therefore can only be used to read the disk if you have the password. This is the reason multiple accounts can unlock the disk in FV2, and how the "master key" can exist (multiple encrypted copies of FV2's storage keys).

Yes, changing your password will mean that this new password is required to access the storage keys, and hence the drive. But this only triggers a re-encryption of the keys, which are very small, and not the entire drive.

Since FV1 and FV2 are 2 totally different encryption schemes, the fact that you migrated from 10.6 shouldn't matter. Not sure if Lion is backwards compatible with FV1 directories, but as long as you're actually using FileValut2, changing your password should work as described above.

Related Solutions

MacOS – What are the implications in speed and battery life while using Filevault 2

Other than making sure you have power available when you turn on or off the entire disk's worth of IO to encrypt/decrypt, performance and power deltas are barely measurable.

Less than 1-2% is what I'm seeing. Other than hammering large IO benchmarks, in practice it doesn't matter one bit whether FileVault 2 is on or off for the initial build of Lion.

As long as you understand the limitations of not being able to use file recovery tools, how people can circumvent your encryption by losing control of pass phrases or keys, it seems this lunch is free (or at least on Apple's tab).

Hide “disk password” login option at EFI (Filevault) login screen

I have the same problem when booting from an external drive, but not my internal drive!

When I boot normally, I only see a one FileVault option: me. However, when booting from my USB drive, I see two: me, and "Disk Password".

Investigating with fdesetep (sudo fdesetup list —extended) shows that the internal drive has:

ESCROW  UUID                                                                     TYPE USER
        BCF2ABC6-40F8-4F31-A508-7284BC85E65A                   Personal Recovery User
        2EE7445C-13C0-497D-AD54-DA1B8D22A0F7                                  OS User ben

However, the external drive has:

ESCROW  UUID                                                                     TYPE USER
        EB313C9F-E27C-41D5-9EE3-192490C792BE                     Disk Passphrase User
        92ACE5CE-7187-44DB-92CE-56344C18568D                                  OS User ben

Note that the external drive doesn't have a recovery key set (confirmed with fdesetup haspersonalrecoverykey returning false).

It looks like it should be possible to remove the Disk Passphrase using fdesetup, by doing fdesetup remove --uuid <the UUID of Disk Passphrase>. I would strongly recommend adding a recovery key, if you do this.

Best Answer

Related Solutions

MacOS – What are the implications in speed and battery life while using Filevault 2

Hide “disk password” login option at EFI (Filevault) login screen

Related Question