MacOS – FileVault 2 caches main password even after power off

Tags: encryption, filevault, macos, password, security

I had set up FileVault 2 encryption while using a long and strong user password, and later changed the user password to a shorter one. At first it seemed like everything was working as I expected: OS X asks for the long password at power on (because this password was used to encrypt everything), and later I can unlock my gear with the shorter password.

But today I noticed that I can use the short password even after the system was powered down. This seems very suspicious! Why did it happen, and how can I make sure that when powered off, the system is protected by the long password?

I'm using OS X Mavericks 10.9.4.

Best Answer

FileVault should use whatever is the current password for your account. When you change your user account's password, FileVault will be updated with the new password.

We can get what you want — a long FileVault password and a short user account password — by creating two user accounts.

When you first enable FileVault, only the user account that you use to start FileVault will be set up to unlock FileVault. You can use the FileVault System Preferences to add other accounts to unlock FileVault by selecting the user and entering their password.

After FileVault has been enabled, any new users created will automatically be allowed to unlock FileVault.

To achieve your goal of having a very strong FileVault password and an easier-to-use user password, we need to create a user with a strong password specifically to unlock FileVault, and remove all other users from FileVault.

Let's say you have enabled FileVault. Your current account is frank, and you have made frank's user password easy to type.

Now create a new user account betty with a strong password. betty will be automatically added to unlock FileVault, and the only purpose of this account will be unlocking FileVault; we will not need to actually use the account for anything else.

From the command line, we can list the users who are set up to unlock FileVault:

$ sudo fdesetup list
betty,########-####-####-####-############
frank,########-####-####-####-############

Here the #'s are the UUID.

The FileVault System Preferences allow you to add accounts to unlock, but you need to use the command line to remove users from this list. Let's remove frank:

$ sudo fdesetup remove -user frank

And verify that worked:

$ sudo fdesetup list
betty,########-####-####-####-############

Now only betty can unlock FileVault. (Well of course, there is also the Recovery Key.)

If you ever add another new user account, you will need to remember to remove them from FileVault.

Also, if you want to make sure that betty is used only for unlocking the disk (prevent login), you can disable its ability to log in by changing its login shell to /usr/bin/false as described in this answer.

Edit to add:

Check out Using fdesetup with Mountain Lion’s FileVault 2 which provides much detail about the fdesetup command.
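Because any account created after FileVault is enabled is added to the unlock list automatically, the set of unlock users drifts over time. The following POSIX shell helper is an added example, not part of the answer above: it parses the `username,UUID` lines that `sudo fdesetup list` prints and reports any account not in the list you intend (here only `betty`). The sample output is constructed.

```shell
#!/bin/sh
# check_fv_unlock_users ALLOWED_USERS [LIST_OUTPUT]
#   ALLOWED_USERS: space-separated account names that may unlock FileVault
#   LIST_OUTPUT:   text as printed by `sudo fdesetup list`; read from
#                  stdin when omitted, so it can be piped in directly
# Prints one line per unexpected account and returns 1 if any was found,
# 0 if the unlock list matches the intended set exactly.
check_fv_unlock_users() {
    allowed="$1"
    list="${2:-$(cat)}"
    status=0
    # fdesetup list prints one "username,UUID" line per enabled account;
    # macOS short names contain no spaces, so word splitting is safe here.
    for entry in $list; do
        user="${entry%%,*}"
        found=0
        for a in $allowed; do
            [ "$user" = "$a" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected FileVault unlock user: $user (remove with: sudo fdesetup remove -user $user)"
            status=1
        fi
    done
    return $status
}

# Constructed sample of `sudo fdesetup list` output (UUIDs are placeholders).
SAMPLE_FDESETUP_LIST="betty,00000000-0000-0000-0000-000000000001
frank,00000000-0000-0000-0000-000000000002"

# Real use on a Mac: sudo fdesetup list | check_fv_unlock_users betty
```

Run it periodically (for example from a launchd job) so an account added later does not silently regain the ability to unlock the disk with a weak password.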