encryptionfilevaultmacos
I thought I had enabled full volume encryption on my OS X 10.9.5 MBP. Then I created a new user and when rebooting, this new user is able to log in without knowing the password for the disk.
The start up screen is presented with the new user to the left and the normal "Unlock disk" (or something like that) icon to the right – if I want to log in with my normal admin account, I first have to unlock the disk and then my user becomes visible.
What gives?
This is a bug in Filevault2.
I'm German as well. :) What happens here is that the keyboard is reset to the US keyboard layout. As the keys are changed - especially non alphabetic keys - you're probably typing a different password.
You can enable to show the input method in System Preferences > User & Groups > Login Options. Then change it to German upon reboot.
Two days after I added this answer, Apple published a technical white paper: Best Practices for Deploying FileVault 2 – Deploying OS X Full Disk Encryption Technology (PDF). At a glance, some of what I describe below seems to be described by Apple as:
At step 4 above, use a method that preserves the Apple_Boot slice (sometimes named Boot OS X, sometimes named Recovery HD) whilst restoring the JHFS+ startup volume.
To validate this answer, I used Disk Utility for that step. (I'm less familiar with restoration capabilities of Time Machine.)
The resulting EfiLoginUI:
As Disk Password has an avatar/icon, it's clear that Apple considers scenarios such as this.
Users may change their login passwords. The phrase for Disk Password will remain unchanged.
You need not use the FileVault areas of System Preferences but if you do, most things work as expected.
The machine pictured above is perfectly clean, restored from a Mountain Lion template that I created following installation of the OS (at the Welcome screen I shut down, then used Disk Utility to image all partitions/slices of the disk). I proceeded to create a user, then enabled that user for FileVault:
The resulting EfiLoginUI – one named user alongside the Disk Password option:
System Preferences in Build 12A269 of OS X 10.8 may state that FileVault is enabled, with a recovery key set, when the key is no longer applicable. (Assume that an erased volume, with a possibly different passphrase, will not accept a recovery key that was set before erasure. A more definite opinion may be drawn from Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (2012).) I have reported bugs to Apple.
Photographs above are of the USB flash drive that I used to validate this answer.
Photographs below are of the internal drive that I use every day.
EfiLoginUI – two named users enabled for FileVault, the Disk Password option, and the Guest User:
loginwindow – all named users:
Best Answer
From Apple KB - Use FileVault to encrypt the startup disk on your Mac
Emphasis mine...