Using FileVault 2, when connecting a disk in target mode, the disk is locked and can only be unlocked by users authorised to do so. However, once it is unlocked, all contents are accessible to the user unlocking it. Is there a way to keep individual users' files encrypted, while making the 'general' part of the disk and the files belonging to the user unlocking the disk accessible?
MacOS – FileVault & multiple admin users’ privacy
encryption filevault macos
Best Answer
In general, you can't keep any files from an administrative user that knows how to modify file permissions.
FileVault is to keep untrusted users out of the entire disk - so you cannot allow an admin user/password into the hands of someone you don't trust.
You can make individual disk images and encrypt them with passwords that are not shared, and that will ensure that other admin accounts cannot look at the files. They could copy the store somewhere else and try to brute-force things, or they could install keyboard monitoring software in the hope of catching you typing the passphrase, but they can't get into each user's private store without another piece of information.
This was one benefit of the older FileVault implementation where each user had their own store / their own key and the risk of cross contamination of user files was lessened.
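
The per-user encrypted disk image approach from the answer, sketched with macOS's `hdiutil` as an added example that is not part of the original answer. The function names, the `DRY_RUN` switch, the `Private.sparsebundle` name and the image size are assumptions for illustration.

```shell
#!/bin/sh
# Added example: one encrypted sparse bundle per user, created with hdiutil.
# Function names, DRY_RUN, the image name and sizes are illustrative assumptions.

# Run a command, or only print it when DRY_RUN=1 (for review before running).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# private_image_path HOME_DIR -> path of the image inside that user's home
private_image_path() {
    printf '%s/Private.sparsebundle\n' "$1"
}

# create_private_image HOME_DIR SIZE
# -stdinpass takes the passphrase from stdin (or a terminal prompt), so it
# never appears in argv, shell history or `ps` output.
create_private_image() {
    home_dir=$1
    size=$2
    img=$(private_image_path "$home_dir")
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 1
    fi
    run hdiutil create -size "$size" -type SPARSEBUNDLE -fs APFS \
        -encryption AES-256 -stdinpass -volname Private "$img" || return 1
    # File permissions do not stop an admin; the passphrase is the real barrier.
    run chmod -R go-rwx "$img"
}

# open_private_image HOME_DIR: mount the image, hidden from Finder
open_private_image() {
    run hdiutil attach -stdinpass -nobrowse "$(private_image_path "$1")"
}

# close_private_image MOUNT_POINT: detach so the contents are locked again
close_private_image() {
    run hdiutil detach "$1"
}
```

Each user would run `create_private_image "$HOME" 2g` under their own account and keep the passphrase to themselves. Detach the volume when finished, because a mounted image is readable by any admin on the machine.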