macOS – FileVault – One account can unlock but prevent full login, forcing logout and login again with another user

encryption, filevault, macos

When I installed macOS, I was able to do it on a newly formatted, APFS-encrypted disk.

That worked fine.

Then the installation went forward, and on reboot I was asked for a DISK PASSWORD.

The installation rebooted a couple of times, and the disk password was prompted for each time.

Until you add a user. Then that user's password will, it seems, basically automatically be able to read the decryption key, which is really NOT ACCEPTABLE in a non-infiltrated Apple.

The original key should be the only key capable of decrypting the disk, and that key should not be stored anywhere on the system.

Nonetheless, I proceeded to create a secondary user, which will be able to decrypt as well, and I revoked the first user's ability to unlock FileVault, because I wish to minimize the exposure of the original password, which I type 5000 times a day.

The disk decryption password should really only be entered once: when the system starts.

How do I prevent a full login from the FileVault-enabled user? Is there a way to have the account password be entered once and then never fully logged in?

Side questions:

  1. How did the disk password (in diskutil) become accessible from any user added to the system? For the system to be able to do that, the original decryption key, which is in my memory only, has to be encrypted with a user password, and then when the user provides a password it is decrypted and used to open the disk. Meaning the password is on disk in one way or another once the disk is unlocked.

  2. When I add a new user, that original password, which might be in memory or on disk, is encrypted again with the user password and then decrypted to reveal the real password which is used to unlock the disk.

  3. Would it not be better if Apple just allowed DISK access? Why introduce this vulnerability, which allows you to access the main disk just by introducing a new user to the system? When creating a new user, Apple is accessing the clear-text disk password and encrypting it again. That's a problem, since it must be that Apple is able to read the decryption key while the system is running, and it really allows anyone who gains access to any user on the system capable of adding users to grant disk access.

  4. Is Apple here actually storing the original disk password in clear text in memory/disk, or in some encrypted form with the decryption key readily available when a new user is to be added?

Anyway. The main question is how to prevent full login.

Best Answer

I can answer this question myself, by accident; somehow I was even able to retrace what I did.

To prevent a login, do this:

  1. Add a new user, preferably a non-admin user, and enter for that user the password which you wish to use as the FileVault password.

  2. Revoke all other users' right to use FileVault using: sudo fdesetup remove -user "username" from the terminal. Note: do keep the user you just created. In fact, you cannot remove that user. One user must be on the FileVault user list.

  3. Go into the user settings again and reset the password for the user just created. That will, through I guess a bug (in my case, a feature), only change the password and not the FileVault user.

Now restart the computer. When you are prompted for the FileVault password, it is the old and not the reset password. This will unlock the disk, but since the password is wrong for login, the system won't be able to log in the user. Press Esc and log in with your user.

You are welcome.
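The terminal part of the answer (step 2) as a script, added here as an example and not part of the original answer. It assumes, as I do from the fdesetup man page, that fdesetup list prints one "username,GeneratedUID" line per FileVault-enabled user; the keeper's name, the FDESETUP and DRY_RUN variables, and the fake listing used to exercise it are my own choices. It refuses to run if the account you want to keep is not already on the FileVault list, since fdesetup will not let you empty the list and you would otherwise strip every other user for nothing. Step 3 (resetting the password in System Preferences) is still done by hand, as in the answer; the script only reminds you.

```shell
#!/bin/sh
# Added example, not from the original post: revoke FileVault unlock from
# every user except one, the way step 2 of the answer does by hand.
# Assumed (mine): `fdesetup list` prints "username,GeneratedUID" per line.
set -eu

# Command used to talk to FileVault. Overridable so the logic can be tried
# without root or without a Mac (point it at a shell function or a script).
FDESETUP="${FDESETUP:-fdesetup}"

# Pure helper: read `fdesetup list` output on stdin, print every username
# except the one to keep. Field 1 (before the comma) is the short name.
fv_users_to_revoke() {
    keep="$1"
    awk -F, -v keep="$keep" '$1 != "" && $1 != keep { print $1 }'
}

# Pure helper: exit 0 if the user appears in the listing on stdin, else 1.
fv_user_enabled() {
    user="$1"
    awk -F, -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Step 2 of the answer: keep $1, revoke everyone else. Prints each command;
# runs it unless DRY_RUN=1. The real fdesetup needs root (sudo).
fv_revoke_all_but() {
    keep="$1"
    listing="$($FDESETUP list)"
    if ! printf '%s\n' "$listing" | fv_user_enabled "$keep"; then
        echo "refusing: '$keep' is not a FileVault-enabled user" >&2
        return 1
    fi
    printf '%s\n' "$listing" | fv_users_to_revoke "$keep" | while IFS= read -r u; do
        echo "+ $FDESETUP remove -user \"$u\""
        [ "${DRY_RUN:-0}" = 1 ] || $FDESETUP remove -user "$u"
    done
}

# Only act when invoked with the keeper's name, e.g.:  sudo sh fv-keep.sh bob
if [ "$#" -ge 1 ]; then
    fv_revoke_all_but "$1"
    echo "Now reset '$1's login password in Users & Groups (step 3 of the"
    echo "answer), then reboot: the FileVault prompt still takes the OLD password."
fi
```

Run it once with DRY_RUN=1 to see which accounts would be touched before letting it call fdesetup for real; afterwards, fdesetup list should show only the account you kept.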