I have FileVault enabled with two users:
- AdminGuy
- OtherGuy.
I want AdminGuy to:
- have the ability to unlock the HD, and therefore only he can enter a u/n + p/w at boot to start boot up
- have the ability to log in
- not be logged in automatically.
In other words: can AdminGuy just unlock the drive, but then have a login screen popup so OtherGuy could choose to login instead?
10.8.
Per @DeepanshuUtkarsh's link, this is the behavior I want to change:
The user account that unlocked the drive will be logged into their own account after start up completes, without needing to log in again. If you want to make the Mac available to a user that does not have unlock capabilities, log in, then when you see your own desktop, choose "Log Out (user name)" from the Apple () menu. Also, you can unlock the disk, then choose the other user's name from the Fast User Switch (appears as the currently-logged in user's name) menubar item in the upper-right part of the screen.
Best Answer
Encrypt the startup volume with Core Storage without FileVault
Two days after I added this answer, Apple published a technical white paper: Best Practices for Deploying FileVault 2 – Deploying OS X Full Disk Encryption Technology (PDF). At a glance, some of what I describe below seems to be described by Apple as:
Preparation
Hint
At step 4 above, use a method that preserves the Apple_Boot slice (sometimes named Boot OS X, sometimes named Recovery HD) whilst restoring the JHFS+ startup volume.
To validate this answer, I used Disk Utility for that step. (I'm less familiar with restoration capabilities of Time Machine.)
The resulting EfiLoginUI:
As Disk Password has an avatar/icon, it's clear that Apple considers scenarios such as this.
Normal use thereafter
Users may change their login passwords. The phrase for Disk Password will remain unchanged.
You need not use the FileVault areas of System Preferences but if you do, most things work as expected.
The machine pictured above is perfectly clean, restored from a Mountain Lion template that I created following installation of the OS (at the Welcome screen I shut down, then used Disk Utility to image all partitions/slices of the disk). I proceeded to create a user, then enabled that user for FileVault:
The resulting EfiLoginUI – one named user alongside the Disk Password option:
Appearance bug
System Preferences in Build 12A269 of OS X 10.8 may state that FileVault is enabled, with a recovery key set, when the key is no longer applicable. (Assume that an erased volume, with a possibly different passphrase, will not accept a recovery key that was set before erasure. A more definite opinion may be drawn from Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (2012).) I have reported bugs to Apple.
Photographs above are of the USB flash drive that I used to validate this answer.
Photographs below are of the internal drive that I use every day.
EfiLoginUI – two named users enabled for FileVault, the Disk Password option, and the Guest User:
loginwindow – all named users:
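The answer above sets up the startup volume with Core Storage encryption and notes that the FileVault pane in System Preferences can misreport the state of the volume. As an added example (not part of the original question or answer), here is a small POSIX shell check that reads `diskutil cs list` output and confirms that the Core Storage logical volume family is AES-XTS encrypted, that conversion has finished, and that a passphrase is required to unlock it. The field names are the ones `diskutil cs list` prints on OS X 10.8; the sample output embedded below is constructed (the UUIDs and volume names are placeholders), and the function names `cs_field` and `cs_check` are choices made for this example.

```shell
#!/bin/sh
# Added example: verify Core Storage encryption state from `diskutil cs list`
# output rather than from the FileVault pane in System Preferences.
# Field names are those printed by `diskutil cs list` on OS X 10.8.

# Constructed, abbreviated sample of `diskutil cs list` output. The UUIDs and
# names are placeholders, not values from a real machine.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 22222222-3333-4444-5555-666666666666
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 66666666-7777-8888-9999-000000000000
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
            ---------------------------------------------------
            Disk:                  disk1
            Status:                Online
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD'

# cs_field TEXT FIELD: print the value of the first "FIELD:   value" line.
# Leading spaces and the tree-drawing "|" characters are skipped.
cs_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]|]*$2:[[:space:]]*//p" | head -n 1
}

# cs_check TEXT: print a one-line verdict and return 0 only when the logical
# volume family is AES-XTS encrypted, fully converted and passphrase-gated.
cs_check() {
    type=$(cs_field "$1" "Encryption Type")
    conv=$(cs_field "$1" "Conversion Status")
    pass=$(cs_field "$1" "Passphrase Required")
    secure=$(cs_field "$1" "Fully Secure")
    if [ "$type" != "AES-XTS" ]; then
        echo "NOT ENCRYPTED (type: ${type:-none})"
        return 1
    fi
    if [ "$conv" != "Complete" ]; then
        # Encryption is still being applied; the volume is not yet fully protected.
        echo "CONVERSION IN PROGRESS ($conv)"
        return 1
    fi
    if [ "$pass" != "Yes" ] || [ "$secure" != "Yes" ]; then
        echo "NO PASSPHRASE GATE (Passphrase Required: $pass, Fully Secure: $secure)"
        return 1
    fi
    echo "OK: encrypted, converted, passphrase required"
    return 0
}

# Live use on a Mac:  cs_check "$(diskutil cs list)"
# Offline demonstration on the constructed sample:
cs_check "$SAMPLE_CS_LIST"
```

On a real machine, run `cs_check "$(diskutil cs list)"`; a non-zero exit means the volume is not yet in the fully encrypted, passphrase-gated state the answer describes, regardless of what the FileVault pane shows.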