I've opted for disk encryption during install of El Capitan (v10.11.6) on my Macbook Air.
Logged in from my admin account (not root), I added a new user to manage a second iTunes account (which I thoughtlessly created and tremendously complicated my iPhone-Macbook activities).
Amazingly, this user has been added to the first login screen after restart (see image). Logging in from this screen, I can bypass the disk encryption password, view the System and User directories, and run apps installed at the root level.
How can adding a new user bypass full Disk Encryption?
Best Answer
Normally, when you set up full-disk encryption on the startup volume, you use FileVault, which integrates the disk encryption with the user accounts, so any (enabled) user can start the OS and unlock the disk. It appears that what you've done is encrypt the startup volume some other way, giving it a disk password rather than integrating with the user accounts. But when you create a new user account, it goes ahead and sets that account up FileVault-style, giving it the ability to unlock the disk at startup.
Not what you wanted? You can remove that user from the unlock list with the fdesetup command:
where userToDisable is the new user's account name (aka short name). Note that sudo will prompt for your admin password, and it won't echo as you type.
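To check which accounts can unlock the disk at startup before removing any, the following added example (not part of the original answer) filters the output of `fdesetup list` against an allow-list and prints the `fdesetup remove -user` command for each unexpected account instead of running it. Assumptions: `fdesetup list` prints one `shortname,UUID` line per enabled user; the function names, the `--live` switch, and the sample accounts `admin` and `itunes2` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the FileVault unlock list against an allow-list.

# unexpected_unlockers ALLOWED_USER...
# Reads `fdesetup list` output ("shortname,UUID" per line) on stdin and
# prints every short name that is not in the allow-list given as arguments.
unexpected_unlockers() {
    allowed=" $* "                      # space-padded so names match whole
    while IFS=, read -r name uuid; do
        [ -n "$name" ] || continue      # skip blank lines
        case "$allowed" in
            *" $name "*) ;;             # expected account, keep quiet
            *) printf '%s\n' "$name" ;; # can unlock the disk but not expected
        esac
    done
}

# Constructed sample of `fdesetup list` output (not captured from a real Mac).
sample_list() {
    cat <<'EOF'
admin,11111111-2222-3333-4444-555555555555
itunes2,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
EOF
}

# On a real Mac, run with --live to query the actual unlock list.
# The removal command is only printed, so it can be reviewed first.
if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
    sudo fdesetup list | unexpected_unlockers admin | while read -r u; do
        echo "sudo fdesetup remove -user $u"
    done
fi
```

Replace `admin` in the `--live` branch with the short names that should keep the ability to unlock the disk.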