MacOS – Protect each user account in Lion

macos, root, security

I have enabled FileVault in Lion on a shared computer with several user accounts. Is it possible to encrypt each user's home directory such that other users cannot access their data? As it stands, I can go on the terminal and (using sudo) access all the files in all accounts. I'd like to be able to prevent this.

Best Answer

It's easier to just have each user store their private information in encrypted disk images, since the old FileVault (1) method of encrypting the entire home folder isn't something you can set up on Lion with easy tools.

Lion does still support it, so you could migrate in a shell system that had the necessary accounts set up to use FileVault, then encrypt the drive and finally move in the files from a backup external drive, and presumably have both the legacy FileVault storage scheme as well as the new scheme where the entire disk is unavailable until the drive password is entered.

Keep in mind - root (and any admin user that knows sudo) has total control of the system and can delete or remove any protection that was set by root. Using encryption with a distinct password is the only method to prevent root from actually making sense of the files it can easily access.
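
The encrypted-disk-image approach from the answer above, as an added example that is not part of the original answer: a small shell wrapper around macOS's `hdiutil` that creates, opens and closes a per-user AES-256 sparse bundle. The image path, volume name, size and function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: per-user encrypted disk image on macOS via hdiutil.
# IMAGE, VOLNAME and SIZE are assumed defaults; override them in the environment.
IMAGE="${IMAGE:-$HOME/Private.sparsebundle}"
VOLNAME="${VOLNAME:-Private}"
SIZE="${SIZE:-2g}"

create_private_image() {
    # Never overwrite an existing image: that would destroy the user's data.
    if [ -e "$IMAGE" ]; then
        echo "refusing to overwrite $IMAGE" >&2
        return 1
    fi
    # hdiutil prompts for the passphrase itself, so it never appears on the
    # command line or in shell history. Use a passphrase that is distinct
    # from the login password and not stored in the keychain.
    hdiutil create -size "$SIZE" -type SPARSEBUNDLE -fs HFS+J \
        -volname "$VOLNAME" -encryption AES-256 "$IMAGE" || return 1
    # Keep other non-admin users from copying or tampering with the bundle.
    # Root can still read the ciphertext, but not decrypt it.
    chmod -R go-rwx "$IMAGE"
}

open_private_image() {
    # Prompts for the passphrase, then mounts (normally at /Volumes/$VOLNAME).
    hdiutil attach "$IMAGE"
}

close_private_image() {
    # Unmount so the plaintext view of the files disappears again.
    hdiutil detach "/Volumes/$VOLNAME"
}

# Run as: script.sh create | open | close
case "${1:-}" in
    create) create_private_image ;;
    open)   open_private_image ;;
    close)  close_private_image ;;
esac
```

While the image is attached, its files are readable by root like any other mounted volume, so keep it detached whenever it is not in use.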