I performed a fresh install of macOS Sierra onto a 2012 MBP13 non-Retina SSD. The install was from a USB flash drive installer, and I set up the system drive partitions manually with a case-sensitive encrypted system volume, a FAT partition that I later installed Windows on, and a case-insensitive unencrypted volume for Steam data (Steam doesn't work for some reason, but that's another question!)
Partition map while macOS is running:
aluminum:Downloads dhm$ diskutil list
/dev/disk0 (internal, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_CoreStorage Aluminum 319.8 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
4: Microsoft Basic Data BOOTCAMP 146.3 GB disk0s4
5: Apple_HFS Steam 32.9 GB disk0s5
/dev/disk1 (internal, virtual):
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS Aluminum +319.5 GB disk1
Logical Volume on disk0s2
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Unlocked Encrypted
During macOS installation, I created a user account. Then afterward, I created two more. Now, when I reboot, I can choose macOS or Windows (no recovery option). When I boot macOS, I get a chooser that offers "Enter Disk Password," "User 2" and "User 3" (no choice to log into the account I made during installation.)
If I enter the disk password, then I get "User 1," "User 2" and "User 3," and everything works as expected. If I don't enter the disk password and just log in as "User 2" or "User 3," I get a desktop but things don't work right (lots of "Please fix the library" messages.)
My questions:
- Why can I log in as "User 2" or "User 3" even without entering the disk password? (I would expect all the system-partition information to be encrypted, but it looks like there's at least some unencrypted information lying around.)
- What's the difference between this setup and the alternative "Do a normal, unencrypted install, then turn on FileVault?"
- Where can I read more about the various methods macOS uses to support multiple partitions, encrypted partitions, logical volumes & so forth?
Best Answer
Not sure what the "please fix the library" message means, but all of your data is encrypted on the boot partition. You can use a disk password, recovery key or allowed user passwords to unlock a FileVault disk.
When you do it the "normal way", as you mentioned above, you won't end up with a disk password. No big deal.
It sounds like User 1 isn't allowed to unlock the disk in this case. You can use the fdesetup command for things like this. For example, to see which users are allowed to unlock the disk:
While logged in as any user you can look in System Preferences > Security & Privacy > FileVault and if some users aren't allowed to unlock the disk there will be a warning with a button to enable users.
You can also use fdesetup to add users to the list, assuming you know their password:
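One way to turn the answer's `fdesetup` check into a repeatable script, as an added example that is not from the original answer: it assumes `dscl . -list /Users UniqueID` prints `name uid` pairs and `fdesetup list` prints `username,GeneratedUID` lines, and embeds constructed sample output so the comparison can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not from the original answer. Compares local accounts
# (dscl output, "name uid") with FileVault-enabled users (fdesetup list
# output, "name,GeneratedUID") and reports accounts that cannot unlock
# the disk at the pre-boot screen. SAMPLE_* data below is constructed.

# Constructed dscl sample: one service account plus three local users.
SAMPLE_DSCL='_mbsetupuser 248
user1 501
user2 502
user3 503'
# Constructed fdesetup list sample: only user2 and user3 are enabled.
SAMPLE_FDE='user2,00000000-0000-0000-0000-000000000002
user3,00000000-0000-0000-0000-000000000003'

# Keep real local accounts only (UID >= 500 drops system/service users).
local_users() {
    awk '$2 >= 500 { print $1 }'
}

# First comma-separated field of each fdesetup line is the username.
fv_enabled_users() {
    cut -d, -f1
}

# $1: dscl-style text, $2: fdesetup-style text.
# Prints local users that are not FileVault-enabled, one per line.
users_not_enabled() {
    enabled=$(printf '%s\n' "$2" | fv_enabled_users)
    printf '%s\n' "$1" | local_users | while IFS= read -r u; do
        printf '%s\n' "$enabled" | grep -qx -- "$u" || printf '%s\n' "$u"
    done
}

# On a Mac use live data (fdesetup list needs root); elsewhere use the samples.
if command -v fdesetup >/dev/null 2>&1; then
    DSCL_OUT=$(dscl . -list /Users UniqueID)
    FDE_OUT=$(sudo fdesetup list)
else
    DSCL_OUT=$SAMPLE_DSCL
    FDE_OUT=$SAMPLE_FDE
fi

missing=$(users_not_enabled "$DSCL_OUT" "$FDE_OUT")
if [ -n "$missing" ]; then
    echo "Local accounts not enabled to unlock FileVault:"
    printf '%s\n' "$missing" | while IFS= read -r u; do
        echo "  $u   (enable with: sudo fdesetup add -usertoadd $u)"
    done
else
    echo "All local accounts can unlock the FileVault volume."
fi
```

With the constructed samples the script reports only `user1`, matching the situation in the question where the first account never appears on the pre-boot chooser.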