Which encryption model (single-key, per-file-key) does APFS use after 10.13 upgrade

Your making a test user account with a short name different than the eventual user to be migrated is sound.

In practice, you will in time over write more and more of the data, but if you have the time to first establish a file vault key and have the drive completely encrypted before copying any sensitive data, you have a more secure system and can know that the data can be sanitized cryptographically as opposed to being over-written or actually erased.

You'll want to look for these lines in the diskutil cs list output to know it's ready for the start of data migration:

|       Conversion Status:       Complete
|       High Level Queries:      Fully Secure
|       |                        Passphrase Required

I strongly advise to use full FileVault 2 encryption instead of using the FileVault 1 wannabe below!

You can mimic the FileVault 1 behavior either with an encrypted sparse bundle image or a second volume encrypted with FileVault 2. Two users are needed though and it's no elegant solution.

A proper backup of your OS X system volume before conducting one of the two how-tos below is strongly advised!

Example how-to with a sparse bundle image:

usera: admin user - usere: user with user folder which should be encrypted

• as usere create an encrypted sparse bundle image - large enough to hold all current and future usere content

• mount the image and create a folder with the name usere and modify it with chmod 744 ...

• log out as usere and log in as usera
• disable "Ignore Ownership on this volume" of the mounted sparse bundle image

• Open Terminal and enter

  su usere
  

• Now - as user usere - copy the content of the home folder of usere to /Volumes/name_of_sparsebundle_volume/usere:

  rsync -aAvX /Users/usere/ /Volumes/name_of_sparsebundle_volume/usere
  

• rename the old home folder of usere:

  mv /Users/usere /Users/userebackup
  

• exit usere - now you are usera again

• link /Volumes/name_of_sparsebundle_volume/usere to /Users:

  sudo ln -s /Volumes/name_of_sparsebundle_volume/usere /Users/usere
  

  You may have to modify the permissions of the soft link with sudo chown usere:staff /Users/usere and sudo chmod 744 /Users/usere.

• Now log out as usera and log in as usere
• Check if everything works

• If everything is fine, remove the folder /Users/userebackup:

  rm -Rd /Users/userebackup
  

Example how-to with FileVault 2:

The method is the same except that you have to encrypt an empty volume (right-click volume -> encrypt volume) instead of creating a sparse bundle image.

You can't log-in to usere directly because neither the encrypted sparse bundle image nor the FileVault 2 volume are mounted while the system boots. You either have to log-in as usera, mount the image/volume, log-out as usera & log-in as usere or you may log-in in console mode, mount and unlock the image/volume and log-in as usere. The latter is untested because I didn't get it to work in my VM.

According to Internet sources encrypted sparse bundle images are prone to (encryption) header corruption. Such a header corruption may render the image un-unlockable!