Prevent certain accounts from unlocking FileVault 2

TJ Luoma , @tjluoma

FileVault 2 is a huge improvement over the original FileVault implementation, offering whole-disk encryption with no noticeable performance penalty. The only downside is that, by default, every account on the computer (even "standard," non-administrator accounts) is allowed to unlock the drive. The good news is that you can control which accounts are allowed to unlock the drive by removing the password from any account that should not be able to unlock FileVault (don't worry, it's only temporary).

Temporary insecurity leads to increased security

My MacBook Air has 4 user accounts on it: for me, my wife, my son, and my mother-in-law (long story). My wife and I both use secure passwords, but my mother-in-law and son do not. If a chain is only as strong as the weakest link, I had 4 links, and 2 of them were pretty weak.

I could not find any way to control which accounts can decrypt FileVault, but I did learn that any account which does not have a password is automatically disqualified from decrypting FileVault. Even if you add a password back to that account, FileVault will be disabled for that account unless you specifically re-enable it.

I'll walk you through the steps. (Note: I recommend reading through all of the instructions before starting any of this.)

Step 1: Log in to the account that will not be able to unlock FileVault.

Step 2: Open /Applications/Utilities/

Yes, I know. You hate Terminal. But you have to use it because you can't remove your password via the GUI.

But you can delete it in Terminal. Just type passwd at the prompt. You will be asked for your "Old Password" (that is, your current password), and then you will be asked for a new password, twice. Enter your current password, then press the Enter/Return key with nothing typed when asked for "New Password" and again for "Retype New Password."

Once you do that, you will have an account with no password. Now we are ready to go to FileVault.

Open FileVault

Go to System Preferences » Security & Privacy » FileVault and you will see a new warning "Some users are not able to unlock the disk."

Click "Enable Users..." and then, next to the account you just changed, "Set Password..."

In the dialog that follows, do not click "Enable User..." or this whole trip will have been for nothing. Just leave the window.

Once you leave this window, if you click on the "Enable Users..." button while logged into an account which is not set up to unlock FileVault (but which does have a password set), it may be automatically enabled. Moral? Don't open that window unless you want to enable the account, or be ready to repeat this process.

You may want to set "Require an administrator password to access system preferences with lock icons" in the "General" tab under System Preferences » Security & Privacy.
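Once you have finished, it is worth confirming that the account really is no longer able to unlock the disk rather than trusting the preference pane alone. The script below is an added example, not part of the original article or the author's own setup. It assumes the `fdesetup` command (shipped with OS X 10.8 and later) whose `fdesetup list` output is one `username,UUID` line per enabled account; the account names and UUIDs in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit which accounts can
# unlock FileVault 2. Assumes `fdesetup` (OS X 10.8 and later); `fdesetup list`
# prints one "username,UUID" line per account able to unlock the disk.

# fv_unexpected_users ALLOWED_USERS < listing
#   Reads `fdesetup list` output on stdin. ALLOWED_USERS is a space-separated
#   list of the accounts that are supposed to be able to unlock the disk.
#   Prints every enabled account that is NOT in that list, one per line, and
#   returns 1 if any were found, 0 otherwise.
fv_unexpected_users() {
    allowed=" $1 "
    found=0
    while IFS=, read -r user uuid; do
        [ -z "$user" ] && continue
        case "$allowed" in
            *" $user "*) ;;                       # expected unlocker, fine
            *) printf '%s\n' "$user"; found=1 ;;  # should not hold the key
        esac
    done
    return "$found"
}

# Constructed sample listing: what `fdesetup list` would print on a machine
# where all four accounts can still unlock the disk (names/UUIDs made up).
SAMPLE_LISTING='tj,11111111-2222-3333-4444-555555555555
wife,66666666-7777-8888-9999-000000000000
son,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
mil,FFFFFFFF-0000-1111-2222-333333333333'

# Audit the sample: only "tj" and "wife" are meant to unlock FileVault.
printf '%s\n' "$SAMPLE_LISTING" | fv_unexpected_users "tj wife" \
    || echo "...the accounts above can unlock FileVault but should not"

# On a real Mac, audit the live list instead (needs an administrator account).
if command -v fdesetup >/dev/null 2>&1; then
    sudo fdesetup list | fv_unexpected_users "tj wife"
fi
```

If the audit still names an account after you have followed the steps above, the password-removal trick did not take and you need to repeat it. On OS X 10.8 and later the same tool can also remove an account's key directly with `sudo fdesetup remove -user NAME`, which avoids the temporary passwordless state entirely, but the preference-pane method above is the one that works on 10.7.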

"So how do I use that account?"

You may wonder how you can use that account. After all, when the computer reboots, there will be no option to choose that account, and any account you do choose will be automatically logged into after the computer starts up.

Start by choosing one of the available accounts to decrypt/unlock FileVault. This will begin the booting process. From there, you have a choice: either let the automatic login process complete and then log out (which will let you log in to the other account), or hold down the Shift key when you see the grey Apple logo which will prevent auto-login and leave you at the main login window.

FileVault 2 locks or unlocks the entire drive, so be careful who gets the 'keys'

I consider FileVault 2 an essential feature for any portable Mac. I also recommend separate accounts for every member of your household old enough to press keys on the keyboard (or, at the very least, a separate account for your important data and one for other family members). But if you don't want to risk the possibility that someone in your household thinks that one two three four five is a great password, consider only letting some accounts decrypt FileVault.

Finally, remember that whichever account you use after FileVault has been unlocked, the drive is locked again (and can only be unlocked by one of the enabled accounts) as soon as you reboot or shut down.

