Remove a User's Ability to Unlock FileVault 2 with their User Password

Sunday, January 11, 2015

I have used FileVault 2 since OS X Lion without issue and it has worked as expected. With FileVault 2 enabled, before I can log in with my user password, I have to first unlock the hard drive using the disk encryption password I previously set.

However, I have noticed that if you add a new user, regardless of whether it is another Administrator or Standard account, that new user will be allowed to unlock the hard drive with their user password or the disk encryption password. I don’t like that this is the default behavior, but I can understand why it is. The computer administrator probably does not want to give new users the disk encryption password, so by default, new users simply need to know their own user password to unlock the hard drive. This is a feature that is purely for convenience instead of security. The disk encryption password is likely much more secure than the new user’s password.

If you open System Preferences, click Security & Privacy, and go to the FileVault tab, there is a hidden button called Enable Users that will only appear if there are users who do not have the ability to unlock the hard drive with their user password. If this button is present, the computer administrator has the ability to enable those users to unlock the hard drive with their user password (those users must enter their user password to enable this feature). However, oddly enough, what you cannot do is revoke that ability from the GUI. Luckily, Apple provides the fdesetup command to do just this.

If you want to remove a user’s ability to unlock the hard drive with their user password and require them to first use the disk encryption password, open Terminal and run the following command:

sudo fdesetup remove -user $USER

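If you have a bunch of users you want to remove this ability from, you will have to run the above command once for every one of those users, substituting each account's short name for $USER (which the shell expands to the name of the user running the command).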
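One way to handle the many-users case in a single pass is sketched below. It is an added example, not code from the original post: it assumes `fdesetup list` prints one "shortname,UUID" line per FileVault-enabled user, and the script name revoke.sh, the function names, and the sample accounts are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes `fdesetup list` prints
# one "shortname,UUID" line per FileVault-enabled user.

# Constructed sample of `fdesetup list` output; names and UUIDs are made up.
sample_fdesetup_list() {
    printf '%s\n' \
        'admin,11111111-2222-3333-4444-555555555555' \
        'alice,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE' \
        'bob,01234567-89AB-CDEF-0123-456789ABCDEF'
}

# Read `fdesetup list` output on stdin; print every short name that is NOT in
# the keep list given as arguments.
users_to_remove() {
    while IFS=, read -r name _uuid || [ -n "$name" ]; do
        [ -n "$name" ] || continue            # skip blank lines
        keep=no
        for k in "$@"; do
            if [ "$name" = "$k" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then printf '%s\n' "$name"; fi
    done
    return 0
}

# Revoke unlock rights from everyone except the named accounts.
# Dry run unless APPLY=1; an empty keep list is refused so the script cannot
# strip every account in one go.
revoke_unlock() {
    [ "$#" -gt 0 ] || { echo "usage: revoke_unlock KEEP_USER..." >&2; return 2; }
    fdesetup list | users_to_remove "$@" | while read -r u; do
        if [ "${APPLY:-0}" = 1 ]; then
            fdesetup remove -user "$u" </dev/null   # keep it off the loop's stdin
        else
            echo "would run: fdesetup remove -user $u"
        fi
    done
}

# Run as root: sh revoke.sh --keep admin   (prefix APPLY=1 to make changes)
if [ "${1:-}" = "--keep" ]; then
    shift
    revoke_unlock "$@"
fi
```

Review the dry-run output before setting APPLY=1, and confirm that you know the disk encryption password or that a kept account can still unlock the disk.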

For much more detail on using the fdesetup command, check out Der Flounder’s post on Managing Mavericks’ FileVault 2 with fdesetup.
