2

This question really stems from the fact that I'm perhaps unfamiliar with the true function of FileVault. As far as I can tell, there's a way to force a pre-boot login screen... which means that, by default, FileVault logs in automatically at boot? Otherwise, the OS wouldn't be able to start.

So if FileVault automatically logs in to start the OS, does the encryption serve any function at all? I created a standard User to test this and was able to view all my files without entering any Administrator password – the only files I couldn't see were due to not having permission to view files from other users (which is standard protocol regardless of encryption, if I'm not mistaken).

Can anyone explain the function of FileVault to me? I'm starting to wonder if I'm using it to serve a purpose it wasn't intended to serve.

(For reference, I'm running macOS High Sierra)

Sllew
  • 43

1 Answer

1

FileVault2 is full-disk encryption. At pre-boot you can enter the recovery partition or boot from another disk, but not your FV disk without the decryption key (derived from your password). A firmware password takes care of being able to get into recovery or other boot disks, by the way.

The usefulness of FV is, if someone gets ahold of your data, it's useless without that decryption key, in this case coming from your password. Now once the disk itself is unlocked, there are accounts on that disk and each one may have stronger or weaker security, but it's a different layer now. Kind of like breaking into a bank with multiple doors; the firmware is one door, the file vault is another door, then you reach the user's doors.

Hope that helps.

Harv
  • 6,520
  • That's helpful, but one of my questions isn't answered. You say that I can't boot to FV disk without the decryption key, but the operating system has started and got all the way to the login screen before I enter the password. The operating system is part of the encrypted disk, right? How does it get decrypted before the password is entered? – Sllew Dec 07 '17 at 20:52
  • Yeah, then something's wrong, because you should get two login screens. Check if FileVault is enabled, has encrypted your disk, and you have a password set. You can see all that from the security control panel. – Harv Dec 07 '17 at 20:57
  • 1
    Oh, your question also mentioned "EFI auto-login". What is that? Do you mean account auto-login? – Harv Dec 07 '17 at 20:59
  • All the websites I was reading were old and showed a grey pre-boot login, then a colorful OS login screen. With a little more searching I found this, the answer to which says "In the later versions of macOS it is difficult to distinguish the pre-boot unlock screen ... from the login screen." I think that I was mistaken all along, that I was seeing the preboot login but thought the OS had started. – Sllew Dec 07 '17 at 21:17
  • 1
    Yeah, they look more or less the same. Are you entering your password once, or twice? Or password once and TouchID after that? And I'm assuming you still have two accounts set up? – Harv Dec 07 '17 at 21:18
  • I am entering just one password just once. I used "sudo fdesetup remove -user temp" to disallow the temp user password from decrypting the disk, and now on boot only my admin user is visible. After logging in to the admin user, I'm able to log out and switch users to temp. This leads me to think it decrypts the disk and logs me in at the same time because they're the same password. Is this not normal? – Sllew Dec 07 '17 at 21:24
  • 1
    Yes, that's normal. IIRC it used to be that you actually had to enter your password twice, but that either was due to something I was doing or has since been changed. – Harv Dec 07 '17 at 21:27
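
The split discussed in the comments (one account whose password unlocks the disk at pre-boot, another that can only log in once the disk is already unlocked) can be read off `fdesetup status` and `fdesetup list`. The script below is an added example, not part of the original thread; the sample command outputs and account names in it are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: classify accounts by whether they can unlock a FileVault disk.
# All SAMPLE_* values are constructed, not captured from a real Mac.

SAMPLE_STATUS='FileVault is On.'                             # `fdesetup status`
SAMPLE_LIST='admin,11111111-2222-3333-4444-555555555555'     # `sudo fdesetup list`
SAMPLE_ACCOUNTS='admin
temp'                                                        # local short names

# Return 0 if the status text reports FileVault as on.
filevault_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Print short names that hold a disk-unlock credential ("shortname,UUID" lines).
unlock_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# $1 = fdesetup list text, $2 = account names, one per line.
# "preboot"     = password unlocks the disk at the pre-boot screen
# "post-unlock" = can only log in after someone else has unlocked the disk
classify_accounts() {
  ca_enabled=$(unlock_users "$1")
  while IFS= read -r ca_name; do
    [ -n "$ca_name" ] || continue
    if printf '%s\n' "$ca_enabled" | grep -Fxq -- "$ca_name"; then
      echo "$ca_name preboot"
    else
      echo "$ca_name post-unlock"
    fi
  done <<EOF
$2
EOF
}

# On a real Mac, pass live output instead of the samples, for example:
#   classify_accounts "$(sudo fdesetup list)" "$(dscl . list /Users | grep -v '^_')"
if filevault_is_on "$SAMPLE_STATUS"; then
  classify_accounts "$SAMPLE_LIST" "$SAMPLE_ACCOUNTS"
else
  echo "FileVault is off: data on the disk is not protected at rest"
fi
```

With the constructed input, `admin` is reported as `preboot` and `temp` as `post-unlock`, matching the state after `sudo fdesetup remove -user temp`.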