While messing around a 15" early 2008 MBP in installing a new Mac OS X v10.11.x/El Capitan OS from a 64 GB PNY USB flash drive into its old
original HDD, I noticed different results when encrypting its internal
old HDD:
1. Encrypt (FileVault -- took a couple hours) after installing and
updating Mac OS X v10.11.5 from an USB flash drive into a reformatted
HDD with case sensitive journaled Mac OS FS. Mac OS X even told me to
save a recovery key (used local, not cloud). Booting up MBP shows Mac OS
X's user accounts login screen.
2. Encrypt while formatting a non-case sensitive journal Mac OS FS (took
like a minute) before installing Mac OS X v10.11.6 (redownloaded and
remade my bootable USB installer). Booting up the HDD show disk password instead of Mac OS X's login screen. Mac OS X says FileVault is enabled.
Mac OS X never told me to save a recovery key.
Why the different results between these two encrypted disk orders if FileVault's encryption is used? Thank you in advance. :)
Ant <ant@zimage.comANT> wrote:
While messing around a 15" early 2008 MBP in installing a new Mac
OS X v10.11.x/El Capitan OS from a 64 GB PNY USB flash drive into
its old original internal HDD, I noticed different results when
encrypting its internal old HDD:
1. Encrypt (FileVault -- took a couple hours) after installing and
updating Mac OS X v10.11.5 from an USB flash drive into a
reformatted HDD with case sensitive journaled Mac OS FS. Mac OS X
even told me to save a recovery key (used local, not cloud).
Booting up MBP shows Mac OS X's user accounts login screen.
2. Encrypt while formatting a non-case sensitive journal Mac OS FS
(took like a minute) before installing Mac OS X v10.11.6
(redownloaded and remade my bootable USB installer). Booting up the
HDD show disk password instead of Mac OS X's login screen. Mac OS X
says FileVault is enabled. Mac OS X never told me to save a
recovery key.
Why the different results between these two encrypted disk orders
if FileVault's encryption is used? Thank you in advance. :)
In the second case you've used the method typically used with an
external drive, not the startup drive. The normal method for the
startup drive is to turn on FileVault in System Preferences, after
installing the OS.
For a single-user computer it doesn't make a huge difference, but
there is an important difference for a multi-user computer.
Method 1 (FileVault) allows you to have multiple accounts able to
unlock the disk, using just the account password. As you noted, the
login screen appears early in the startup sequence, and entering your password there both unlocks the drive and logs in to your account
(which actually happens after the OS has finished loading, but the
normal login screen at that point is suppressed). Each user can
independently change their account password without affecting the
ability of other accounts to unlock the disk.
With FileVault it is also possible to set things up so non-admin
users are able to log in, but NOT unlock the disk. They need to get
an admin user to log in at startup to unlock the disk, after which
the admin can log out and any user can log in. You can't use
auto-login with a FileVault volume, because the password is required
to unlock the disk.
FileVault can only be set up on the startup disk, not other external
disks.
Method 2 (encrypted disk created with Disk Utility or encryption
enabled in Finder) sets a single disk password. That password needs
to be known by everyone who needs to be able to unlock the disk. If
used on a startup disk, the password needs to be entered before the
disk can be mounted at startup, so there is an additional password
prompt (unlock disk, then log in) unless you use auto-login.
If you change the disk password, you need to tell all users the new
password.
For non-startup disks, it is possible to store the disk password in
your keychain, so you don't need to enter it each time the disk is
mounted. The system doesn't offer to store the password in the
keychain when encryption is first set up, but it does when you next
mount the disk.
In both cases, the underlying encryption mechanism is identical
(using AES, with a symmetric encryption/decryption key). The only
difference is how the decryption key is stored and accessed. The key
is stored on the volume but is encrypted (using a one-way encryption
method) with the disk password for a manually encrypted disk, or
multiple copies encrypted with each account password and recovery key
for FileVault.
That means the weakest password is the weakest link for decrypting
the drive. For FileVault, all account passwords must be "strong
enough" or someone stealing the drive or computer could guess one of
them and decrypt the drive.
On 2/25/2017 6:58 PM, David Empson wrote:
Ant <ant@zimage.comANT> wrote:
While messing around a 15" early 2008 MBP in installing a new Mac
OS X v10.11.x/El Capitan OS from a 64 GB PNY USB flash drive into
its old original internal HDD, I noticed different results when
encrypting its internal old HDD:
1. Encrypt (FileVault -- took a couple hours) after installing and
updating Mac OS X v10.11.5 from an USB flash drive into a
reformatted HDD with case sensitive journaled Mac OS FS. Mac OS X
even told me to save a recovery key (used local, not cloud).
Booting up MBP shows Mac OS X's user accounts login screen.
2. Encrypt while formatting a non-case sensitive journal Mac OS FS
(took like a minute) before installing Mac OS X v10.11.6
(redownloaded and remade my bootable USB installer). Booting up the
HDD show disk password instead of Mac OS X's login screen. Mac OS X
says FileVault is enabled. Mac OS X never told me to save a
recovery key.
Why the different results between these two encrypted disk orders
if FileVault's encryption is used? Thank you in advance. :)
In the second case you've used the method typically used with an
external drive, not the startup drive. The normal method for the
startup drive is to turn on FileVault in System Preferences, after installing the OS.
Ah. I did it during it format because it takes forever to encrypt.
I was assuming it was using FileVault's method which I did see it was
enabled after installing and rebooting.
For a single-user computer it doesn't make a huge difference, but
there is an important difference for a multi-user computer.
OK, I noticed that before and after doing a long encrypted Time Machine restore for kicks with admin, standard, and guest accounts.
Method 1 (FileVault) allows you to have multiple accounts able to
unlock the disk, using just the account password.
Method 2 (encrypted disk created with Disk Utility or encryption
enabled in Finder) sets a single disk password. That password needs
to be known by everyone who needs to be able to unlock the disk. If
used on a startup disk, the password needs to be entered before the
disk can be mounted at startup, so there is an additional password
prompt (unlock disk, then log in) unless you use auto-login.
I noticed non-admin accounts can be granted to unlock disk. My brand new admin account doesn't even show up. I do see a "Disk Unlock" account which was made when I formatted the drive as encrypted Mac OS FS yesterday with
the USB installer.
If you change the disk password, you need to tell all users the new password.
Wait, where is this change disk password? I don't see it in both Mac OS
X's user accounts and Disk Utility. I assume it can be removed too? Or
does that require a reformat?
For non-startup disks, it is possible to store the disk password in
your keychain, so you don't need to enter it each time the disk is
mounted. The system doesn't offer to store the password in the
keychain when encryption is first set up, but it does when you next
mount the disk.
I have used external non-startup and startup drives with their Mac OS encryptions. I didn't use their keychains though.
In both cases, the underlying encryption mechanism is identical
(using AES, with a symmetric encryption/decryption key). The only difference is how the decryption key is stored and accessed. The key
is stored on the volume but is encrypted (using a one-way encryption method) with the disk password for a manually encrypted disk, or
multiple copies encrypted with each account password and recovery key
for FileVault.
That means the weakest password is the weakest link for decrypting
the drive. For FileVault, all account passwords must be "strong
enough" or someone stealing the drive or computer could guess one of
them and decrypt the drive.
OK amd thanks. :)
So wait, FileVault is not encrypting the whole drive but formatted
encrypted drive is?
If so, then what exactly is FileVault not encrypting then?
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 307 |
Nodes: | 16 (2 / 14) |
Uptime: | 62:00:18 |
Calls: | 6,915 |
Files: | 12,379 |
Messages: | 5,431,371 |