10 Things You Might Not Know About FileVault 2
- Password Changes and FileVault 2
- The Guest User and FileVault 2
- Enabling Admin Users for FileVault 2 via System Preferences
- Creating an Institutional Recovery Key
- Erasing a FileVault 2?Encrypted Volume from the Command Line
- Setting a Text-Only Login Banner from the Command Line for the FileVault 2 Pre-Boot Login Screen
- Booting into Single-User Mode on a FileVault 2?Encrypted Mac
- Using Apple's Internet Recovery to Unlock or Decrypt a FileVault 2?Encrypted Boot Drive
- FileVault 2 and UUIDs
- Automating fdesetup authrestart in 10.9.x or Later
In his Worldwide Developers Conference 2011 keynote address, Steve Jobs briefly mentioned that Apple had revamped its FileVault encryption solution for Mac OS X 10.7.x, changing it from encryption that primarily protected the account's home folder to encryption that protects the whole boot volume. Since that initial announcement, FileVault 2 has evolved into an encryption solution that can be managed easily by both home users and enterprises.
Of course, nearly every technology solution has details that aren't generally well known, and FileVault 2 is no different in that regard. To help Mac admins who are managing FileVault 2, I've put together a list of 10 things I've run across in my work with FileVault 2 that I've either been asked about frequently or that seem to be completely undocumented by Apple.
Password Changes and FileVault 2
FileVault 2 has a nifty password-update procedure for its enabled accounts (that is, the accounts that show up at the pre-boot login screen). If you change your account's password, the OS will automatically and invisibly update your FileVault 2 pre-boot login. This design helps to ensure that your account is consistently using the same password across the board. For local accounts, the password update is triggered when changing the local account's password via the Users & Groups preference pane in System Preferences.
If a FileVault 2–enabled account is an Active Directory or Open Directory mobile account (where the account's password is being managed by the Active Directory or Open Directory service), it's possible to change the password for an account without being noticed by the OS. For example, many worksites have a policy that passwords must change on a scheduled interval, and they provide a website for making such changes. If an encrypted Mac was offline when the password was changed, the Mac might not receive that password change until the next startup.
In such a case, here's how the password update process should work:
- You change your mobile account's password from outside your Mac.
You boot your encrypted Mac while connected to a network that allows connections between your Mac and the directory service that manages your account's password. The pre-boot login screen accepts the account's old password (see Figure 1).
The pre-boot login accepts the old password because the OS is not running at this point in the boot process, and the Mac is unable to communicate with the directory service that manages the account's password.
Figure 1 Logging in at the FileVault 2 pre-boot login with the old account password.
At the login window for your Mac, you type the account's new password (see Figure 2). Since the OS is running at this point, it can communicate with the directory service and learn that the account has a new password. Once the new password has been accepted, the OS will allow the login process to complete, and it will update the FileVault 2 pre-boot login to use the new password.
Figure 2 Logging in at the OS login window with the current account password.
After the new password has been accepted, the Mac should provide the option to update the login keychain's password (see Figure 3).
Once updated, the login keychain should use the account's new password as well.
Figure 3 Updating the account's login keychain.