Allow Unlocking, Prevent Decryption

Discussion in 'Mac Basics and Help' started by doubledee, Jul 9, 2013.

  1. doubledee macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #1
    Still new to Full-Disk Encryption here, and wanted to know the following...

    Is it possible to set up FileVault 2 so that a given user is allowed to "unlock" the encrypted disk and thus use it, BUT prevent the same user from being able to "decrypt" the HDD?


    (In another thread located here I was trying to figure out exactly how encryption does and doesn't work, and for now, I have adopted the term "unlock" to denote gaining access to an encrypted HDD, and the terms "encrypt" and "decrypt" to denote the process of taking a HDD that is basically in plain-text and scrambling it up. Since I didn't get any replies on that thread, I'm not sure if I am using these terms correctly?!)


    I spent some time last night reading up on my question, and it appears - that via the Control Panel - Mountain Lion only offers a global solution of designating a user to have both "unlock" and "decrypt" power or no access to the FileVault 2 HDD?!

    As I tried to explain above, to me encryption entails two phases...

    1.) Encrypting the HDD so casual users/passersby cannot read its contents

    2.) Locking/Unlocking the HDD to gain access


    In my mind, these are really two separate concepts.

    (You might allow your child to have access to "unlock" your HDD, but that doesn't necessarily mean that you want to give them the ability to remove FileVault 2 from the HDD?!) :eek:


    My new MBP has one Admin account, and one Standard account.

    In an ideal world, I would like to set things up so only the Admin can turn FileVault 2 encryption on and off (i.e. encrypt and decrypt).

    But both users would obviously need the ability to "lock" and "unlock" the HDD so they can use it independently.

    Is that possible?

    Hope my question makes sense?!

    Sincerely,


    Debbie
     
  2. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
    Go to the advanced tab in this pref pane and check the box to require an admin PW to access locked pref panes.


    Now go to the FileVault pref pane area and make sure the lock on the lower left is locked. As you can see, with it locked the turn off FV option is greyed out and cannot be accessed. If you click the unlock you will be asked for an admin PW.

    So with this setup a standard user can use the machine and access files in their user area without being able to turn off FileVault encryption.

     
  3. doubledee thread starter macrumors 6502

    #3
    Thanks, Weaselboy, you are always so helpful!! :apple:

    (BTW, I assume that lock setting is reasonably secure and can't easily be bypassed, right?)

    Sincerely,


    Debbie
     
  4. Weaselboy Moderator

    #4
    Only way around it is to enter the admin PW.
     
  5. doubledee thread starter macrumors 6502

    #5
    BTW, when I encrypt my HDD, I assume that FileVault 2 encrypts all User Accounts in one fell swoop, right?

    So based on your advice above, I would set things up so only an Admin can turn on FileVault 2, but also allow both my Admin and my Standard accounts to "unlock" the HDD.

    Then when I encrypt my HDD as an Admin, *all* accounts and *everything* on my HDD would be protected, right?

    Sincerely,


    Debbie
     
  6. Weaselboy Moderator

    #6
    Yes, exactly. It is not just user accounts that are protected/encrypted... the entire disk is.
     
  7. doubledee thread starter macrumors 6502

    #7
    Okay, I think just about everything is in place, and I can finally install my MBP Factory Clone on my new HDD tonight, and finally get my new cMBP built!!

    Thanks for your help!!


    Debbie
     
