Discreet way of logging in? Read inside for details of my question

Discussion in 'OS X El Capitan (10.11)' started by jdaniel, Jul 29, 2016.

  1. jdaniel macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #1
    Hi guys I need some help... I have posted about this a very long time ago and no one responded.

    As far as I understand it, there are 2 ways of logging in.

    1. You see the icons and you pick your name and you enter your password, in this method you see all the users that are on the system, but you can encrypt your hdd.

    2. If you use discreet login, where you don't see icons, you have to enter your username and password. As far as I understand it you cannot encrypt your drive in this mode.

    I would like to login using method 2, but leave the drive encrypted. Solutions? I don't want people to be able to see the various users on the mac I would like my mac to be secure and encrypted ....

    THANKS !
     
  2. NoBoMac macrumors 6502a

    Joined:
    Jul 1, 2014
    #2
    Well, no responses since, I believe, pretty much can't do what you want.

    A workaround: create a dummy account solely for unlocking the disk drive, and have only that account be able to unlock the drive. Once machine is up and running, can sign-out, and have the machine configured to provide the text entry boxes for user-id/password.
     
  3. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #3
  4. KALLT, Jul 30, 2016
    Last edited: Jul 30, 2016

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    To supplement NoBoMac's suggestion with some improvements:
    • You can disable the automatic login after the FileVault unlock with the following command (which prevents the unnecessary login into the dummy account):
      Code:
      sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
    • To restrict access to FileVault to the dummy account only, you can use this command to remove other users:
      Code:
      sudo fdesetup remove -user username
      You can get a list of users that are currently allowed to unlock FileVault with this:
      Code:
      sudo fdesetup list
    • You can hide the dummy account from the GUI completely with either of these commands:
      Code:
      sudo dscl . create /Users/dummyaccount IsHidden 1
      sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add dummyaccount
      

    Alternatively, you can get around FileVault entirely by simply turning your partition into an HFS+ (Journaled, Encrypted) partition (which is practically the same encryption scheme, just without the niceties of FileVault, such as the separate recovery key and the ability to unlock the drive per user). This will accordingly remove the EFI login behaviour entirely and resort to a simple unlocking process that requires your encryption key, rather than a password. You can do this with the following command:
    Code:
    sudo diskutil cs convert diskidentifier -passphrase yourencryptionkey
    You can find your disk identifier (‘BSD device node’) in Disk Utility or with diskutil list. You have to turn off FileVault before and let the decryption process finish, of course.
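
Added example, not part of the post above or of anything else in the thread: a pre-check for the `fdesetup remove` step that reads `fdesetup list` output, reports every account other than the dummy one that can still unlock FileVault, and refuses to plan removals when the dummy account is not itself enabled. It assumes `fdesetup list` prints one `shortname,GeneratedUID` pair per line; the function names, the account name `unlockonly` and the sample data are hypothetical or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the account name
# "unlockonly" and the sample data are hypothetical / constructed.
# Assumption: `sudo fdesetup list` prints one "shortname,GeneratedUID" per line.

# Constructed sample of `fdesetup list` output, so the script runs off a Mac.
sample_fdesetup_list() {
    printf '%s\n' \
        'jd,00000000-0000-0000-0000-000000000001' \
        'unlockonly,00000000-0000-0000-0000-000000000002' \
        'guestadmin,00000000-0000-0000-0000-000000000003'
}

# fv_audit KEEP < list
# Prints "EXTRA name" for every enabled user other than KEEP.
# Exit 0: only KEEP can unlock. Exit 1: extras exist.
# Exit 2: KEEP itself is not enabled, so removing the others is unsafe.
fv_audit() {
    awk -F, -v keep="$1" '
        NF >= 2 && $1 != "" {
            if ($1 == keep) { found = 1 } else { extra[++n] = $1 }
        }
        END {
            if (!found) { print "MISSING " keep; exit 2 }
            for (i = 1; i <= n; i++) print "EXTRA " extra[i]
            exit (n > 0 ? 1 : 0)
        }'
}

# fv_plan KEEP < list
# Prints the removal commands for review; it never runs them, and prints
# nothing when KEEP is missing from the list.
fv_plan() {
    fv_audit "$1" | while read -r kind user; do
        if [ "$kind" = "EXTRA" ]; then
            printf 'sudo fdesetup remove -user %s\n' "$user"
        fi
    done
}

# Demo on the constructed sample: prints two removal commands.
sample_fdesetup_list | fv_plan unlockonly
```

On the Mac itself, pipe the real list in instead of the sample: `sudo fdesetup list | fv_audit dummyaccount`.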
     
  5. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #5
    thanks guys lots to read will look through and post back with questions if any and most certainly updates
    --- Post Merged, Jul 31, 2016 ---
    ok first of all thanks, let me get this straight.. so once I am done decrypting... while the disk is in use and without losing any data or reformatting.. I can with this command transform my disk which is now on OS X extended to HFS+ ?

    sudo diskutil cs convert diskidentifier -passphrase yourencryptionkey , so diskidentifier is the name of my HD or whatever that pops up using diskutil list and "yourencryptionkey" what is that exactly the current password for my HD or password I want it to be which is essentially the same thing :)
     
  6. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #6
    Not quite! You are already using HFS+ (called ‘Mac OS Extended’ in Finder and Disk Utility). HFS+ has no encryption capabilities, so Apple created a wrapper for HFS+ that provides volume encryption in its stead: CoreStorage. When you enable FileVault, your system wraps your HFS+ partition in the CoreStorage format and encrypts the contents. It does this at runtime. You can access this functionality with the command I gave you. However, as you enabled FileVault already, your drive is presently an encrypted CoreStorage. One way to do this is to disable FileVault and wait for the decryption to be completed.

    When you type diskutil list into a Terminal window, you get a list of your disks and volumes. It looks like this:
    Code:
    /dev/disk0
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *250.0 GB   disk0
       1:                        EFI EFI                     209.7 MB   disk0s1
       2:          Apple_CoreStorage                         249.2 GB   disk0s2
       3:                 Apple_Boot Boot OS X               650.0 MB   disk0s3
    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:                  Apple_HFS Macintosh HD           *248.8 GB   disk1
    My main partition has the disk identifier disk0s2, currently a CoreStorage volume which contains the HFS+ volume called Macintosh HD (which has the identifier disk1). Normally, you do not have to reverse the entire process to re-encrypt the volume or change the passphrase, but the problem is, as I understood it, that FileVault never gives you the actual passphrase of the drive and you cannot perform diskutil cs decryptvolume or diskutil cs changevolumepassphrase without it.

    Maybe @Weaselboy knows more about this, but that is what I know.
     
  7. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #7
    ok great one more clarification I assume your response is as such because there's HFS+ and HFS+ journaled and encrypted is that right? which are two different things I just thought it's one thing. they have changed the way capitan works you can no longer easily use disk utilities to see the various options. but whatever you are saying basically boils down to once FileVault is decrypted I can redo it using a non FileVault method that you have mentioned .. but I'm still not clear about this passphrase thing it seems you don't mean a new password or the current user password so what do you mean exactly?
     
  8. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #8
    FileVault has additional functionality that is optional to encrypted CoreStorage. When you enable FileVault, the system creates separate ‘passphrases’ for each user account (i.e. the account password) in addition to a recovery key (which is also a passphrase). Each of these passphrases decrypts the actual encryption key of the volume, which is unbeknownst to you. When you create an encrypted CoreStorage volume with diskutil however, you have to specify this passphrase yourself and it is not tied to your user account. You can choose whatever you want, you will need to use this passphrase whenever you boot your Mac. You can reuse your password, if you want, but you don’t have to.
     
  9. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #9
    right understood, I appreciate you taking the time to assist. It is now in the process of decrypting, I shall post back once it's done. Thanks
     
  10. jdaniel, Jul 31, 2016
    Last edited: Jul 31, 2016

    jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #10
    This is the error message I'm getting:
    Error converting disk to CoreStorage: The target disk is already in use by Core Storage (-69753) what does that mean... I am supposed to choose the one that is currently macintosh hd right?

    Ok so I restarted, and I had an issue it was going to a recovery disk utility screen... I did a disk repair and it restarted fine... I am gonna test again later with my TB display attached... now I ran the utility again and this is what I am getting:

    Started CoreStorage operation on disk0s2 Macintosh HD
    Resizing disk to fit Core Storage headers
    Creating Core Storage Logical Volume Group
    Reviewing boot support loaders
    Attempting to unmount disk0s2
    Switching disk0s2 to Core Storage
    Couldn't unmount disk0s2; converted volume won't appear until it's unmounted
    Finished CoreStorage operation on disk0s2 Macintosh HD
    Encryption in progress; use `diskutil coreStorage list` for status
     
  11. KALLT macrumors 601

    Joined:
    Sep 23, 2008
  12. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #12
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *750.2 GB   disk0
       1:                        EFI EFI                     209.7 MB   disk0s1
       2:          Apple_CoreStorage Macintosh HD            749.3 GB   disk0s2
       3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
    /dev/disk1 (external, physical):
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *1.0 TB     disk1
       1:                        EFI EFI                     209.7 MB   disk1s1
       2:                  Apple_HFS HD                      999.9 GB   disk1s2
    JDs-MacBook-Pro:~ JD$

    And for:
    CoreStorage logical volume groups (1 found)
    |
    +-- Logical Volume Group 866A5471-4E85-44A4-8460-916E6A571285
        =========================================================
        Name:         Macintosh HD
        Status:       Offline
        Size:         0 B (0 B)
        Free Space:   -none-
        |
        +-< Physical Volume 8932F78C-6882-4EAF-BB27-CC980D9FF5D9
            ----------------------------------------------------
            Index:    0
            Disk:     disk0s2
            Status:   Checking
            Size:     749296615424 B (749.3 GB)
    JDs-MacBook-Pro:~ JD$
     
  13. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #13
    so I think it's done its work, but now when I log in I have to log into the drive then I see my user log in?
     
  14. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #14
    Yes, that is the point of this. Unlocking the drive is now a separate step that requires your passphrase instead of one of your account passwords. Afterwards you have to login, but you are free to choose how the login screen looks.
     
  15. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #15
    right so if I want the drive protected and the login discreet like that there's no other way right? btw thanks
     
  16. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #16
    No, there is no other way. It’s either FileVault in its full glory (and the workarounds I mentioned in my first post) or manual encryption using diskutil. Just make sure that you do not forget your passphrase. Making regular backups is definitely recommended.
     
  17. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
  18. LCPepper, Aug 4, 2016
    Last edited: Aug 4, 2016

    LCPepper macrumors 6502

    Joined:
    Aug 5, 2013
    Location:
    United Kingdom
    #18
    Sorry to wade in here after so much effort has been spent.

    But I have full FileVault turned on and the "discreet" login enabled, and I didn't do anything other than go and enable FileVault in settings...

    As far as I am aware, the decryption passphrase is the password, so as long as one is entered that corresponds, then why would it make any difference to list or not, the usernames?

    The functioning is the same, just how it is presented to the GUI is changed if you think about it logically...

    I have accessed my MacBook Pro from another Mac over thunderbolt in the past, and had to just put in a password from one of my MBP's user accounts to get access through FileVault.

    Edit: adding more waffle.

    OKAY I SEE!

    OP meant in terms of the initial login at boot up.

    I just checked mine, and though when "logging off" after decryption/ user switching, you can enable the discreet login. But come from a fresh sesh, it doesn't use discreet methods!

    Apologies for the unnecessary inconvenience! I shall leave my original pontification as means of a dunce hat!

    Edit: stupidity
     
  19. ScoobyMcDoo macrumors 65816

    Joined:
    Nov 26, 2007
    Location:
    Austin, TX
    #19
    I'm gonna wade in late too just to point out that there are third party solutions that could be explored. My company uses Dell Data Protection for the PCs here. They have an OS X version also - I don't use it, but I know it exists. I read about it a bit and I think it said it encrypts each file separately rather than using a sparse bundle, so maybe you can get the behavior you want.
     
  20. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #20
    It is not a full-disk encryption though. FileVault used to be based on an encrypted sparse-bundle as well, but it proved to be unreliable and prone to security problems (the system still ‘leaks’ data outside of the user directory). Full-disk encryption is a more complete solution. That being said, it is of course possible to use additional methods, particularly for data that might leave the system at one point.

    Some people like the added obscurity. It does not make much of a difference in terms of security though. Either the password is decent enough to fend off attacks, or it is not. It can certainly delay attacks if they have to figure out the usernames too, but the real protection comes from the password and if that’s decent, then the encryption is practically impossible to crack.
     
  21. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #21
    I'm basically trying to thwart *******s at customs who think it's ok to go through your computer this way I can just go into a dummy account, not that I have anything to hide, I just think it's offensive and invasive so they can go look at an empty account
     
  22. ScoobyMcDoo macrumors 65816

    Joined:
    Nov 26, 2007
    Location:
    Austin, TX
    #22
    Which country's customs logs into your account and peruses through your files? The closest I have ever come to that is TSA folks just powering it up to make sure it's really a computer.
     
  23. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #23
    they do though I've read about it Canada, US they look through your phones and computers even for citizens ... uggh
     
  24. jdaniel thread starter macrumors 65816

    Joined:
    Mar 21, 2009
    Location:
    Ottawa, Canada
    #24
    follow up question kallt, when I try to add a user it comes up as an icon right next to the disk password instead of being a discreet thing is there a way to make another user that's hidden like my main user?
     
  25. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #25
    I don’t understand what you mean. Adding a user to what and how? Where does this icon appear? Could you elaborate, or show a picture?
     
