EFI Password and File Vault 2

Discussion in 'Mac Basics and Help' started by Texas_Toast, Nov 15, 2016.

  1. Texas_Toast macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #1
    Setting up my new 2015 rMBP and have some questions about security.

    I thought that when you use FileVault 2, it also encrypts the Recovery Partition so that you cannot boot up directly from it (i.e. Command + R).

    Is this right or wrong?
     
  2. bcave098, Nov 15, 2016
    Last edited: Nov 15, 2016

    bcave098 macrumors 6502

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #2
    No, the recovery partition cannot be encrypted, and being able to boot from it is necessary for using FileVault 2. A firmware password can prevent users from booting to any volume other than the selected startup volume (i.e. the recovery partition) without the password.
     
  3. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #3
    I know that FileVault uses the Recovery Partition to boot, but thought that once you turned on FV, you couldn't do a Command+R.
    --- Post Merged, Nov 15, 2016 ---
    So when I set up my new Mac, at what point should I add an EFI password? And at what point should I turn on FileVault 2?
     
  4. DeltaMac macrumors 604

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #4
    The EFI, or firmware, password prevents booting to other devices or partitions, including the recovery partition.
    It is independent of FV - it can be enabled with or without FV, but is a good step if you have a need for that additional security of the firmware password.
    Personally, I do not use both on the same system, and prefer to not enable the EFI password at all.
     
  5. bcave098 macrumors 6502

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #5
    The recovery partition is used for the Reset Password Assistant and to re-install macOS if there's an issue. The FileVault password is always required to access the data on the volume. You can use a firmware password if you're concerned about being able to boot into recovery.
     
  6. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #6
    So I can do them in either order?
     
  7. bcave098 macrumors 6502

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #7
    Yes. You can use neither, one, or both. Just remember if you forget the firmware password, you have to take the computer (and its receipt) to Apple to remove it.
     
  8. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #8
    But does it matter which order I install them in?


    Right.
     
  9. bcave098 macrumors 6502

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #9
    No
     
  10. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #10
    Okay, thanks!
     
