
Ambrosia7177

macrumors 68020
Original poster
Setting up my new 2015 rMBP and have some questions about security.

I thought that when you use FileVault 2, that it also encrypts the Recovery Partition so that you cannot boot up directly from it (i.e. Command + R).

Is this right or wrong?
 
No, the recovery partition cannot be encrypted, and being able to boot from it is necessary for using FileVault 2. A firmware password can prevent users from booting to any volume other than the selected startup volume (i.e. the recovery partition) without the password.
 
I know that FileVault uses the Recovery Partition to boot, but thought that once you turned on FV, that you couldn't do a Command+R.

So when I set up my new Mac, at what point should I add an EFI password? And at what point should I turn on FileVault 2?
 
The EFI, or firmware, password prevents booting to other devices or partitions, including the recovery partition.
It is independent of FV - can be enabled with or without FV, but is a good step if you have a need for that additional security of the firmware password.
Personally, I do not use both on the same system, and prefer to not enable the EFI password at all.
 
The recovery partition is used for the Reset Password Assistant and to re-install macOS if there's an issue. The FileVault password is always required to access the data on the volume. You can use a firmware password if you're concerned about being able to boot into recovery.
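
A way to check which of the two protections discussed in this thread is active on a Mac, as an added example that is not part of any poster's reply. It parses the text printed by `fdesetup status` and `firmwarepasswd -check` on Intel Macs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether FileVault and the firmware password are set.
# The matched phrases are the ones the two macOS tools print on Intel Macs.

# Returns 0 if the given `fdesetup status` output reports FileVault as on.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the given `firmwarepasswd -check` output reports a password set.
firmware_pw_on() {
    case "$1" in
        *"Password Enabled: Yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one summary line; output that cannot be recognised counts as "off".
audit() {
    fv=off; fw=off
    if filevault_on "$1"; then fv=on; fi
    if firmware_pw_on "$2"; then fw=on; fi
    case "$fv/$fw" in
        on/on)   echo "OK: data encrypted; booting Recovery needs the firmware password" ;;
        on/off)  echo "PARTIAL: data encrypted; Recovery (Command+R) boots without a password" ;;
        off/on)  echo "PARTIAL: firmware password set; data on disk is not encrypted" ;;
        off/off) echo "NONE: neither FileVault nor a firmware password is set" ;;
    esac
}

# On a Mac, query the real tools (firmwarepasswd needs root).
if command -v fdesetup >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
    audit "$(sudo fdesetup status 2>&1)" "$(sudo firmwarepasswd -check 2>&1)"
fi
```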
 
So I can do them in either order?
 