How does FileVault work with Multiple User Accounts?

gpspad

macrumors 6502a
Original poster
Feb 4, 2014
588
19
I am setting up a 2012 Mac Mini with Mojave that will have 6 separate user accounts on it. One admin account and 5 standard user accounts. The machine will mostly be for web surfing and homework through Google accounts, but probably mostly watching YouTube videos :)

The computer has a 512GB SSD drive I installed and an old 1TB spinning HD inside I set up to back up via Time Machine. The TM backup will be encrypted, as well as the external HD I have CCC back up to once a night.

Now that the backups are encrypted, I was toying with the idea of using FileVault. How would that work with multiple users sharing the computer?

Would it work?

Some of the children are small, so I am trying to make as few passwords come up as possible, just their Mac passwords. They all have Apple IDs and various phones and iPads.

Any suggestions on setting up a family computer with multiple users would be appreciated.
 

gpspad

macrumors 6502a
Original poster
Feb 4, 2014
588
19
Will each person's data be encrypted separately?

or will each just have a key to open the one drive?

From reading, their login password will decrypt the drive?

Just want to make sure before I enable it. I have spent hours on this little Mac setting up Apple IDs to get it all ready to go, and this was my last concern :)
 

toru173

macrumors 6502
Apr 5, 2007
293
99
This article explains a little more about FileVault 2 - at least on HFS+ volumes: https://eprint.iacr.org/2012/374.pdf. I understand APFS to be very similar.

My understanding is that there is a list of authorised users contained in an encrypted file on the recovery partition. When you boot, your Mac loads this and offers a password dialogue. If your password matches that on file in the list, and you're an authorised user, the EFI program then derives each sector's FileVault key from your password and the main FileVault volume key. It then uses this to unlock the drive and decrypt each sector on the fly.

Note that - once unlocked - a privileged user can read or write anywhere on the disk. FileVault 2 does NOT defend against a malicious local user. If someone else has admin rights on your computer and is authorised to unlock the disk with FileVault 2, they can read your files. However, this capability is blocked by default; one user is not typically given visibility into other users' files unless they escalate their privileges.

For your use case, I believe FileVault can't be enabled for non-admin users. I would probably advise against it if you wish to minimise password prompts, but you need to balance security and convenience, and make sure you take regular backups and store your recovery key securely!
 

dsemf

macrumors 6502
Jul 26, 2014
344
73
When encryption is selected for the boot volume, a list of users is presented. The selected users are able to unlock the volume using their logon password. These can be admin or normal users. Other users have to use the disk unlock password and then their own logon password.

Seeing the authorized users is a three-step Terminal process.

Get the boot volume disk name, in this case disk1s1:
Code:
diskutil apfs list

...
    +-> Volume disk1s1 76B36FAF-9000-430B-B06B-2BCC35FBE5B9
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         217703055360 B (217.7 GB)
    |   FileVault:                 Yes (Unlocked)
...
Get the authorized users. In this case there is an admin user, two normal users and a local recovery pseudo user since I did not use iCloud recovery.
Code:
diskutil apfs listKeys disk1s1

Cryptographic users for disk1s1 (4 found)
|
+-- DD53237D-A30B-4773-A9DE-A7114D32CA61
|   Type: Local Open Directory User
|
+-- F59F286A-C606-487F-8994-3F30DF04782D
|   Type: Local Open Directory User
|
+-- EB072D7F-FA34-43AA-BDD1-983DE43A6350
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User
Match the UUIDs to actual users:
Code:
dscl . read /Users/xxx | grep UID

GeneratedUID: F59F286A-C606-487F-8994-3F30DF04782D
Based on this information, user xxx can unlock the Macintosh HD boot volume during logon.

I am not aware of a method to add additional users after the fact. The easiest method is to disable encryption, wait for it to finish and then enable again selecting the appropriate users.

DS
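Scripting the three steps above, as an added example that is not from dsemf's post: a POSIX shell script that parses `diskutil apfs listKeys` output and matches each cryptographic user's UUID against the `GeneratedUID` column of `dscl . -list /Users GeneratedUID`, so an admin can check which accounts can unlock the volume at login. The user names, the non-recovery UUIDs and both command outputs are constructed samples (only the Personal Recovery User UUID is the one shown in the post); on a real Mac, replace the samples with the live command output.

```shell
#!/bin/sh
# Constructed sample of `diskutil apfs listKeys disk1s1` (UUIDs made up,
# except the Personal Recovery User entry, which is the one shown in the thread).
LISTKEYS_SAMPLE='Cryptographic users for disk1s1 (3 found)
|
+-- 11111111-1111-1111-1111-111111111111
|   Type: Local Open Directory User
|
+-- 22222222-2222-2222-2222-222222222222
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

# Constructed sample of `dscl . -list /Users GeneratedUID` (username, then UUID).
# carol exists locally but was not selected when FileVault was enabled.
DSCL_SAMPLE='alice 11111111-1111-1111-1111-111111111111
bob   22222222-2222-2222-2222-222222222222
carol 33333333-3333-3333-3333-333333333333'

# Step 2: print "UUID<TAB>Type" for every cryptographic user in listKeys output on stdin.
crypto_users() {
    awk '/^\+-- / { uuid = $2 }
         /Type:/  { sub(/^.*Type: */, ""); print uuid "\t" $0 }'
}

# Step 3: resolve one GeneratedUID to a username from dscl output on stdin.
# The recovery pseudo user has no local account, so it resolves to a marker.
uuid_to_user() {
    awk -v want="$1" '$2 == want { print $1; found = 1 }
                      END { if (!found) print "(no local user)" }'
}

# Join both steps: one "username<TAB>UUID<TAB>Type" line per unlock-capable user.
# On a real Mac: diskutil apfs listKeys "$VOL" | crypto_users, and dscl for the lookup.
unlock_report() {
    printf '%s\n' "$LISTKEYS_SAMPLE" | crypto_users |
    while IFS="$(printf '\t')" read -r uuid kind; do
        name=$(printf '%s\n' "$DSCL_SAMPLE" | uuid_to_user "$uuid")
        printf '%s\t%s\t%s\n' "$name" "$uuid" "$kind"
    done
}

# Exit 0 if the named account can unlock the boot volume at login, 1 otherwise.
can_unlock() {
    unlock_report | awk -F '\t' -v u="$1" '$1 == u { ok = 1 }
                                           END { if (ok) exit 0; exit 1 }'
}
```

Run `unlock_report` for the table, or `can_unlock bob` in a script to gate on the result.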
 

Honza1

macrumors 6502
Nov 30, 2013
437
145
US
I am not aware of a method to add additional users after the fact. The easiest method is to disable encryption, wait for it to finish and then enable again selecting the appropriate users.
DS
This seems incorrect to me. I had no issues adding another user to a system with an FV2-encrypted drive, and the user was able to unlock the drive. Of course, only an admin can add a new user, but I have done that on FV2 systems and the user login worked the same as those of users who were on the system before encryption.
Basically, FV2 is completely transparent for users: if a user is authorized to unlock the drive, they have the same access and privileges as if the drive were unencrypted. In order to see other users' files, a regular user has to elevate their privileges by use of admin credentials. But that is the same on unencrypted disks. All of the drive is in principle accessible to a local user with enough privileges.
 

dsemf

macrumors 6502
Jul 26, 2014
344
73
This seems incorrect to me. I had no issues adding another user to a system with an FV2-encrypted drive, and the user was able to unlock the drive. Of course, only an admin can add a new user, but I have done that on FV2 systems and the user login worked the same as those of users who were on the system before encryption.
Basically, FV2 is completely transparent for users: if a user is authorized to unlock the drive, they have the same access and privileges as if the drive were unencrypted. In order to see other users' files, a regular user has to elevate their privileges by use of admin credentials. But that is the same on unencrypted disks. All of the drive is in principle accessible to a local user with enough privileges.
Thanks for the feedback. You are correct. Maybe it was the HFS+ Core Storage version of FV that had the added user issue.

DS