Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Joseph C

macrumors 65816
Original poster
Feb 5, 2009
1,454
2,754
Tomorrow I have agreed to lend my machine to someone and multiple others may use it in the day. I have set it up with a Standard Account because I noticed that since I have FileVault enabled, the Guest Account is a Safari-only account which runs off the recovery partition.

Now, while I do trust the person I'm lending my machine to, I also want to maximise the security of my files whilst allowing them to use more than just Safari (E.g. Pages if they need to).

How vulnerable is my data to access, if a Standard (non-admin) account is logged in on a FileVault enabled Mac? It's a shame the individual accounts are not individually encrypted, but the whole disk at once (unless I am wrong).

Is there anything I can do (beyond having FileVault and a Firmware password enabled) to increase this security, just as a precaution?

Thanks.
 
Tomorrow I have agreed to lend my machine to someone and multiple others may use it in the day. I have set it up with a Standard Account because I noticed that since I have FileVault enabled, the Guest Account is a Safari-only account which runs off the recovery partition.

Now, while I do trust the person I'm lending my machine to, I also want to maximise the security of my files whilst allowing them to use more than just Safari (E.g. Pages if they need to).

How vulnerable is my data to access, if a Standard (non-admin) account is logged in on a FileVault enabled Mac? It's a shame the individual accounts are not individually encrypted, but the whole disk at once (unless I am wrong).

Is there anything I can do (beyond having FileVault and a Firmware password enabled) to increase this security, just as a precaution?

Thanks.
The combo of File Vault and firmware password should together be pretty good to secure the machine as long as the account for your friend is a standard (non-admin) account or a parental-controlled account (lock out access to disk util, etc).
 
You could partition the disk and install a second instance of macOS, and only allow access to the new instance. You could even grant Admin access that way, let them do as they will - when you get it back, just toast the whole partition & re-expand your own.
 
Nope. You can only rely on firmware restrictions (firmware password) and encryption, otherwise the security is completely dependent upon file permissions and access-control lists. Other user accounts should not be able to access anything in your user directory, aside from the public folder. Standard accounts will have limited access to other directories outside of their own user directory.

I recommend that you change the permissions of any other top-level file and directory in your user directory so that only you have read and write access.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.