How secure is a standard account when FileVault enabled?

Discussion in 'macOS Sierra (10.12)' started by Joseph H, Dec 15, 2016.

  1. Joseph H macrumors 6502

    Joined:
    Apr 15, 2013
    #1
    Tomorrow I have agreed to lend my machine to someone and multiple others may use it in the day. I have set it up with a Standard Account because I noticed that since I have FileVault enabled, the Guest Account is a Safari-only account which runs off the recovery partition.

    Now, while I do trust the person I'm lending my machine to, I also want to maximise the security of my files whilst allowing them to use more than just Safari (E.g. Pages if they need to).

    How vulnerable is my data to access, if a Standard (non-admin) account is logged in on a FileVault enabled Mac? It's a shame the individual accounts are not individually encrypted, but the whole disk at once (unless I am wrong).

    Is there anything I can do (beyond having FileVault and a Firmware password enabled) to increase this security, just as a precaution?

    Thanks.
     
  2. xraydoc macrumors demi-god

    xraydoc

    Joined:
    Oct 9, 2005
    Location:
    192.168.1.1
    #2
    The combo of File Vault and firmware password should together be pretty good to secure the machine as long as the account for your friend is a standard (non-admin) account or a parental-controlled account (lock out access to disk util, etc).
     
  3. FreakinEurekan macrumors 68040

    FreakinEurekan

    Joined:
    Sep 8, 2011
    Location:
    Eureka Springs, Arkansas
    #3
    You could partition the disk and install a second instance of macOS, and only allow access to the new instance. You could even grant Admin access that way, let them do as they will - when you get it back, just toast the whole partition & re-expand your own.
     
  4. Zazoh macrumors 6502a

    Zazoh

    Joined:
    Jan 4, 2009
    Location:
    Mico, Texas
    #4
    You are braver than I.
     
  5. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #5
    Nope. You can only rely on firmware restrictions (firmware password) and encryption, otherwise the security is completely dependent upon file permissions and access-control lists. Other user accounts should not be able to access anything in your user directory, aside from the public folder. Standard accounts will have limited access to other directories outside of their own user directory.

    I recommend that you change the permissions of any other top-level file and directory in your user directory so that only you have read and write access.
     

Share This Page