How secure is a standard account when FileVault is enabled?

Discussion in 'macOS Sierra (10.12)' started by Joseph H, Dec 15, 2016.

  1. Joseph H macrumors 6502

    Apr 15, 2013
    Tomorrow I have agreed to lend my machine to someone and multiple others may use it in the day. I have set it up with a Standard Account because I noticed that since I have FileVault enabled, the Guest Account is a Safari-only account which runs off the recovery partition.

    Now, while I do trust the person I'm lending my machine to, I also want to maximise the security of my files whilst allowing them to use more than just Safari (e.g. Pages if they need to).

    How vulnerable is my data to access, if a Standard (non-admin) account is logged in on a FileVault enabled Mac? It's a shame the individual accounts are not individually encrypted, but the whole disk at once (unless I am wrong).

    Is there anything I can do (beyond having FileVault and a Firmware password enabled) to increase this security, just as a precaution?

  2. xraydoc macrumors demi-god


    Oct 9, 2005
    The combo of FileVault and firmware password should together be pretty good to secure the machine as long as the account for your friend is a standard (non-admin) account or a parental-controlled account (lock out access to disk util, etc).
  3. FreakinEurekan macrumors 68040


    Sep 8, 2011
    Eureka Springs, Arkansas
    You could partition the disk and install a second instance of macOS, and only allow access to the new instance. You could even grant Admin access that way, let them do as they will - when you get it back, just toast the whole partition & re-expand your own.
  4. Zazoh macrumors 6502a


    Jan 4, 2009
    San Antonio, Texas
    You are braver than I.
  5. KALLT macrumors 601

    Sep 23, 2008
    Nope. You can only rely on firmware restrictions (firmware password) and encryption, otherwise the security is completely dependent upon file permissions and access-control lists. Other user accounts should not be able to access anything in your user directory, aside from the public folder. Standard accounts will have limited access to other directories outside of their own user directory.

    I recommend that you change the permissions of any other top-level file and directory in your user directory so that only you have read and write access.
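
The permission change recommended in the last post can be checked and applied from Terminal. The script below is an added example, not part of any post in the thread: it lists the top-level entries of a home directory that grant any access to group or others, and can strip that access. The function names and the choice to skip `Public` (the shared folder the post mentions) are assumptions of the example.

```sh
#!/bin/sh
# Added example: audit and tighten the top-level entries of a home directory.
# Function names are hypothetical; "Public" is left alone on purpose.

# Run find over the top-level entries of $1 that grant any permission to
# group or others, skipping symlinks and Public. Extra arguments are passed
# to find as the action to perform.
exposed() {
    dir=$1; shift
    find "$dir" -mindepth 1 -maxdepth 1 ! -type l ! -name Public \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) "$@"
}

# Print the entries other local accounts could read, write or traverse.
list_exposed() { exposed "$1" -print; }

# Remove group/other access from those entries. Not recursive: without the
# execute bit on a directory, other accounts cannot reach anything inside it.
tighten() { exposed "$1" -exec chmod go-rwx {} +; }

# Constructed sample tree, for trying the functions away from a real home.
make_sample_home() {
    h=$(mktemp -d) || return 1
    mkdir "$h/Documents" "$h/Public" "$h/Projects"
    : > "$h/notes.txt"
    chmod 700 "$h/Documents"
    chmod 755 "$h/Public" "$h/Projects"
    chmod 644 "$h/notes.txt"
    printf '%s\n' "$h"
}

# Usage: sh home_perms.sh audit [DIR]   or   sh home_perms.sh fix [DIR]
case "${1:-}" in
    audit) list_exposed "${2:-$HOME}" ;;
    fix)   tighten "${2:-$HOME}" ;;
esac
```

The script looks only at mode bits; on macOS, `ls -le` on the same entries shows any access-control lists, which the post names as the other half of the protection.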
