Discussion in 'Mac Pro' started by dgarratt, Oct 30, 2018.
Is there a way to force enable FileVault in Mojave with boot screen capable GPU installed?
I haven't made the switch from HS yet, did Apple remove FV from the security control panel?
Maybe for disk encryption we need a T2 based Mac now?
Yes, Apple removed it since a lot of Mac Pros 5,1 don't have Mac EFI GPUs now.
You can still manually encrypt disks, so no T2 needed.
That seems awful stupid of Apple.
How do we manually encrypt a disk?
@W1SS wrote about how he encrypted with Mojave here https://forums.macrumors.com/thread...grade-to-mojave.2142418/page-11#post-26606427
--- Post Merged, Oct 31, 2018 ---
Btw, read the Craig Federighi answer about FV2 and MP5,1 here #1694
--- Post Merged, Oct 31, 2018 ---
Thanks for sharing these links tsialex. It's great to hear there is a workaround!
Do you know if the bug that was preventing clean install with the GTX 680 has been resolved in 10.14.1?
Nope, USB install has the same problem. You still have to install from macOS.
I don't know if W1SS ever re-tested this, but my experience was that the method he posted did not work via a createusbinstall USB drive. The installer popped up an error when trying to install to an encrypted drive. My experience was that you must use the dosdude1 Mojave patcher to make your USB. That will bypass both the GTX 680 bug and the built-in prohibition on installing Mojave to an encrypted disk in the cMP. If you search this forum for FileVault it should pick up a thread from another user who tested this exact scenario a few weeks ago.
Also, there are some differences in usability with that method compared to "true" FileVault as we know it. Because you are encrypting the disk before install you end up creating a "Disk Password", and that's what you must enter before each boot, then after macOS boots you'll have to enter the password for your user account. In comparison, when FileVault is set up the normal way, each user can unlock the disk with his or her user password (and then there is only that one password entry screen). In addition, when set up the normal way, the recovery key gets stored in iCloud (or can be if you choose that option). Those options don't appear to be available when you encrypt the disk before install.
One other workaround (though untested, it should work) if you have another Mac and a USB enclosure would be to connect your Mojave disk to another Mac and boot from it. Then enable FileVault the normal way (which should be allowed because only cMPs are prohibited from enabling it), let it finish encrypting. Then transfer it back to your cMP. That method should result in "normal" FileVault where you can use your user accounts to unlock the disk.
If you or anyone else ends up testing that process please post back and let us know how it went.
Nice writeup. I just want to add one thing people may not think of, or be aware of.
IF YOU SAVE YOUR FILEVAULT PASSWORD TO iCloud AND THE GOVERNMENT ASKS APPLE FOR IT, APPLE WILL HAND IT OVER TO THEM.
Maybe a small thing, and if the government has physical access to your FV drive, i.e. they come to your house and seize your computer, they will get into your data if they want to spend the time and money on it.
I just prefer not to make it easy for them, and to have Apple tell them I didn't save it to iCloud, so they can't be compelled to turn over what they don't have.
I just wish my FV password was not the same as my user password. I'd rather not type a long string every time I need to use sudo.
Then you would be a perfect candidate for the method that encrypts the disk prior to OS install. That does indeed get you a different FV password than your user password and you can be reasonably assured that the recovery key is not in iCloud.
Thanks, I'll look into it when I move to Mojave.
Thanks for the detailed explanation bookemdano.
I have done clean installs before on an encrypted disk and because I'm the only one who uses the Mac Pro this method is fine for me.
I think I'll follow your suggestion to use dosdude's patch to do a clean install given I'm affected by the GTX 680 bug anyway.
Will let you know how I get on.
Both USB creation methods work fine with my GTX 780, which was what my FV enabling method was based on, but not the 680 for some reason and I am guessing it is due to the reported bug.
If I was in your shoes, people, I would just use VeraCrypt.