
multiplemacs

macrumors newbie
Original poster
Oct 18, 2019
I love Mac hardware but I'm hating its software more and more.

I did a fresh install on a 2012 MBP the other day and decided to give FileVault a go since I'm becoming more security conscious in light of big tech's controversial practices. I was asked to create a password and I figured "I'd better make this a good one", so I did. I have yet to be asked for it...

Is this a firmware password or what? I boot the laptop, it goes straight to the login screen and asks for my much less secure user password. Some "Vault", it doesn't even ask for a password...
 
You misunderstood FileVault.
On the main system drive: when you create FileVault, you can create a password (or have one created for you, or allow your Apple ID to unlock the vault). This is a kind of main key. But every user will get his own key - his/her own password - which can also unlock the FileVault.
This is needed for convenience and sanity - asking users for two passwords sequentially makes no sense. What would the user password be for in this case, when the user would not be able to access the system drive and start???
In other words, if you want your system to be secure, use a secure user password.
If you create a new user, you should be asked for the FileVault password or the password of another user who can unlock the vault. This is needed so the system can enable this user to unlock the drive.

Explanation of how this works: When you create FV on the system drive, OSX/macOS creates a small bootable unencrypted system partition and encrypts the main partition. When the system starts, it boots from the unencrypted partition to provide the user with a GUI asking for a password. If you provide a usable password, the main system disk is decrypted and you are booted from it. Hence you need just one password.

Now, if this FileVault is on a non-system drive, this is different. In that case you will be asked for the password the first time you use the vault, and you will also be asked if you want to save the password in your Keychain. If you save it there, the disk is automatically unlocked when you connect it, as your keychain has the password. You would have to remove the password for the vault from there (Keychain Access.app) and refuse to store it there the next time the system asks.

This is all well documented in Apple's website documentation. It is relatively easy to find with Google or a search on Apple's website, in more detail and maybe even more correctly.
 
Reactions: adrianlondon
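An added example, not part of the thread and not Apple's implementation: a simplified Python model of the idea in the post above, where one volume key is stored only as per-user wrapped copies, so any enabled user's password unlocks the disk and enabling a new user needs an existing unlocker. The names `EncryptedVolume`, `wrap` and `unwrap`, the XOR-plus-HMAC wrap (a stand-in for a real key-wrap algorithm), the iteration count and the sample users are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

ITERATIONS = 50_000  # assumed work factor, chosen for this model only

def _derive(password, salt):
    # 64 bytes: the first 32 mask the volume key, the last 32 key the MAC
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)

def wrap(volume_key, password):
    # Stand-in for a real key-wrap algorithm: XOR mask plus HMAC tag
    salt = secrets.token_bytes(16)
    k = _derive(password, salt)
    blob = bytes(a ^ b for a, b in zip(volume_key, k[:32]))
    return salt, blob, hmac.new(k[32:], blob, hashlib.sha256).digest()

def unwrap(slot, password):
    salt, blob, tag = slot
    k = _derive(password, salt)
    if not hmac.compare_digest(tag, hmac.new(k[32:], blob, hashlib.sha256).digest()):
        return None  # wrong password: this slot does not open
    return bytes(a ^ b for a, b in zip(blob, k[:32]))

class EncryptedVolume:
    """Only wrapped copies of the volume key are stored, one slot per enabled user."""
    def __init__(self, first_user, password):
        self.slots = {first_user: wrap(secrets.token_bytes(32), password)}

    def unlock(self, user, password):
        slot = self.slots.get(user)
        return unwrap(slot, password) if slot else None

    def enable_user(self, new_user, new_password, authorizer, authorizer_password):
        # Adding a slot needs the volume key, so an existing unlocker must authenticate
        key = self.unlock(authorizer, authorizer_password)
        if key is None:
            return False
        self.slots[new_user] = wrap(key, new_password)
        return True

    def remove_user(self, user):
        # Without a slot the account can no longer unlock the volume
        self.slots.pop(user, None)

if __name__ == "__main__":
    vol = EncryptedVolume("alice", "correct horse battery staple")  # constructed users
    vol.enable_user("bob", "hunter2", "alice", "correct horse battery staple")
    same = vol.unlock("bob", "hunter2") == vol.unlock("alice", "correct horse battery staple")
    print("both users recover the same volume key:", same)
```

In this model every slot opens the same key, so the weakest enabled password sets the strength of the whole volume.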
What would the user password be for in this case

Multiple users. Each with their own user password.

What I want is a password immediately on startup. If the user knows that, then they move on to the user login/password.
 
Multiple users. Each with their own user password.

What I want is a password immediately on startup. If the user knows that, then they move on to the user login/password.
Hm, but that is more like a password to unlock the whole machine. Can you just set that up in EFI on that old machine? I used to have it set up on one of my old Macs; it is now not available and redundant with current 2017-2019 security technology (see here for an explanation of how firmware password and FV protect the systems: https://www.macrumors.com/how-to/set-a-firmware-password-on-your-mac/).

For disk encryption this is not needed. If the user knows his/her password, they can decrypt the main drive and log in. No one can read the encrypted disk without their valid password. No need for two passwords. Same security.

I do not believe FV can do what you are asking for. The commands in #4 allow you to remove user access to FV from the command line, which makes the account on that computer useless, since that user cannot run anything or even log in.

You may need to look for a different solution, not from Apple. I am not sure it exists, as FV seems to work quite well for most cases.
 