Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Odd behavior - logging into Encrypted disk-MacBook Pro

donawalt

donawalt

Contributor
Original poster
Sep 10, 2015
1,345
672
I am wondering why this behavior is different:

1. MacBook Pro 2018 #1 - encrypted disk, single disk laptop - On restart/power on, I enter one password to gain access to the disk, then I log in using another password. The passwords happen to be the same. It's on MacOS 10.14.1 (18B75).

2. MacBook Pro 2018 #2 - encrypted disk, single disk laptop - identical configuration to #1 except for a different discrete graphics card - On restart/power on, I enter one password on boot, and I am logged in. It's on MacOS 10.14.1 (18B3094). I set this MacBook Pro up from a Thunderwire transfer from MacBook Pro #1.

The Apple SSD/Revision and size are identical.

In Disk Utility, both disks in MacBook Pro #1 and #2 show as "APS Volume - APS (Encrypted)"

Is this just a tweak in the encrypted log on between the two minor variants of MacOS, or is there some other reason it works differently? I need to be sure the disk in both is fully encrypted.

Thanks!
 
donawalt said:
I am wondering why this behavior is different:

1. MacBook Pro 2018 #1 - encrypted disk, single disk laptop - On restart/power on, I enter one password to gain access to the disk, then I log in using another password. The passwords happen to be the same. It's on MacOS 10.14.1 (18B75).

2. MacBook Pro 2018 #2 - encrypted disk, single disk laptop - identical configuration to #1 except for a different discrete graphics card - On restart/power on, I enter one password on boot, and I am logged in. It's on MacOS 10.14.1 (18B3094). I set this MacBook Pro up from a Thunderwire transfer from MacBook Pro #1.

The Apple SSD/Revision and size are identical.

In Disk Utility, both disks in MacBook Pro #1 and #2 show as "APS Volume - APS (Encrypted)"

Is this just a tweak in the encrypted log on between the two minor variants of MacOS, or is there some other reason it works differently? I need to be sure the disk in both is fully encrypted.

Thanks!
Click to expand...
Maybe #1 has firmware password enabled?
 
#2 is the normal and intended behaviour, you should only log in once. #1 is the odd one.

When you encrypt a volume using FileVault it registers a recovery unlock password and then registers account passwords to unlock it. Perhaps somehow your account password has become unregistered as one that unlocks the FileVault. I know you say it's the same password but if it had been used on another account or registered separately from that particular account then macOS wouldn't understand that it is your account unlocking the FileVault and so wouldn't subsequently log you in automatically.

If you run...

sudo fdesetup list

...in Terminal then it will show the registered accounts that should be able to unlock the drive.
 
  • Like
Reactions: LuisN and donawalt
Ah ha! @maverick808 you nailed it. Learn something new every day, that's why I ask my questions I learn so much! Thank you.

#2 has the account I use as registered, #1 had NO accounts! So it must have been de-registered, or somehow never registered when I set that laptop up (I do recall having some issues getting migration working and I played around with the disk a lot).

So out of curiosity, and with your hint I did a little reading...if I want to register my account on #1 so it works the same.. I tried this, assuming the admin account on that machine is 'Fred':

sudo fdesetup add -usertoadd Fred

it asks for password to Fred as admin for the computer, then it asks for password to Fred as user to add. But then it says unable to add one or more users to FileVault (-69594). There are currently no users registered on that laptop, is there a way I can add my username to the list so it works like #2?

Thanks!
 
  • Like
Reactions: LuisN
Well that's cool that it lead you down the right path. I'm surprised adding the user didn't work though, that was exactly what I was going to suggest next. Are you sure the username is valid? If you open Terminal and type 'whoami' then does it match what you are expecting? Remember the username might be different from the display name you see at the login screen.

An alternative and relatively easy thing to try would be to simply turn off FileVault, let it decrypt, then turn it back on. I assume that would simply reset everything related to FileVault and hopefully when you turn it back on it will generate the correct links to the accounts.
 
  • Like
Reactions: LuisN
@maverick808 yes, whoami is the same user name, and I just tried it again typing carefully to ensure it's all correct. That's too bad it does not work. I may just leave it as is, as I think decrypting and re-encrypting FileVault will take a day or maybe more each way, as I remember. I know I can still use the laptop it just lengthens the process. Is there any file/folder plist that can be deleted that it will rebuild the user list or anything? Just a long shot :)
 
@maverick808 (and others), I decided to investigate this a little more mostly out of intellectual curiosity. What I have found:

1. If I do sudo fdesetup status it says FileVault is on.
2. Then if I do sudo fdesetup disable, it says it was not disabled -69594.
3. If I go to Security and Privacy in Preferences and click the "Turn File Vault Off", it does nothing - I can click it as many times as I want and nothing happens (I did unlock that screen).
4. If I run the fed setup command to see what users are registered there are none (see above - when I discovered it failed adding my user account)
5. If I boot into recovery and try to run Terminal, it says "There is no administrator on this machine".
6. If I boot into recovery and try to run the Startup Security Utility, it also says there is no administrator on this machine.
7. I boot up normal, go into users and groups, and my account does show as "Admin". There were never another users or admin accounts on this laptop.
8. I have no problem entering a password to encrypt the disk on the pre-login screen (this was the laptop that has two logins on a restart).

It does appear I could just erase the disk and restore it from scratch, I don't want to test that though but at least the Erase button is not disabled from Recovery/Disk Utility.

Isn't this odd?
 
Last edited:
That is all... very odd indeed. It could have been an incomplete and failed FileVault encryption in the first place. I've never seen that happen but I imagine it might appear with symptoms such as you describe.

I wonder what the actual disk partitions on the machine are like. If you do 'diskutil list' it should show the drives and partitions. Since you are on Mojave you should be on APFS so you can do 'diskutil apfs list' and it sill show more detail, including the encryption state and percent complete if it is still in the process of encryption (or decrypting). That might show something interesting.

On the off chance you aren't on APFS (e.g., if you still have a spinning disk) then FileVault would have made a core storage container so 'diskutil corestorage list' will show the info in that case.

Yes, unless you couldn't get in to the machine at all due to a firmware password, which isn't the case here, then you can definitely wipe the drive if you did ever need to.
 
@maverick808 thanks for the reply. I read somewhere that MacOS has some issues if you encrypt an earned hard disk FIRST, then install your OS/system on it, vs. installing/setting up a laptop then encrypting it. I am almost positive this is what I did back in the day. I am on APFS. I ran the diskutil; apfs list, under the container and physical store, there were 4 volumes - A volume the size of the used data on the disk with fiulevault = yes (unlocked); a reboot with filevault=no, a recovery with filevault=no, and a VM (I run Parallels now, back in the day I ran Bootcamp before I converted to Parallels, not sure if this is old or part of the Parallels setup). The last volume, the VM, says filevault=no (Encrypted at rest), whatever that means.

oh - one other thing I found - I did a sudo fdesetup list -extended, and it shows 1 user, but with a UUID and the name "unknown user". I thought that was odd.

I have a good backup, I may zap the disk and install fresh from backup, unless there is anything else interesting to check.
 
It's interesting, but I don't know what's really going on with that drive then. Given that you, me and no-one else seems to be certain I think doing a fresh install might be the way to go. I'd rather have my data on a disk that I know how it's working than having any valuable data in a structure where I'm asking "how on earth is this thing working?" :)

As long as you are confident in your backups then unless someone else chimes in with a solution I think yeah a reinstall sounds like the right move here.
 
  • Like
Reactions: donawalt
donawalt said:
I read somewhere that MacOS has some issues if you encrypt an earned hard disk FIRST, then install your OS/system on it, vs. installing/setting up a laptop then encrypting it.
Click to expand...
If that is what you did, that is certainly the problem. When you turn on FV from System Prefs it changes the way the system boots and sets it up so the login ID can also be used to unlock the drive.

By formatting to encrypted first then installing the OS, you bypassed that setup process and it causes the issue you are seeing.
 
Last edited:
  • Like
Reactions: CoastalOR and donawalt
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back