Is FileVault's full disk encryption secure?

macOS FileVault 2's full disk encryption doesn't seem to work

I got a used MacBook Air 11 (2014) and the first thing I did was delete the entire drive and add new partitions.

I have that with File Vault 2 should

After reinstalling the operating system (Mavericks), I updated to macOS Sierra 10.12.3 and added a second user account that is not an administrator.

Now the confusing part:

  • When I cold start my MacBook, it goes straight to the login screen without asking for the password for the hard drive (how would that happen if the hard drive was to be fully encrypted? I'm not talking about hibernation, I shut down my MacBook properly).

  • The login screen shows that and the option ". Both work as expected, but my administrator account does not appear

  • a) After entering the hard disk password, the

  • b) If I choose NOT to enter the hard disk password, I can still log in to the. Then when I log out, mine mysteriously appears and I can log in without ever using my hard drive password.

I have the command and it shows that my logical volume is properly in an AES-XTS encrypted logical volume family

The question now is whether this really works. According to an official (possibly outdated) Apple website, it should ask for the hard drive password before the login screen at startup.


Output from:

Klanomath

Please add the output of! FV2 is a full volume, however no full disk encryption (like VeraCrypt for Windows).

n1000

Maybe this is just a confusion. Any account can unlock an FV2 volume. You can change this in the system settings. Sierra displays a pre-boot screen that looks very similar to the login screen (e.g. a wallpaper). Could it be that it is actually the pre-boot login?

Su-Au Hwang

@klanomath edited in

Su-Au Hwang

@n1000 I added a picture of this login / unlock screen. is my non-administrator account. Another account is missing that shows up after I unlock the hard drive. But even if that were the unlock screen, it doesn't really explain why my other account (admin) shows up after I log into the account and then log out. At no point do I need to enter my hard drive password to gain full access.

n1000

FV2 grants your account permission to unlock the partition. Hence your account password = FV2 password. FV2 can use multiple passwords. Under>> you manage which account should be unlocked.

n1000

It looks like this is a misunderstanding. In later versions of macOS, it is difficult to distinguish the unlock screen at startup (where the partition is unlocked and the user is automatically logged in after the boot process) from the login screen (where the system partition is already unlocked and the user only has to log in to the system).

In addition, FileVault 2 allows multiple passwords to unlock the partition and grants this permission to individual accounts. You can manage which accounts can unlock the system hard drive under>>. This means that your account password will also become the partition unlock password. In either case, you can use the recovery password provided when encrypting the hard drive to unlock the partition.

This answer provides a method of using an unlock key that is different from your account password.
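
The per-account unlock rights described in the answer above can be audited from the command line. The following is an added example, not part of the original thread: it assumes `fdesetup list` prints one `shortname,UUID` line per FileVault-enabled user, and the account names and UUIDs in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit which accounts may unlock a FileVault 2 volume.
# On a Mac the input would come from `sudo fdesetup list`, which prints one
# "shortname,UUID" line per unlock-enabled user (assumed format).

# Constructed sample output; the names and UUIDs are made up.
SAMPLE_LIST='adminuser,11111111-2222-3333-4444-555555555555
stduser,66666666-7777-8888-9999-000000000000'

# Print the short names of unlock-enabled users read from stdin.
fv_unlock_users() {
    while IFS=, read -r name uuid; do
        # Skip blank or malformed lines (missing name or UUID field).
        if [ -z "$name" ] || [ -z "$uuid" ]; then
            continue
        fi
        printf '%s\n' "$name"
    done
}

# Print unlock-enabled users that are NOT in the allow list ("$@").
fv_unexpected_unlockers() {
    fv_unlock_users | while IFS= read -r name; do
        allowed=no
        for ok in "$@"; do
            if [ "$name" = "$ok" ]; then
                allowed=yes
            fi
        done
        if [ "$allowed" = no ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Demo on the constructed sample: only "adminuser" is meant to unlock the disk,
# so the standard account is reported as an unexpected unlocker.
printf '%s\n' "$SAMPLE_LIST" | fv_unexpected_unlockers adminuser
```

On a real system, replace the sample with `sudo fdesetup list | fv_unexpected_unlockers <allowed names>`; an account reported here can have its unlock right withdrawn with `sudo fdesetup remove -user <shortname>`.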