Tokyo

Q: FileVault2. Is the encryption done on a per user basis.

FileVault2. Is the encryption done on a per-user basis, or is the whole drive encrypted?

What is the best way to use FileVault2 on a new Mac if there are several user accounts?

 

Regards

Posted on May 18, 2016 6:15 AM


  • by JimmyCMPIT, Level 5 (7,102 points)
    May 18, 2016 6:19 AM in response to Tokyo

    The whole drive, but not any other drives on the system AFAIK.

  • by egyptiankarim, Level 1 (26 points)
    May 18, 2016 6:26 AM in response to Tokyo

    FileVault encryption is for the whole disk, not per user. By default, the user that initiates the encryption process is the only user that can unlock the drive.

    You can authorize multiple users to unlock the drive via System Preferences >> Security & Privacy >> FileVault >> Enable Users...

    Users will have to type in their account passwords, which must meet certain strength criteria, at the time they are being enabled. A green checkmark will appear next to their account names once the process is complete.

    Relevant support link: Use FileVault to encrypt the startup disk on your Mac - Apple Support

  • by seraphilia, Level 1 (22 points), Solved answer
    May 23, 2016 5:28 PM in response to Tokyo

    Each partition is encrypted with a single key and is fully encrypted. If you only want the administrator to be able to affect system-wide preferences, on the FileVault system preference there is an option to set that up under "Advanced" (you have to click the lock icon to access advanced).

    Whether or not a user can unlock the hard drive (i.e. the primary account doesn't have to do it) I believe is also controlled via the FileVault system preference pane if I remember correctly.

  • by Tokyo, Level 1 (81 points)
    May 18, 2016 6:51 AM in response to Tokyo

    Thanks for all the helpful answers.

    If I use the Admin account to encrypt the drive using FileVault2, then create a new User account, is the encryption transparent to the new User? That is, they just log in to their account. In other words, they do not need to know anything about their files being encrypted?

    Regards

  • by seraphilia, Level 1 (22 points)
    May 22, 2016 9:12 PM in response to Tokyo

    The only thing the user will notice is the boot changes. With an unencrypted drive, the OS loads before login. With FileVault2 enabled, the login screen comes up, then the drive is unlocked and the boot continues.

    Provided you have allowed the created user to unlock the drive, of course. Otherwise, you will have to log in first to unlock the drive and then log out and let the other user log in.

    Outside of this, there is no difference between running encrypted and running unencrypted aside from the inherent security added by encrypting the volume. Please note there is a performance cost to this; on a newer Mac with SSDs and modern CPUs (that have a dedicated AES instruction set) this is not even worth talking about. On older hardware, there will be a performance cost during disk reads and writes (which you may or may not notice, depending on your workload).

  • by Tokyo, Level 1 (81 points)
    May 18, 2016 8:14 AM in response to Tokyo

    Thanks for everyone's help.

    I believe I have the answer to my question. Is the following correct?

    I have a Mac with one Admin account and one Standard account.

    I log in to the Admin account.

    I use FileVault2 to encrypt the drive.

    I click on Enable User to enable the Standard account to use the Mac. (They do not see any change after logging in.)

    I log into the Admin account and create a new Standard user account.

    Logging into the new Standard account does not allow access.

    Log into the Admin account, click on the Enable user for the new Standard account.

    Now the new Standard user account can log in and use without knowing the drive is encrypted.

    Thanks for your thoughts on speed. I plan to buy a new MacBook Pro when the Skylake processor is released. So speed of decryption should not be a problem.

    Regards
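
Added example, not part of the thread above: the replies explain that an account has to be enabled in FileVault before it can unlock the disk, so after creating accounts it is worth checking which ones are still not enabled. The function name `fv_not_enabled` is hypothetical, the sample data is constructed, and the script assumes `fdesetup list` prints `shortname,UUID` lines and `dscl . -list /Users UniqueID` prints `shortname uid` lines.

```shell
#!/bin/sh
# Added example: report local accounts that cannot unlock a FileVault disk.
# Assumed input formats:
#   fdesetup list                 -> "shortname,GeneratedUID" per line
#   dscl . -list /Users UniqueID  -> "shortname   uid" per line
# Assumption: accounts with UID below 501 are system accounts and are skipped.

fv_not_enabled() {
    enabled=$1   # output of: fdesetup list (needs root)
    users=$2     # output of: dscl . -list /Users UniqueID
    printf '%s\n' "$users" | while read -r name uid; do
        # Skip blank or malformed rows and negative UIDs such as "nobody -2".
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge 501 ] || continue
        # Exact match on the short name (first comma-separated field).
        if ! printf '%s\n' "$enabled" | cut -d, -f1 | grep -Fqx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data: admin and alice are enabled, bob is not.
SAMPLE_ENABLED='admin,11111111-2222-3333-4444-555555555555
alice,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_USERS='_www 70
daemon 1
nobody -2
root 0
admin 501
alice 502
bob 503'

if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On a Mac, as root, with FileVault turned on: use the live data.
    fv_not_enabled "$(fdesetup list)" "$(dscl . -list /Users UniqueID)"
else
    # Anywhere else: run against the constructed sample.
    fv_not_enabled "$SAMPLE_ENABLED" "$SAMPLE_USERS"
fi
```

Any account it prints still needs to be enabled from the FileVault pane as described in the replies before it can unlock the disk at startup.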