Can a Mac admin see another user’s file with FileVault 2 enabled?
With FileVault 2 enabled, Mac files should be encrypted on the solid state drive. However, can an admin still access these files without logging in as the user?
An admin user can access any other macOS user account, although I don't know whether more recent versions of macOS have limited this, but I don't think so. Here are two examples:
FileVault 2 has no bearing on any of this since the entire volume is encrypted for all user accounts, and once unlocked any user can log into and use the Mac. FileVault is only meant to protect data at rest, such as when the laptop is powered off, so if the laptop is lost or stolen, someone cannot easily access any data on the encrypted volume.
If you are worried about other user accounts on this Mac accessing the files in your main macOS admin user account, then make sure to only make those other users a "Standard" user account which won't have the ability to access anything outside of their own home user folder.
curtx wrote:
With FileVault 2 enabled, Mac files should be encrypted on the solid state drive. However, can an admin still access these files without logging in as the user?
If you have set up / enabled file sharing between accounts ...
Set up file sharing on Mac - Apple Support
If you found a Mac with an encrypted drive on the sidewalk, and read its files, they would be gibberish.
When you have logged in in such a way that provides the encryption password, files remain encrypted on the drive, but when that authorized version of macOS reads those files, they are decrypted on-the-fly for use, and encrypted when written back to the drive.
Encrypted drive changes NOTHING about the way user Accounts work. The default setting is that an Admin User can read almost anything and write most stuff, with some system files being special cases.
"Ordinary" users can read and write their own files, but NOT the files of other Users.
--------
An old System Admin 'rule of thumb' -- "Only give privileges to individual Users who are capable of fixing any mess they might make."
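One way to check, for a given home folder, what the account separation described in the replies above actually leaves readable to other accounts. This is an added example, not part of the thread; the helper names and the sample folder layout are constructed for illustration. It evaluates POSIX mode bits only and assumes no ACLs; root (sudo) access is outside what it measures.

```python
import os
import stat
import tempfile

# Access class -> (read bit, search/execute bit).
BITS = {"group": (stat.S_IRGRP, stat.S_IXGRP), "other": (stat.S_IROTH, stat.S_IXOTH)}

def exposed_entries(home, who="other"):
    """Paths under `home` the `who` class can list or read via mode bits alone.
    ACLs and root (sudo) are not evaluated; both can change the real outcome."""
    read, search = BITS[who]
    exposed = []
    if not os.lstat(home).st_mode & search:
        return exposed  # home cannot be traversed, so nothing below is reachable
    for dirpath, dirnames, filenames in os.walk(home):
        reachable = []
        for name in sorted(dirnames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and mode & search:
                reachable.append(name)
                if mode & read:
                    exposed.append((os.path.relpath(path, home) + "/", "listable"))
        dirnames[:] = reachable  # prune subtrees that cannot be traversed
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & read:
                exposed.append((os.path.relpath(path, home), "readable"))
    return exposed

def build_sample_home(root):
    """Constructed sample layout (hypothetical, not taken from the thread)."""
    layout = {"Documents/taxes.txt": 0o644, "Public/readme.txt": 0o644,
              "notes.txt": 0o644, "secrets.txt": 0o600}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for rel, mode in {"Documents": 0o700, "Public": 0o755, "": 0o755}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, why in exposed_entries(build_sample_home(tmp)):
            print(f"{why:9} {path}")
```

In the sample layout, `Documents/taxes.txt` has mode 644 but is not reported, because its parent folder is 700 and cannot be traversed by anyone except the owner.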
Thank you for the help.