Change Filevault 2 Login Screen Options - Encrypted Disk

Scooper,

Please let us know if you find anything.

I was even thinking about running some type of script that runs in the backgroud if you reboot. It woudl run the auth restart and would return to the log in screen instead of pre boot.

This would not help for a power on from off of course.

Also I am trying to figure out if at the pre boot they set up any kind of a lockout feature. For example how many times can you type in a wrong password?

Hi all,

in this thread, there appears to be a common misunderstanding.

sjva wrote:

This IS a bug. If the user sets Display Login Window as: NAME AND PASSWORD and NOT LIST OF USERS, that preference should be used whether file vault is turned on or off.

as an example, this quote refers to the Login Window, and the settings in the System Preferences regarding the Login Window. The Login Window has a distinct meaning - it is the window that appears when one is logging into an OS X system without FileVault encryption. This is the login window to which we've all been accustomed for many iterations of the OS.

As Peter describes, when using FIleVault2, the user is at an EFI boot authentication screen. This is most definitely not the Login Window, and therefore not controlled by settings entered in the System Preferences regarding the Login Window.

Using terminology confusing these two independent authorization methods confuses this issue. There are some similar aspects of these two authorization methods, however, we should all recognize that they are different and independent methods.

I too agree with the thrust of most of the comments which appear in this thread. Simply stated, I want a similar level of configuration control for the EFI boot authentication screen as we have for the Login Window. In fact, this is a policy requirement at my institution...

So, I'll keep tuned to the progress made in this and similar minded threads.

cheers,

Roy

Sorry Roy but I desagree with your comments. I have the same problem and it is a serious one. The fact that encrypting my HD now shows the list of users of my MBP which includes my name and picture and worst yet, the name and picture of my daughters (which use this MBP) is an unacceptable security breach. Now this info is available to EVERYBODY that just turns on the MBP, so whoever steals my computer now has a picture of my daughters an their names (This is more than serious if you loose your computer in a kidnapping prone country).

If this bug (a nice word for this big issue) is related to EFI vs normal login screen is irrelevant. Whoever at apple implemented this did a very lousy job on QC. If the EFI boot authentication can get the list of users, surely can get the login preferences. I really don't mind how apple should solve this (all through EFI or all through OSX) but FV2 is a bad thing until this is solved.

My understanding is that until you shutdown or restart, the disk image is decrypted while you work. So loggin in and then out to get to the normal login screen leaves you with no accounts visible but no encrypted disk ...

thanks to all for your help on this and look forward to any news

CC

PS: In my Mac Pro I can't even encrypt now as I have a stripped RAID set ... I was lot better with previous FV

I had similar problem (http://superuser.com/a/693492/284781) and for me it was crucial to delete some EFI login cached files like described here https://derflounder.wordpress.com/2013/06/19/enabling-filevault-2-pre-boot-login -screen-functions-from-the-command-line/

i.e.

rm

/System/Library/Caches/com

.apple.corestorage

/EFILoginLocalizations/

*.efires

in addition to running the defaults commands, you also need to remove certain cache filenames ending in .efires from /System/Library/Caches/com.apple.corestorage/EFILoginLocalizations. Clearing the filename.efires cache files forces the system to update the FileVault 2 pre-boot login screen.

defaults read /Library/Preferences/com.apple.loginwindow

So under OS X.9.2 (Mavericks), the feature "Name and password" is still missing...

=> The only way seems to go "https://bugreport.apple.com" and to write: "Dear Apple, I want to have to enter my 'Name and password' even when FileVault is turn On !!"

**.

While I believe revealing privileged entry points is a severe security risk, the risk you point out is just as severe. It advertises Personally Identifiable Information on the screen simply by having the machine turned on. Something else I've noticed is that you can change the pictures in System Preferences under Users but it will not change the EFI login copy of the pictures without decrypting and re-encrypting the startup drive.

And as far as advertising an entry point, that would be like displaying your bank account number and asking for a password to use it. The username, just like the bank account number in this example reveals too much information to someone who shouldn't have the information in the first place. A hacker no longer has to guess what a username AND password are. They only have to guess the password to a known username.

Aloha,

old thread, but maybe it still can help.

If you want the described behaviour disable your local user for Filevault authorisation:

In Terminal:

sudo fdesetup remove -user username

Now you have at boot time to enter the disk password first and then the macOS login.

HTH

Cheers

Marcel

you can set a master recovery key by following this article:

http://support.apple.com/kb/ht5077

@Wiss - I think your solution is excellent while Apple sort these issues out. One question though, how do you obtain the recovery key when encrypting via this method?

Macbook Air, MAC OS X (10.7.3)

Any update on this. 10.8.2 still does not have "list name and password"

Maybe some one has a way to make it work. Apples own documentation says that this is they way it should be!

I'm having this issue too; thought it would be sorted out by now (10.8.2).

Has anyone contacted an official Apple support channel (Genius Bar, Phone tech support, etc.)?

up