2 Replies Latest reply: Feb 9, 2012 8:20 PM by Sammy Stefanki
Sammy Stefanki Level 1 (75 points)

Hi everyone,


New Lion user here with a quick question regarding how FileVault is different from Snow Leopard. Yesterday I made the switch from Legacy FileVault to Lion's new FileVault on my MacBook's primary user account. After I decrypted my primary user account, I re-encrypted it using Lion's FileVault and set a new recovery key and everything. I then decrypted a secondary user account I have on my MacBook and went to bed, thinking that the account would decrypt overnight and I could re-encrypt and set a recovery key for it when I woke up this morning.


The issue I have stems from the fact that when I woke up this morning, the secondary user account appears to already be encrypted using Lion's new FileVault. I don't see how that is possible (considering I never set a new recovery key for this secondary user account, as I was asleep when it completed "turning off" Legacy FileVault), unless the recovery key I set for the primary user account earlier in the day now applies to every single user account on the computer.


Does anyone here who is familiar with FileVault know if that is indeed the way the new FileVault works, i.e. that it only has you create one recovery key for your entire hard drive instead of different recovery keys for each user account? I just want to make sure that I haven't created a situation where I only have the recovery key for one of my user accounts, but not for the other.


Thanks a lot!

Mac OS X (10.7.3)
  • Tony T1 Level 6 (8,955 points)

    If you haven't already, take a look at: http://support.apple.com/kb/HT4790

  • Sammy Stefanki Level 1 (75 points)

    This is a very helpful link, Tony; thank you. I understand FileVault 2 much better now.


    However, I still have one last question that (hopefully) you or someone else can answer. Is there only one recovery key per machine (i.e. will the recovery key that I created using my primary user account also work to decrypt the secondary user account on my machine if I ever--heaven forbid--forget my FileVault password)? Or does each user account on each machine have a different FileVault recovery key?


    The reason I inquire is that I was only asked to create a recovery key when I activated FileVault 2 from my primary user account. I was not asked to create a recovery key when I activated FileVault 2 on my secondary user account, and I want to be sure that I didn't miss something somewhere. The last thing I want to have happen is to need a recovery key for my secondary user account, have it be different from the recovery key I created through my primary user account, and be unable to get back into my secondary user account as a result.


    Thanks so much for your help!