j_lundqvist

Q: Deleting accounts does not remove FileVault decryption

Using Mountain Lion I have FileVault whole-disk encryption enabled on my Mac’s system drive. Today I removed a few accounts from my machine as I no longer had need for them.


After deleting the accounts, they have been removed from the System Preferences -> Users and Groups preference pane, but when I reboot the EFI decrypt screen still includes the deleted accounts. Entering their passwords decrypts FileVault and system startup commences.


This is, of course, not what I wanted. I would like all traces of the accounts I removed to be deleted – and I particularly do not want them to be able to decrypt FileVault, essentially rendering it useless. This is so contrary to user intention it must be considered a bug?


As a workaround, had I not already removed the accounts, I guess I could have changed their passwords to something really complicated, but I can’t even do that.


Any ideas? Pretty please?

MacBook Pro (15-inch 2.4/2.2 GHz), OS X Mountain Lion

Posted on Aug 20, 2012 11:53 AM


  • by mende1,

    mende1 Aug 20, 2012 11:56 AM in response to j_lundqvist

    http://support.apple.com/kb/HT5017?viewlocale=en_US

    After doing that, delete the users:

    1. http://support.apple.com/kb/ht1528

    2. Open the Apple menu > Log Out, log in as root, open Finder and delete the user folders you have deleted

  • by j_lundqvist,

    j_lundqvist Aug 20, 2012 12:10 PM in response to mende1

    Thanks, but that didn't help me much as the user accounts have already been deleted in the OS. The only place they remain is on the EFI startup screen. I can't follow your suggestions as the users and their home directories have already been deleted.

    (Also, even if I could "hide" them, that would be less ideal as I want the passwords to be rejected, on key-level, by FileVault.)

  • by cailian13,

    cailian13 Aug 21, 2012 7:55 PM in response to j_lundqvist

    Try going to System Preferences > Security & Privacy, then FileVault. From there, you should be able to remove the unwanted accounts from the list. This will remove them from the EFI decrypt screen for you. Post up and let us know if this helps....

  • by j_lundqvist,

    j_lundqvist Aug 22, 2012 2:18 AM in response to cailian13

    Thanks for replying, Cailian! I dug around in that preference pane too as I found some screenshots in some forums where there was a button for authorized users in there. (Not sure if the screenshots I found were from Mountain Lion, though?)

    However, in my System Preferences -> Security & Privacy -> FileVault, that button is missing. I've attached a screenshot so you can see what I see.

    [Screenshot attachment: WdSdf.png]

    Thanks again!

  • by cailian13,

    cailian13 Aug 22, 2012 8:36 AM in response to j_lundqvist

    Hmmm. Alright, let me get FileVault going on a lab machine where I am and see if I get the same or something different....

  • by cailian13, Solved answer

    cailian13 Aug 22, 2012 11:08 AM in response to cailian13

    Ok, mine just finished encrypting. And it seems the only way to remove users from the decrypt list is to turn off FileVault, allow it to decrypt, and then re-activate FileVault so that only the correct user accounts can access the system. I have exactly the same screen as you and after a bit of Googling, this seems to be the only way without doing some very user-unfriendly modifications to the system. Not the greatest answer, but I hope it helps!

  • by j_lundqvist,

    j_lundqvist Aug 22, 2012 4:01 PM in response to cailian13

    Wow, thanks for the effort! Really! Like you said, not exactly a solution per se, but it keeps me from thinking that I did something wrong.

    It's an amazing oversight from Apple, isn't it? Clearly, the user should expect an account to be deleted once it's, ehh, deleted? Having to cycle the encryption seems like a terrible solution.

    I'm not afraid of non-userfriendly hacks and if you dug something up on how to solve it, please share? I came up empty on my (quite extensive) search.

    Again, thanks for all your effort. Best,

      / J., Sweden.

  • by cailian13,

    cailian13 Aug 22, 2012 11:57 PM in response to j_lundqvist

    I found several different options when I searched "remove user from filevault" online. Some varied options, some better than others...I'll leave it to you to browse the first page of results...

  • by z3r,

    z3r Aug 19, 2014 8:49 AM in response to j_lundqvist

    I realize this thread is old but perhaps this will help passing googlers who have this problem, as I just did on Mavericks (10.9.3). The following worked for me:

    • Re-create the deleted account in the "Users & Groups" system preferences pane. Use the same long username, short username, password and access level as it had before.
    • Go to the Terminal and type `sudo fdesetup remove -user scoobydoo` where scoobydoo is the short username in question
    • Remove the account again.

  • by MarkUser,

    MarkUser Oct 1, 2015 7:38 AM in response to z3r

    Thank you so much! I just did this on OSX 10.10.5 Yosemite. Works as described.
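
An added example, not part of any post in this thread: a shell check that compares the FileVault unlock list with the local accounts and reports entries that can still unlock the disk after the account was deleted. It assumes `fdesetup list` prints one `shortname,UUID` per line and `dscl . -list /Users` prints one short name per line; the function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report FileVault unlock users that no longer exist as
# local accounts (the situation described in this thread).

# orphaned_fv_users FV_LIST ACCOUNT_LIST
#   FV_LIST      text in the assumed `fdesetup list` format: shortname,UUID
#   ACCOUNT_LIST text in the assumed `dscl . -list /Users` format: one name per line
# Prints each short name that is in FV_LIST but not in ACCOUNT_LIST.
orphaned_fv_users() {
    fv_list=$1
    accounts=$2
    printf '%s\n' "$fv_list" | while IFS=, read -r name uuid; do
        [ -n "$name" ] || continue
        # -F fixed string, -x whole-line match, so "al" never matches "alice"
        if ! printf '%s\n' "$accounts" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data (not taken from a real machine).
SAMPLE_FV='alice,11111111-2222-3333-4444-555555555555
scoobydoo,66666666-7777-8888-9999-AAAAAAAAAAAA'
SAMPLE_ACCOUNTS='_www
alice
daemon
root'

# On a Mac, as root, audit the live system; otherwise use the sample data.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    fv=$(fdesetup list)
    accts=$(dscl . -list /Users)
else
    fv=$SAMPLE_FV
    accts=$SAMPLE_ACCOUNTS
fi

orphans=$(orphaned_fv_users "$fv" "$accts")
if [ -n "$orphans" ]; then
    echo "FileVault unlock entries with no matching local account:"
    echo "$orphans"
else
    echo "Every FileVault unlock entry matches a local account."
fi
```

Running the check before deleting an account shows whether it is on the unlock list, in which case `sudo fdesetup remove -user` can be run first while the account still exists.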