
Deleting accounts does not remove FileVault decryption

Using Mountain Lion I have FileVault whole-disk encryption enabled on my Mac’s system drive. Today I removed a few accounts from my machine as I no longer had need for them.

After deleting the accounts, they have been removed from the System Preferences -> Users and Groups preference pane, but when I reboot, the EFI decrypt screen still includes the deleted accounts. Entering their passwords decrypts FileVault and system startup commences.

This is, of course, not what I wanted. I would like all traces of the accounts I removed to be deleted – and I particularly do not want them to be able to decrypt FileVault, essentially rendering it useless. This is so contrary to user intention it must be considered a bug?

As a workaround, had I not already removed the accounts, I guess I could have changed their password to something really complicated, but I can’t even do that.

Any ideas? Pretty please?

MacBook Pro (15-inch 2.4/2.2 GHz), OS X Mountain Lion

Posted on Aug 20, 2012 11:47 AM


Aug 20, 2012 12:10 PM in response to mende1

Thanks, but that didn't help me much as the user accounts have already been deleted in the OS. The only place they remain is on the EFI startup screen. I can't follow your suggestions as the users and their home directories have already been deleted.


(Also, even if I could "hide" them, that would be less than ideal as I want the passwords to be rejected, on key-level, by FileVault.)

Aug 22, 2012 2:18 AM in response to cailian13

Thanks for replying, Cailian! I dug around in that preference pane too as I found some screenshots in some forums where there was a button for authorized users in there. (Not sure if the screenshots I found were from Mountain Lion, though?)


However, in my System Preferences -> Security & Privacy -> FileVault, that button is missing. I've attached a screenshot so you can see what I see.

Thanks again!

Aug 22, 2012 11:08 AM in response to cailian13

Ok, mine just finished encrypting. And it seems the only way to remove users from the decrypt list is to turn off FileVault, allow it to decrypt, and then re-activate FileVault so that only the correct user accounts can access the system. I have exactly the same screen as you and after a bit of Googling, this seems to be the only way without doing some very user-unfriendly modifications to the system. Not the greatest answer, but I hope it helps!

Aug 22, 2012 4:01 PM in response to cailian13

Wow, thanks for the effort! Really! Like you said, not exactly a solution per se, but it keeps me from thinking that I did something wrong.


It's an amazing oversight from Apple, isn't it? Clearly, the user should expect an account to be deleted once it's, ehh, deleted? Having to cycle the encryption seems like a terrible solution.


I'm not afraid of non-userfriendly hacks and if you dug something up on how to solve it, please share? I came up empty on my (quite extensive) search.


Again, thanks for all your effort. Best,


/ J., Sweden.

Aug 19, 2014 8:49 AM in response to j_lundqvist

I realize this thread is old but perhaps this will help passing googlers who have this problem, as I just did on Mavericks (10.9.3). The following worked for me:


  • Re-create the deleted account in the "Users & Groups" system preferences pane. Use the same long username, short username, password and access level as it had before.
  • Go to the Terminal and type `sudo fdesetup remove -user scoobydoo` where scoobydoo is the short username in question
  • Remove the account again.
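
An added example, not part of the original thread: a shell check for the condition this thread describes, FileVault unlock entries whose short name no longer matches a local account. It assumes `fdesetup list` prints `shortname,UUID` per line and `dscl . -list /Users` prints one short name per line; the function name `stale_fv_users` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find FileVault unlock entries with no matching local account.
# Assumed input formats:
#   fdesetup list         -> "shortname,UUID" per line
#   dscl . -list /Users   -> one short username per line

# stale_fv_users FV_LIST ACCOUNT_LIST
# Prints every "shortname,UUID" entry whose short name is not a local account.
stale_fv_users() {
    fv_list=$1
    accounts=$2
    printf '%s\n' "$fv_list" | while IFS=, read -r name uuid; do
        [ -n "$name" ] || continue            # skip blank lines
        # -x: whole-line match, -F: literal string, so "al" never matches "alice"
        if ! printf '%s\n' "$accounts" | grep -qxF -- "$name"; then
            printf '%s,%s\n' "$name" "$uuid"
        fi
    done
}

# Constructed sample data (not taken from a real machine).
SAMPLE_FV='alice,11111111-2222-3333-4444-555555555555
scoobydoo,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_ACCOUNTS='_www
alice
daemon
nobody
root'

if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # Live check on a Mac, run as root because fdesetup requires it.
    stale_fv_users "$(fdesetup list)" "$(dscl . -list /Users)"
else
    # Anywhere else, demonstrate on the sample: prints the scoobydoo entry.
    stale_fv_users "$SAMPLE_FV" "$SAMPLE_ACCOUNTS"
fi
```

Any entry the check prints can still unlock the disk at the pre-boot screen even though the account is gone from Users & Groups.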
