I'm going to answer this because if I don't, there's a good chance you'll be given false information.
Permissions are what protect data on an encrypted volume from other users. If you enable FileVault, make yourself the only administrative user and also the only user who can unlock the volume. Your home folder (which contains all your personal files) is protected from access by other users who can log in to the system by its permissions, which allow only you to read below the top level.
If someone logs in to another account, which is not an administrator account, the encrypted volume is still mounted, but your personal files are inaccessible. That inaccessibility is enforced by the kernel and is no less secure than the encryption itself.
If someone tries to reboot the system insecurely or mount the volume in target disk mode, he'll be confronted with the password dialog. Without the password, that's as far as he'll get.
This security model will fail if you do either of the following:
- Allow another user to unlock the volume; i.e., log in at startup.
- Give another user administrator privileges.
Ugh, had not even thought about permissions, thanks. The only way I know how to change permissions per drive/partition is through Get Info > Sharing & Permissions. Btw I am talking about drives and partitions that are not considered the 'boot volume' that is covered by FileVault.
I am not able to add a user to the privileges list and set that (non-admin) user to have 'No Access'. The only options available are Read Only, Read & Write and Write Only (Drop Box). The only group I can set the 'No Access' privilege for is 'everyone'. When I do this I assume it means everyone but those authorized to have read or write access has no access and should not be able to see the contents of the disk.
I set it, switched to the other standard user account and was able to see the drive, its contents and folder contents, unrestricted. I went back and even used 'apply to enclosed items' but it did not change anything.
This is how mounting volumes works in OS X. Once mounted, a drive is available systemwide, and not restricted to a specific user. The encryption that OS X sets up on a drive is per-volume only, and not intended to protect the data from other users on the system. Instead, its intent is to prevent someone from finding your drive and plugging it into another system to overcome security and access your files.
Ultimately the mode for securing files from other users of the same system is to not rely on encrypted volumes. If mounted, the unencrypted drive will remain unlocked and re-mountable. The only way to secure it again is to fully detach or eject it from the system.
However, overall it is not really a security flaw in the system. While intuitively it may seem the system ought to lock the drive again once ejected, this behavior still falls in line with how the system already handles local drives, where any volume (encrypted or not) is viewable and accessible by other user accounts.
The way you can prevent another user from accessing the mounted volume is to get information on the volume, and then click the lock at the bottom to authenticate for changes, and then uncheck the box to ignore ownership on the volume. This will have the system observe permissions restrictions for files on the drive, but keep in mind this will only be restrictive to non-administrative accounts, as any admin can re-check the box and have full access to the drive again.
An alternative option is to use an encrypted disk image to secure files. Unlike encrypted drives, the system should fully eject an encrypted disk image when you eject it, requiring its password to be entered when mounting the image again. Unfortunately as with other mounted volumes, if you mount the disk image in your account and keep it mounted, then another user that logs in at the same time will be able to access this volume.
You can set the permissions of an external drive (or any other custom, isolated folder on your system) to whatever you want without hurting a thing (beyond adjusting who gets access to it, including yourself).
By removing the staff group, you will simply keep everyone who is a member of that group from getting a permissions setting for that drive, which will by default deny access to that group.
The "Staff" group in OS X is the default group for any local user, so settings for this group will adjust access for non-admin users.
As a result, if removed, then only the remaining users listed (e.g., your user name) will be granted access to the drive. This is ultimately a more secure setup (mainly from a user-error standpoint, where you might inadvertently grant access with a permissions change to this group), but you can do the same by keeping the group and setting its permissions to "deny."
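The two answers above describe the same procedure from the command-line side: first make the kernel honour ownership on the volume (the "Ignore ownership on this volume" box), then restrict the top level to one user and explicitly deny the staff group. The script below is an added example, not code from any of the posters; it parses a constructed sample of `diskutil info` output (the `Owners:` line is what the checkbox toggles) and prints, rather than runs, the commands that would lock the volume down. It assumes the `Owners:` and `Mount Point:` line format of `diskutil info` and the `chmod +a` ACL syntax of macOS; the volume name, device identifier and user name are constructed.

```shell
#!/bin/sh
# Added example: audit whether macOS enforces file ownership on a mounted
# volume and print the commands that restrict it to a single user.
# Assumes the "Owners:" / "Mount Point:" lines of `diskutil info` and the
# ACL syntax of macOS chmod. Nothing here is executed against a real disk.

# Constructed sample of `diskutil info` output for an external volume that
# still has "Ignore ownership on this volume" checked (Owners: Disabled).
SAMPLE_INFO='   Device Identifier:        disk2s2
   Device Node:              /dev/disk2s2
   Volume Name:              Archive
   Mounted:                  Yes
   Mount Point:              /Volumes/Archive
   File System Personality:  Journaled HFS+
   Owners:                   Disabled'

# ownership_enforced: read `diskutil info` text on stdin; succeed (exit 0)
# only if the kernel honours owner/group/mode on the volume. While owners
# are ignored, every file appears to belong to whoever is logged in, which
# is why the Get Info permissions had no effect for the asker.
ownership_enforced() {
    grep -E '^[[:space:]]*Owners:[[:space:]]+Enabled' >/dev/null
}

# mount_point: extract the mount point from `diskutil info` text on stdin.
mount_point() {
    sed -n 's/^[[:space:]]*Mount Point:[[:space:]]*//p'
}

# lockdown_commands VOLUME USER: print the commands that (1) make the kernel
# respect permissions on the volume, (2) hand the tree to USER with mode 700
# on the top level, and (3) deny the default "staff" group via an ACL entry,
# the explicit-deny variant of "remove staff" from the last answer.
# Admins can still undo step (1), as the thread notes.
lockdown_commands() {
    vol=$1; user=$2
    printf 'sudo diskutil enableOwnership "%s"\n' "$vol"
    printf 'sudo chown -R "%s" "%s"\n' "$user" "$vol"
    printf 'chmod 700 "%s"\n' "$vol"
    printf 'chmod +a "group:staff deny read,list,search" "%s"\n' "$vol"
}

# audit USER: read `diskutil info` text on stdin, report the state and, when
# ownership is ignored, print the remediation commands for USER.
audit() {
    user=$1
    info=$(cat)
    vol=$(printf '%s\n' "$info" | mount_point)
    if printf '%s\n' "$info" | ownership_enforced; then
        printf 'ownership enforced on %s; permissions apply\n' "$vol"
    else
        printf 'ownership IGNORED on %s; permissions give no protection\n' "$vol"
        lockdown_commands "$vol" "$user"
    fi
}

# Run the audit over the constructed sample for a hypothetical user "alice".
printf '%s\n' "$SAMPLE_INFO" | audit alice
```

On a real machine you would replace the sample with `diskutil info /Volumes/Archive | audit "$USER"`, review the printed commands, and run them by hand; `chown -R` walks the whole volume, so on a large drive expect it to take a while. Re-check `diskutil info` afterwards: the `Owners:` line should read `Enabled`, and a second standard account should now get "permission denied" at the volume root instead of a directory listing.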