rusl.net
Macintosh full disk encryption
2014-10-10 [updated 2014-10-20]

Apple introduced full disk encryption on the Macintosh with the release of Mac OS X 10.7 Lion. It is called FileVault 2, but is not turned on by default. FileVault 2 continues to work on Mac OS X 10.10 Yosemite, but Yosemite brings some small changes in behaviour which I mention near the end of this post.

The standard way to deploy FileVault 2 is to activate it through the Apple menu > System Preferences > Security & Privacy > FileVault tab. Using this method the user will be able to decrypt the disk at boot time with their login password. The option also exists to have multiple users able to decrypt the disk in the same fashion.

I found a different way to encrypt the disk so I have a long complex password for encryption, but a short password to protect my user login. I get the benefits of encryption with a long complex password, but I only need to type it when booting the computer. I have the convenience of a simple password that is easy to type to lock and unlock the screen when leaving the computer unattended.

I found this method by chance and haven’t found it documented elsewhere on the web - hence the post. Before you start you need to do a backup with Time Machine or SuperDuper! - preferably one of each.

From the Finder go to the Finder menu > Preferences… > General tab. Check the box next to ‘Hard disks’.

From the desktop right-click the icon of the hard disk. Click ‘Encrypt “MacintoshHD”…’

Choose a password and choose a phrase that will be displayed to anyone who tries to decrypt your disk without permission.

After clicking ‘Encrypt Disk’ you should reboot the computer, enter the new disk password, and then wait a few hours for the encryption to complete. You can check the progress of the encryption at Apple menu > System Preferences > Security & Privacy > FileVault tab. Leave the computer plugged in to power until encryption is complete.

You now have a computer with two separate passwords at boot: one to decrypt the disk and another to log in to your user account. To change the disk password you can decrypt the disk fully, then encrypt it again with a different password. Decrypting the disk is done by right-clicking the disk icon from the desktop and selecting ‘Decrypt “MacintoshHD”…’

Mac OS X 10.10 Yosemite introduces a new password behaviour which takes effect after encrypting your disk using the above method. If you add a new user account or change a user's admin privileges, that user may automatically be added to a list of users who can decrypt the disk with their user password - entirely bypassing the disk password. If this has happened you will see options other than ‘Disk Password’ at boot. Removing all users from this list will restore the desired password behaviour - a mandatory disk password that is independent of any user passwords.

You can remove users from the list by entering a command at the prompt (using the Terminal app). Since the command is run under sudo you will need to enter your user password when prompted. Replace ‘username’ with the actual username to be removed:

sudo fdesetup remove -user username

You’ll know all users have been successfully removed when rebooting the computer only gives you the ‘Disk Password’ option.
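
To check the list without rebooting, the script below (an added example, not part of the original post) reads the output of `fdesetup list` and prints the removal command for every account it finds. It assumes `fdesetup list` prints one `shortname,UUID` line per user who can unlock the disk; the function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: `fdesetup list` prints one "shortname,UUID" line per user
# who is allowed to unlock the disk at boot.

# Read `fdesetup list` output on stdin and print the usernames found.
# Lines that are not "name,UUID" (status or error text) are ignored.
unlock_users() {
    awk -F, 'NF == 2 && $1 ~ /^[A-Za-z0-9._-]+$/ &&
             length($2) == 36 && $2 ~ /^[0-9A-Fa-f-]+$/ { print $1 }'
}

# Turn usernames on stdin into the removal command given in the post.
removal_commands() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf 'sudo fdesetup remove -user %s\n' "$user"
    done
}

# Report on stdin's list: return 0 if only the disk password can unlock,
# 1 if any user account can (printing the command to remove each one).
audit() {
    users=$(unlock_users)
    if [ -z "$users" ]; then
        echo "OK: no user accounts can unlock the disk"
        return 0
    fi
    echo "WARNING: these accounts bypass the disk password:"
    printf '%s\n' "$users" | removal_commands
    return 1
}

# Constructed sample output (usernames and UUIDs are made up).
sample_list() {
    cat <<'EOF'
alice,11111111-2222-3333-4444-555555555555
bob,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
EOF
}

if command -v fdesetup >/dev/null 2>&1; then
    sudo fdesetup list | audit || true     # real check on a Mac
else
    sample_list | audit || true            # offline demonstration
fi
```

Running it again after adding an account or changing admin privileges shows whether that account has been added to the unlock list.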

As with all good encryption implementations, the only way to access the disk is with the correct password. If you forget the disk password you lose all access to the disk.