I decided I should get around to encrypting the data on my Mac hard drives, so a thief would not be able to access potentially sensitive information if I got my laptop stolen. I wanted a Whole Disk Encryption solution that works similar to Symantec PGP Whole Disk Encryption or TrueCrypt, but I didn’t want to pay for Symantec/PGP and (as far as I can tell) TrueCrypt doesn’t support System Encryption for Mac.
When FileVault first came out, I wasn’t too impressed. It seemed like a hack where Apple was just shoehorning user directories into encrypted disk images. Then I heard about performing whole disk encryption using FileVault 2. This sounded pretty good and Apple seems to be doing security right so I decided to explore the FileVault 2 option.
First I went int System Preferences -> Security & Privacy -> FileVault. As I read about FileVault I found it is designed to encrypt the disk encryption key with a key derived from each user’s password. I didn’t want my disk encryption key protected by weak passwords and I didn’t want to be inconvenienced by having to enter extremely long/strong passwords for normal unlocking of the computer. It only took a slight hack of MacOS built in features to accomplish this.
Mac OS WDE Steps
- Create a new Administrator account. This will be your unlocking account, so name it and create a password accordingly.
Note: We are creating a separate account, because FileVault can only be enabled from an Administrator account, but you cannot remove the ability to unlock the drive once it has been granted.
- Logout and login with the new unlocking account
- Open System Preferences -> Security & Privacy -> FileVault
- Click “Turn On FileVault…”
- Follow the steps to turn on FileVault. I chose not to send a recovery key to Apple.
- Wait for the encryption to finish.
- Logout with your unlocking account.
- Login with another Administrator account.
- Open System Preferences -> Users & Groups
- Select the unlocking account and uncheck “Allow user to administer this computer”
- Check “Enable parental controls” and click “Open Parental Controls…”
- Now restrict this account, so it is unusable for general use and can only reasonably be used to unlock the hard drive.
- Under Apps
- Check “Use Simple Finder”
- Check “Limit Applications”
- Uncheck all “Allowed Apps:”.
Note: I went back and allowed the GoogleSoftwareUpdateAgent and SIMBL Agent, because these were giving me permission errors when logging in.
- Under Web
- Select “Allow access only to these websites” and do not include any websites in the list.
- Under People, deselect all options
- Don’t make any changes under “Time Limits”
- Under Other
- Check all option.
Note: Checking “Disable changing the password” is especially important if you share the password to allow a few people to unlock the computer.
- Check all option.
- Under Apps
Now when you boot your computer, you will be presented by a screen asking for the password to your unlocking account. Once you login to the unlocking account, you will not have access to any applications, so the only reasonable thing to do is logout. Then you will have the option to login to on of the other accounts on the system.