Monday, September 09, 2013

Mountain Lion and the encrypted boot drive: Implications for migration assistant and what happens when you delete the only account that had FileVault 2 access (bug)

For several reasons I decided to enable encryption on my new SSD boot drive. I used the admin account on the drive. I then migrated data from my old drive, restarted, switched to my regular admin account, and deleted the admin account I'd created for drive setup.

That's the problem. Even though that account has been deleted, when I restart the Mac the startup partition (Apple_Boot Recovery HD?) still asks me for that account's password.

That sounds like a bug, but it could have been worse. When you set up a boot drive with FileVault 2 and then use Migration Assistant, the migrated users cannot unlock the disk automatically; you have to enable FileVault unlocking for each of them [1]. I'd unwittingly deleted the only account that was authorized to decrypt my boot drive.

Once I enabled my other accounts for unlocking, they appeared on the startup menu -- along with my deleted admin account. So the deleted account is still used by the hidden boot partition, and it probably can't be deleted, nor can its password be changed. So, yeah, it's a bug.

FileVault 2 makes me nervous.

See also:

  • [1] OS X: About FileVault 2 - Apple support. This is mandatory reading. "If you want to make the Mac available to a user that does not have unlock capabilities, log in, then when you see your own desktop, choose "Log Out (user name)" from the Apple menu. Also, you can unlock the disk, then choose the other user's name from the Fast User Switch (appears as the currently-logged in user's name) menubar item in the upper-right part of the screen ... When FileVault 2 is enabled, Recovery HD does not appear in the Startup Manager (which is accessed by holding Option during startup). However, you can select the Recovery HD by holding Command-R as Lion starts up."
  • OS X: How to create and deploy a recovery key for FileVault 2 - This might be the most advanced support article I've read. The recovery key for a FileVault 2 encrypted disk is shown only once, when encryption is enabled, and cannot be displayed later; using this method one can save a key that can be used when a password is forgotten. (Maybe this is what Apple does when you elect to save credentials with them.)
  • osx - Disable a user's ability to unlock a FileVault 2 volume at startup/login time - Ask Different: This is the best overview of the bug with FileVault 2 and inability to "remove, from the EFI loginwindow, a user who should no longer be able to unlock the startup volume."
  • Using fdesetup with Mountain Lion’s FileVault 2 | Der Flounder 7/2012 - Remove users from the list of FileVault enabled accounts.
  • training.apple.com/pdf/WP_FileVault2.pdf: Apple Technical White Paper. Best Practices for Deploying FileVault 2 - Deploying OS X Full Disk Encryption Technology

Update 9/11/2013

I tried sudo fdesetup list and the list did not include the unwanted user account. So I restarted, and this time it didn't appear. So perhaps 1-2 restarts after enabling users took care of my orphaned EFI LoginWindow account.

I've seen some other odd behaviors, but I may get to those another time.
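The check I would want after a migration like this one is a quick comparison of the accounts fdesetup considers FileVault-enabled against the accounts that actually exist on the Mac, so an orphan like the deleted setup admin above is caught before it lingers in the pre-boot login window. The script below is an added example, not code from the original post or from Apple. It uses the real commands (sudo fdesetup list, whose output is one "username,UUID" line per enabled account; dscl . -list /Users; sudo fdesetup remove -user NAME), but the sample account names, UUIDs and local user list are constructed so it runs offline, and by default it only prints the removal commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): find FileVault 2-enabled
# accounts that no longer exist as local users, then remove them.
# On a real Mac the two inputs come from:
#   sudo fdesetup list      # one "username,UUID" line per enabled user
#   dscl . -list /Users     # one local account name per line
# The sample data below is constructed for offline illustration.

# Constructed stand-in for `sudo fdesetup list` output: the temporary
# setup admin is still enabled even though the account was deleted.
SAMPLE_FDE_LIST='setupadmin,8A1F4E1C-1111-2222-3333-444455556666
jfaughnan,0B2E5D2D-7777-8888-9999-AAAABBBBCCCC'

# Constructed stand-in for `dscl . -list /Users` (setupadmin is gone).
SAMPLE_LOCAL_USERS='_mbsetupuser
daemon
jfaughnan
nobody
root'

# orphaned_fv_users FDE_LIST LOCAL_USERS
# Prints each FileVault-enabled username with no matching local account.
orphaned_fv_users() {
    fde_list="$1"
    local_users="$2"
    printf '%s\n' "$fde_list" | cut -d, -f1 | while IFS= read -r user; do
        [ -n "$user" ] || continue
        # -x: whole-line match, -F: literal name, not a regex
        if ! printf '%s\n' "$local_users" | grep -qxF -- "$user"; then
            printf '%s\n' "$user"
        fi
    done
}

# remove_orphans FDE_LIST LOCAL_USERS
# For each orphan, run `fdesetup remove -user NAME` (needs root, on a Mac).
# With DRY_RUN=1 (the default here) it only prints the command.
remove_orphans() {
    orphaned_fv_users "$1" "$2" | while IFS= read -r user; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: sudo fdesetup remove -user $user"
        else
            sudo fdesetup remove -user "$user"
        fi
    done
}

# On a real Mac you would pass "$(sudo fdesetup list)" and
# "$(dscl . -list /Users)" instead of the constructed samples.
remove_orphans "$SAMPLE_FDE_LIST" "$SAMPLE_LOCAL_USERS"
```

Before running this with DRY_RUN=0, confirm that at least one remaining account still shows up in sudo fdesetup list and that the recovery key is escrowed somewhere you can reach; removing the wrong entry leaves you back in the situation the post describes, with no account able to unlock the disk at boot.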

1 comment:

Martin said...

Where's the bug?

Since FileVault uses by default the password of the user who initiated the encryption, you can still access your FileVault-protected data as long as you remember the password. There remains no hidden account after deletion. And you can of course set a new FileVault password if you remember the current password.

For improved security, it is recommendable to use a specific password for FileVault.