So I'm looking at finally getting around to upgrading to High Sierra, which will mean converting my SSD partitions to APFS.
Currently I have two partitions, one for macOS, applications and an administrator account, and another for all other user accounts; both partitions are encrypted. Now, my plan is to take advantage of APFS' ability to have multiple volumes in the same space by expanding the APFS container into the users partition before restoring the users from Time Machine into a new APFS volume, so the space is neatly shared.
It seems that with APFS I could go even further however, and instead of one volume for all users, I can have individual volumes for each user.
However, there's actually a quirk of my current setup that I quite like; because only the administrator is on the system partition, it isn't possible for other users to sign in, as their home folders are on another volume that isn't initially unlocked. As a result, the administrator user must be the first to log in, both to decrypt the system volume, but also to grab the users volume password from the system keychain and mount it, at which point it can sign out and other users can sign in as normal.
This has an interesting side advantage: because my administrator password is very strong, and the users volume password is just a long random string of characters, all of the user accounts are secure at rest, no matter how weak one of their passwords might be (not that any of them are, but they're easier to type for convenience).
If I were to change my setup to individual per-user volumes however, they would surely be as weak as each user's password, whether or not the administrator has been logged in.
So what I'm wondering is: is there any way to have per-user encryption that is protected by a second encryption key? For example, could I use my initial plan to retain a single users volume, but still encrypt each user's folder on top of that?
I've scoured around for guides on encryption, but unfortunately the search results are dominated by posts confused about the FileVault setting in System Preferences, or posts examining Apple's initial announcement, so I haven't found anything exploring in-depth what is and isn't possible with APFS encryption yet (if I've missed one, do please share!). I've also taken a look at the manual entry for the diskutil command's apfs verb, but it's still not completely clear to me what is possible; it for example mentions a "disk" user, but is that just an extra user that can decrypt a volume?
The only other alternative I can think of would be to place an APFS container inside a Core Storage volume (so CS decryption would be required before any APFS volumes are accessible) but this seems unlikely to be supported for startup, and probably not a good long term idea assuming Apple's intention is to phase out Core Storage in favour of upgrading all CS use-cases to APFS.
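The "disk" user the post asks about is best seen by looking at what `diskutil apfs listCryptoUsers <volume>` reports: every entry is one key-holder that can unwrap the volume key, and the `Type:` line says whether that holder is a user account (an Open Directory user, unlocked by that account's login password), a recovery key, or a "Disk User" (a passphrase that belongs to the volume itself rather than to any account, which is what the post's random-string users volume password is). The script below is an added example, not part of the original post and not Apple's code; it parses that listing and classifies the holders. The listing it runs on is constructed for the example (the UUIDs are made up, apart from the fixed personal-recovery-key UUID) and is assumed to match the tree layout the real command prints.

```bash
#!/bin/bash
# Classify the cryptographic users of an APFS volume from the text printed by
#   diskutil apfs listCryptoUsers <volumeDevice>
#
# SAMPLE_LISTING is CONSTRUCTED for this example: the two account/disk UUIDs
# are made up, EBC6C064-... is the well-known personal recovery key user, and
# the tree layout is assumed to mirror what diskutil prints. On a real Mac run:
#   diskutil apfs listCryptoUsers disk1s2 | classify_crypto_users
SAMPLE_LISTING='Cryptographic users for disk1s2 (3 found)
|
+-- 4DB2A1F0-7C3E-4B8A-9E0D-1F2A3B4C5D6E
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
|
+-- 8F1C2D3E-4A5B-6C7D-8E9F-0A1B2C3D4E5F
    Type: Disk User'

# Reads a listing on stdin; prints one "UUID<TAB>type<TAB>meaning" line per holder.
# Each "+-- <UUID>" line starts a new holder; the following "Type:" line names it.
classify_crypto_users() {
    awk '
        /^\+-- / { uuid = $2; next }
        /Type: / {
            sub(/^.*Type: /, ""); type = $0
            if (type == "Disk User")
                meaning = "volume passphrase, not tied to any account"
            else if (type ~ /Open Directory User/)
                meaning = "unlocked by the login password of that account"
            else if (type ~ /Recovery User/)
                meaning = "recovery key (personal, institutional or iCloud)"
            else
                meaning = "unknown type, inspect manually"
            printf "%s\t%s\t%s\n", uuid, type, meaning
        }'
}

# Number of account-bound holders: each one makes the volume exactly as strong
# at rest as that account password, whatever else protects the volume.
count_account_users() {
    printf '%s\n' "$1" | classify_crypto_users |
        awk -F'\t' '$2 ~ /Open Directory/ { n++ } END { print n + 0 }'
}

# Succeeds if the volume has a Disk User, i.e. a passphrase that is not an
# account password (the post's "long random string" case).
has_disk_user() {
    printf '%s\n' "$1" | classify_crypto_users |
        awk -F'\t' '$2 == "Disk User" { found = 1 } END { exit !found }'
}

# Stand-alone run: show the classification of the constructed sample.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | classify_crypto_users
    echo "account-bound holders: $(count_account_users "$SAMPLE_LISTING")"
    has_disk_user "$SAMPLE_LISTING" && echo "volume has a Disk User"
fi
```

The security reading of the output is the point: a volume's at-rest strength is that of its weakest holder, so a volume listing only a Disk User (plus, optionally, a recovery key) is only as weak as that passphrase, while every Open Directory user that appears adds that account's password as another way in. For the admin-unlocks-first scheme in the post, the admin's step of fetching the passphrase from the login keychain and mounting the volume is `security find-generic-password -w -s <keychain-item> | diskutil apfs unlockVolume <volumeDevice> -stdinpassphrase`.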