
jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
Hi guys, I need some help... I have posted about this a very long time ago and no one responded.

As far as I understand it, there are 2 ways of logging in.

1. You see the icons, you pick your name and you enter your password. In this method you see all the users that are on the system, but you can encrypt your HDD.

2. If you use discreet login, where you don't see icons, you have to enter your username and password. As far as I understand it you cannot encrypt your drive in this mode.

I would like to log in using method 2, but leave the drive encrypted. Solutions? I don't want people to be able to see the various users on the Mac; I would like my Mac to be secure and encrypted....

THANKS !
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,285
4,974
Well, no responses since, I believe, pretty much can't do what you want.

A workaround: create a dummy account solely for unlocking the disk drive, and have only that account be able to unlock the drive. Once the machine is up and running, you can sign out, and have the machine configured to provide the text entry boxes for user ID/password.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
To supplement NoBoMac's suggestion with some improvements:
  • You can disable the automatic login after the FileVault unlock with the following command (which prevents the unnecessary login into the dummy account):
    Code:
    sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
  • To restrict access to FileVault to the dummy account only, you can use this command to remove other users:
    Code:
    sudo fdesetup remove -user username
    You can get a list of users that are currently allowed to unlock FileVault with this:
    Code:
    sudo fdesetup list
  • You can hide the dummy account from the GUI completely with either of these commands:
    Code:
    sudo dscl . create /Users/dummyaccount IsHidden 1
    sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add dummyaccount

Alternatively, you can get around FileVault entirely by simply turning your partition into an HFS+ (Journaled, Encrypted) partition (which is practically the same encryption scheme, just without the niceties of FileVault, such as the separate recovery key and the ability to unlock the drive per user). This will accordingly remove the EFI login behaviour entirely and resort to a simple unlocking process that requires your encryption key, rather than a password. You can do this with the following command:
Code:
sudo diskutil cs convert diskidentifier -passphrase yourencryptionkey
You can find your disk identifier (‘BSD device node’) in Disk Utility or with diskutil list. You have to turn off FileVault beforehand and let the decryption process finish, of course.
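A defender-side check for the dummy-account setup above, added here as an example (it is not code from the thread or from Apple): given the output of sudo fdesetup list, it reports every account other than the allowed unlock account that can still unlock the drive and prints the fdesetup remove commands that would tighten the list, without running them. The sample listing is constructed, and the assumption that fdesetup list prints one username,UUID line per enabled user is mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts can unlock
# FileVault, given the text that `sudo fdesetup list` printed.
# Assumption: fdesetup list prints one "username,UUID" line per enabled user.

# Constructed sample output, standing in for `sudo fdesetup list`.
SAMPLE_FDESETUP_LIST='dummyaccount,11111111-2222-3333-4444-555555555555
alice,66666666-7777-8888-9999-AAAAAAAAAAAA
bob,BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF'

# Print, space-separated, every FileVault-enabled user except the one
# allowed unlock account ($1 = listing text, $2 = allowed account).
extra_unlock_users() {
    printf '%s\n' "$1" | awk -F, -v keep="$2" '
        NF >= 2 && $1 != keep { users = users (users ? " " : "") $1 }
        END { print users }'
}

# Return 0 if only the allowed account can unlock the drive, 1 otherwise.
unlock_list_is_restricted() {
    [ -z "$(extra_unlock_users "$1" "$2")" ]
}

# Emit the `fdesetup remove` commands an admin would run to fix the list
# (printed, not executed, so they can be reviewed first).
remediation_commands() {
    for u in $(extra_unlock_users "$1" "$2"); do
        printf 'sudo fdesetup remove -user %s\n' "$u"
    done
}

# Stand-alone run against the constructed sample.
if unlock_list_is_restricted "$SAMPLE_FDESETUP_LIST" dummyaccount; then
    echo "OK: only dummyaccount can unlock FileVault"
else
    echo "WARNING: extra unlock-enabled users: $(extra_unlock_users "$SAMPLE_FDESETUP_LIST" dummyaccount)"
    remediation_commands "$SAMPLE_FDESETUP_LIST" dummyaccount
fi
```

On a real machine you would feed it the live listing, e.g. extra_unlock_users "$(sudo fdesetup list)" dummyaccount, and re-run it after any account is added, since enabling a new user for FileVault silently widens the set of passwords that unlock the disk.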
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
Thanks guys, lots to read. Will look through and post back with questions, if any, and most certainly updates.

To supplement NoBoMac's suggestion with some improvements:
  • You can disable the automatic login after the FileVault unlock with the following command (which prevents the unnecessary login into the dummy account):
    Code:
    sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
  • To restrict access to FileVault to the dummy account only, you can use this command to remove other users:
    Code:
    sudo fdesetup remove -user username
    You can get a list of users that are currently allowed to unlock FileVault with this:
    Code:
    sudo fdesetup list
  • You can hide the dummy account from the GUI completely with either of these commands:
    Code:
    sudo dscl . create /Users/dummyaccount IsHidden 1
    sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add dummyaccount

Alternatively, you can get around FileVault entirely by simply turning your partition into an HFS+ (Journaled, Encrypted) partition (which is practically the same encryption scheme, just without the niceties of FileVault, such as the separate recovery key and the ability to unlock the drive per user). This will accordingly remove the EFI login behaviour entirely and resort to a simple unlocking process that requires your encryption key, rather than a password. You can do this with the following command:
Code:
sudo diskutil cs convert diskidentifier -passphrase yourencryptionkey
You can find your disk identifier (‘BSD device node’) in Disk Utility or with diskutil list. You have to turn off FileVault beforehand and let the decryption process finish, of course.

OK, first of all thanks, let me get this straight... so once I am done decrypting, while the disk is in use and without losing any data or reformatting, I can with this command transform my disk, which is now on OS X Extended, to HFS+?

sudo diskutil cs convert diskidentifier -passphrase yourencryptionkey, so diskidentifier is the name of my HD or whatever pops up using diskutil list, and "yourencryptionkey", what is that exactly: the current password for my HD or the password I want it to be, which is essentially the same thing :)
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
OK, first of all thanks, let me get this straight... so once I am done decrypting, while the disk is in use and without losing any data or reformatting, I can with this command transform my disk, which is now on OS X Extended, to HFS+?

Not quite! You are already using HFS+ (called ‘Mac OS Extended’ in Finder and Disk Utility). HFS+ has no encryption capabilities, so Apple created a wrapper for HFS+ that provides volume encryption in its stead: CoreStorage. When you enable FileVault, your system wraps your HFS+ partition in the CoreStorage format and encrypts the contents. It does this at runtime. You can access this functionality with the command I gave you. However, as you enabled FileVault already, your drive is presently an encrypted CoreStorage. One way to do this is to disable FileVault and wait for the decryption to be completed.

sudo diskutil cs convert diskidentifier -passphrase yourencryptionkey, so diskidentifier is the name of my HD or whatever pops up using diskutil list, and "yourencryptionkey", what is that exactly: the current password for my HD or the password I want it to be, which is essentially the same thing :)

When you type diskutil list into a Terminal window, you get a list of your disks and volumes. It looks like this:
Code:
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         249.2 GB   disk0s2
   3:                 Apple_Boot Boot OS X               650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *248.8 GB   disk1

My main partition has the disk identifier disk0s2, currently a CoreStorage volume which contains the HFS+ volume called Macintosh HD (which has the identifier disk1). Normally, you do not have to reverse the entire process to re-encrypt the volume or change the passphrase, but the problem is, as I understood it, that FileVault never gives you the actual passphrase of the drive and you cannot perform diskutil cs decryptvolume or diskutil cs changevolumepassphrase without it.

Maybe @Weaselboy knows more about this, but that is what I know.
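A pre-flight check for the diskutil cs convert step, added here as an example (not code from the thread or from Apple): it reads diskutil list output in the layout shown above, finds the partition by volume name and reports its identifier, and refuses when that partition is already of type Apple_CoreStorage, which is what a still-encrypted FileVault volume looks like and where conversion cannot proceed. Both listings are constructed, and the column layout it relies on (a two-field SIZE such as "249.2 GB", the identifier last) is an assumption taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): locate the partition to hand to
# `sudo diskutil cs convert <identifier> -passphrase ...` and refuse when it
# is already a Core Storage physical volume.
# Assumption: `diskutil list` rows look like "N: TYPE NAME... SIZE UNIT IDENTIFIER".

# Constructed listing: plain HFS+ system volume, the state after FileVault
# has been turned off and decryption has finished.
SAMPLE_DISKUTIL_LIST='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            249.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Constructed listing: the same disk while still wrapped in Core Storage.
SAMPLE_ALREADY_CS='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            249.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Print "TYPE IDENTIFIER" for the row whose NAME is $2 ($1 = listing text).
# TYPE is the field after the "N:" index; IDENTIFIER is the last field;
# NAME is every field between TYPE and the two SIZE fields.
partition_by_name() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 ~ /^[0-9]+:$/ {
            type = $2; id = $NF; n = ""
            for (i = 3; i <= NF - 3; i++) n = n (n ? " " : "") $i
            if (n == name) { print type, id; exit }
        }'
}

# Decide whether volume $2 in listing $1 is a valid convert target.
# Prints the identifier and returns 0, or prints the reason and returns 1.
convert_target() {
    entry=$(partition_by_name "$1" "$2")
    [ -n "$entry" ] || { echo "no partition named '$2'"; return 1; }
    set -- $entry   # now $1 = TYPE, $2 = IDENTIFIER
    case "$1" in
        Apple_CoreStorage)
            echo "$2 is already a Core Storage physical volume; convert would fail"
            return 1 ;;
        Apple_HFS)
            echo "$2"
            return 0 ;;
        *)
            echo "$2 has type $1, not Apple_HFS"
            return 1 ;;
    esac
}

# Stand-alone run against both constructed listings.
for listing in "$SAMPLE_DISKUTIL_LIST" "$SAMPLE_ALREADY_CS"; do
    if target=$(convert_target "$listing" "Macintosh HD"); then
        echo "convert target: $target"
    else
        echo "refusing: $target"
    fi
done
```

With a live system you would call convert_target "$(diskutil list)" "Macintosh HD" and only then type the diskutil cs convert command by hand with the identifier it printed; the check deliberately never runs diskutil itself.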
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
OK, great, one more clarification. I assume your response is as such because there's HFS+ and HFS+ (Journaled, Encrypted), is that right? Which are two different things; I just thought it's one thing. They have changed the way El Capitan works: you can no longer easily use Disk Utility to see the various options. But whatever you are saying basically boils down to: once FileVault is decrypted I can redo it using a non-FileVault method that you have mentioned... but I'm still not clear about this passphrase thing. It seems you don't mean a new password or the current user password, so what do you mean exactly?
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
But I'm still not clear about this passphrase thing. It seems you don't mean a new password or the current user password, so what do you mean exactly?

FileVault has additional functionality that is optional to encrypted CoreStorage. When you enable FileVault, the system creates separate ‘passphrases’ for each user account (i.e. the account password) in addition to a recovery key (which is also a passphrase). Each of these passphrases decrypts the actual encryption key of the volume, which is unbeknownst to you. When you create an encrypted CoreStorage volume with diskutil however, you have to specify this passphrase yourself and it is not tied to your user account. You can choose whatever you want; you will need to use this passphrase whenever you boot your Mac. You can reuse your password, if you want, but you don’t have to.
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
FileVault has additional functionality that is optional to encrypted CoreStorage. When you enable FileVault, the system creates separate ‘passphrases’ for each user account (i.e. the account password) in addition to a recovery key (which is also a passphrase). Each of these passphrases decrypts the actual encryption key of the volume, which is unbeknownst to you. When you create an encrypted CoreStorage volume with diskutil however, you have to specify this passphrase yourself and it is not tied to your user account. You can choose whatever you want; you will need to use this passphrase whenever you boot your Mac. You can reuse your password, if you want, but you don’t have to.

Right, understood. I appreciate you taking the time to assist. It is now in the process of decrypting; I shall post back once it's done. Thanks
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
FileVault has additional functionality that is optional to encrypted CoreStorage. When you enable FileVault, the system creates separate ‘passphrases’ for each user account (i.e. the account password) in addition to a recovery key (which is also a passphrase). Each of these passphrases decrypts the actual encryption key of the volume, which is unbeknownst to you. When you create an encrypted CoreStorage volume with diskutil however, you have to specify this passphrase yourself and it is not tied to your user account. You can choose whatever you want; you will need to use this passphrase whenever you boot your Mac. You can reuse your password, if you want, but you don’t have to.

This is the error message I'm getting:
Code:
Error converting disk to CoreStorage: The target disk is already in use by Core Storage (-69753)
What does that mean... I am supposed to choose the one that is currently Macintosh HD, right?

OK so I restarted, and I had an issue: it was going to a recovery Disk Utility screen... I did a disk repair and it restarted fine... I am gonna test again later with my TB display attached... now I ran the utility again and this is what I am getting:
Code:
Started CoreStorage operation on disk0s2 Macintosh HD
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Reviewing boot support loaders
Attempting to unmount disk0s2
Switching disk0s2 to Core Storage
Couldn't unmount disk0s2; converted volume won't appear until it's unmounted
Finished CoreStorage operation on disk0s2 Macintosh HD
Encryption in progress; use `diskutil coreStorage list` for status
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
What’s the output of diskutil list?

Code:
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *750.2 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            749.3 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:                  Apple_HFS HD                      999.9 GB   disk1s2
JDs-MacBook-Pro:~ JD$

And for:
Code:
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 866A5471-4E85-44A4-8460-916E6A571285
    =========================================================
    Name:         Macintosh HD
    Status:       Offline
    Size:         0 B (0 B)
    Free Space:   -none-
    |
    +-< Physical Volume 8932F78C-6882-4EAF-BB27-CC980D9FF5D9
        ----------------------------------------------------
        Index:    0
        Disk:     disk0s2
        Status:   Checking
        Size:     749296615424 B (749.3 GB)
JDs-MacBook-Pro:~ JD$
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
So I think it's done its work, but now when I log in I have to log into the drive, then I see my user login?
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Yes, that is the point of this. Unlocking the drive is now a separate step that requires your passphrase instead of one of your account passwords. Afterwards you have to login, but you are free to choose how the login screen looks.
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
Right, so if I want the drive protected and the login discreet like that, there's no other way, right? BTW thanks
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
No, there is no other way. It’s either FileVault in its full glory (and the workarounds I mentioned in my first post) or manual encryption using diskutil. Just make sure that you do not forget your passphrase. Making regular backups is definitely recommended.
 

LCPepper

macrumors 6502
Aug 5, 2013
275
246
United Kingdom
Sorry to wade in here after so much effort has been spent.

But I have full FileVault turned on and the "discreet" login enabled, and I didn't do anything other than go and enable FileVault in settings...

As far as I am aware, the decryption passphrase is the password, so as long as one is entered that corresponds, then why would it make any difference to list or not, the usernames?

The functioning is the same, just how it is presented to the GUI is changed if you think about it logically...

I have accessed my MacBook Pro from another Mac over thunderbolt in the past, and had to just put in a password from one of my MBP's user accounts to get access through FileVault.

Edit: adding more waffle.

OKAY I SEE!

OP meant in terms of the initial login at boot up.

I just checked mine, and though when "logging off" after decryption/user switching you can enable the discreet login, come from a fresh sesh, it doesn't use discreet methods!

Apologies for the unnecessary inconvenience! I shall leave my original pontification as means of a dunce hat!

Edit: stupidity
 

ScoobyMcDoo

macrumors 65816
Nov 26, 2007
1,188
37
Austin, TX
I'm gonna wade in late too just to point out that there are third party solutions that could be explored. My company uses Dell Data Protection for the PCs here. They have an OS X version also - I don't use it, but I know it exists. I read about it a bit and I think it said it encrypts each file separately rather than using a sparse bundle, so maybe you can get the behavior you want.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
I'm gonna wade in late too just to point out that there are third party solutions that could be explored. My company uses Dell Data Protection for the PCs here. They have an OS X version also - I don't use it, but I know it exists. I read about it a bit and I think it said it encrypts each file separately rather than using a sparse bundle, so maybe you can get the behavior you want.

It is not a full-disk encryption though. FileVault used to be based on an encrypted sparse-bundle as well, but it proved to be unreliable and prone to security problems (the system still ‘leaks’ data outside of the user directory). Full-disk encryption is a more complete solution. That being said, it is of course possible to use additional methods, particularly for data that might leave the system at one point.

As far as I am aware, the decryption passphrase is the password, so as long as one is entered that corresponds, then why would it make any difference to list or not, the usernames?

Some people like the added obscurity. It does not make much of a difference in terms of security though. Either the password is decent enough to fend off attacks, or it is not. It can certainly delay attacks if they have to figure out the usernames too, but the real protection comes from the password and if that’s decent, then the encryption is practically impossible to crack.
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
I'm basically trying to thwart *******s at customs who think it's OK to go through your computer. This way I can just go into a dummy account; not that I have anything to hide, I just think it's offensive and invasive, so they can go look at an empty account.
 

ScoobyMcDoo

macrumors 65816
Nov 26, 2007
1,188
37
Austin, TX
I'm basically trying to thwart *******s at customs who think it's OK to go through your computer. This way I can just go into a dummy account; not that I have anything to hide, I just think it's offensive and invasive, so they can go look at an empty account.

Which country's customs logs into your account and peruses through your files? The closest I have ever come to that is TSA folks just powering it up to make sure it's really a computer.
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
They do though, I've read about it: Canada, US, they look through your phones and computers even for citizens... uggh
 

jdaniel

macrumors 65816
Original poster
Mar 21, 2009
1,150
15
Lviv, Ukraine
Follow-up question KALLT: when I try to add a user it comes up as an icon right next to the disk password instead of being a discreet thing. Is there a way to make another user that's hidden like my main user?
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Follow-up question KALLT: when I try to add a user it comes up as an icon right next to the disk password instead of being a discreet thing. Is there a way to make another user that's hidden like my main user?

I don’t understand what you mean. Adding a user to what and how? Where does this icon appear? Could you elaborate, or show a picture?
 