FileVault 2 Settings?

[maverick100]

First; thanks to everyone that gives help to all the Mac users on this forum and all the forums on MacRumors. I have learned so much from your knowledge and expertise.

When I do a startup from an iMac that is using has been Filevaulted I am unable to find a way to have the login screen show the username and password screen. From a startup it shows the Picture for that user; shows their user name and only asks for the password.

It does show just the user name and password; if I logout.

I am sure I am just missing something. Thanks in advance for the help.

 

[0128672]

I'm a little unclear about what you're asking. Screenshots might be helpful here. You can adjust the login settings for users in the Users & Password preference > Login Options even if Filevault is active.

Which option is currently being used and which one would you prefer?

 

[maverick100]

I'm a little unclear about what you're asking. Screenshots might be helpful here. You can adjust the login settings for users in the Users & Password preference > Login Options even if Filevault is active.

Which option is currently being used and which one would you prefer?

View attachment 2048875

Thanks for the info. I will take some pictures with my iPhone and post. I was afraid I would not be able to explain what happens. thanks for the help.

 

[0128672]

Thanks for the info. I will take some pictures with my iPhone and post. I was afraid I would not be able to explain what happens. thanks for the help.

You can create screenshots on your Mac too and post them here. That might be easier and more clear than iPhone photos.

 

[maverick100]

You can create screenshots on your Mac too and post them here. That might be easier and more clear than iPhone photos.

thanks. I must be doing something wrong, I am unable to do a screen capture of the login screen. How do you do that?

 

[0128672]

Command-shift-4 will let you take a partial screen screenshot, so you can drag over the area you want to use. This is useful for excluding personal details in the screen. It will save it to your desktop. To add it to a Macrumors post, tap on the image icon in the post, and drag and drop the image from your desktop into that box. To get a screenshot of the whole screen, use command-shift-3.

Take a screenshot on your Mac - Apple Support

Quickly save what's on your screen.

support.apple.com

Edited: are you trying to take an image of the Login Options screen or the actual login screen itself? If the latter, you won't be able to do that. I was asking for a shot of your Preferences > Users & Groups > User > Login Options screen.

 

[maverick100]

Command-shift-4 will let you take a partial screen screenshot, so you can drag over the area you want to use. This is useful for excluding personal details in the screen. It will save it to your desktop. To add it to a Macrumors post, tap on the image icon in the post, and drag and drop the image from your desktop into that box. To get a screenshot of the whole screen, use command-shift-3.

Take a screenshot on your Mac - Apple Support

Quickly save what's on your screen.

support.apple.com

Edited: are you trying to take an image of the Login Options screen or the actual login screen itself? If the latter, you won't be able to do that. I was asking for a shot of your Preferences > Users & Groups > User > Login Options screen.

thanks. I am file vaulting a backup of the main drive. I will send screen shots as soon as that is done. thanks again for the info.

 

[belvdr]

I believe @maverick100 is asking how to configure the machine to require a username and password on boot, where it is only asking for password and the user is auto-filled currently.

I don't know the answer; only here to help clarify.

 

[0128672]

I believe @maverick100 is asking how to configure the machine to require a username and password on boot, where it is only asking for password and the user is auto-filled currently.

I don't know the answer; only here to help clarify.

If that's the case, it would be the Name and Password option.

 

[0128672]

The reason I asked for a screenshot is it almost sounds like the OP might not be seeing the Login Options. A screenshot should help.

 

[maverick100]

thanks for all the help and suggestions. FileVault for me does not work; When starting from a startup; It shows the user icon and only asks for the password. To me that means security is breached. You only need the password to log in. Unable to take screen shot when booted in this mode. This happens even when and ssd is erased and a clean install is performed; and everything is started from scratch; only default apple apps installed.

I have given up on FileVault for now. Maybe I will try it again when the new OSX is released.

thanks again for all the help.

 

[NoBoMac]

That is how it's supposed to work, so not breached.

On Intel Macs without T2:

At boot, the recovery system starts and presents you with the accounts that are authorized to unlock the drive. The account list is kept in a file, EncryptedRoot.plist.wipekey, an encrypted file that contains the encrypted passwords for accounts that can unlock and the first of three encrypted encryption keys (at this stage, an encrypted key to decrypt the key used to decrypt the master encryption key).

When a remote wipe is requested for a machine, that file gets erased rendering the machine unbootable.

More info: https://www.cl.cam.ac.uk/~osc22/docs/cl_fv2_presentation_2012.pdf

On M and T Macs: wipe key file is replaced by the Secure Enclave, but works similar but iOS-ish in that the keys are stored encrypted in a key bag in the Secure Enclave.

https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf

On a Mac with Apple silicon and those with the T2 chip, all FileVault key handling occurs in the Secure Enclave; encryption keys are never directly exposed to the Intel CPU.
All APFS volumes are created with a volume encryption key by default. Volume and metadata contents are encrypted with this volume encryption key, which is wrapped with the class key. The class key is protected by a combination of the user’s password and the hardware UID when FileVault is turned on.

Once the machine drive is unlocked, you now get more options on your login screen.

 

[kitKAC]

thanks for all the help and suggestions. FileVault for me does not work; When starting from a startup; It shows the user icon and only asks for the password. To me that means security is breached. You only need the password to log in. Unable to take screen shot when booted in this mode. This happens even when and ssd is erased and a clean install is performed; and everything is started from scratch; only default apple apps installed.

I have given up on FileVault for now. Maybe I will try it again when the new OSX is released.

thanks again for all the help.

FileVault is working as that's how FileVault works on Intel Macs. You can't take a screenshot at that screen because macOS hasn't loaded yet, once you've unlocked the disk macOS continues to load and then takes you to the Desktop of the user account you logged in as. On Apple Silicon machines that have FileVault enabled, macOS boots first and then you get the normal login screen.

 

[0128672]

FileVault is working as that's how FileVault works on Intel Macs. You can't take a screenshot at that screen because macOS hasn't loaded yet, once you've unlocked the disk macOS continues to load and then takes you to the Desktop of the user account you logged in as. On Apple Silicon machines that have FileVault enabled, macOS boots first and then you get the normal login screen.

Again, it's the login options screen in Preferences > Users & Groups that I was asking for, not the actual login screen.

 

[kitKAC]

Again, it's the login options screen in Preferences > Users & Groups that I was asking for, not the actual login screen.

The options there don't make any difference to what's displayed at the FileVault login screen.

 

[maverick100]

The options there don't make any difference to what's displayed at the FileVault login screen.

Thanks you knew exactly what I was trying to do. Now I know much better how this works.

 

[0128672]

The options there don't make any difference to what's displayed at the FileVault login screen.

Yup, sorry, I didn't read back and hadn't realized there had been so many intervening posts to help define the issue. Glad to hear it's fixed.

 

[Apple_Robert]

If you want a little extra security, it would be a good idea to tick the box labeled name and password for the main login screen that @WildSky mentioned. That way, if someone decides to try and log into your Mac, said person will not be shown what your user name is and said person will have to get that right as well as your password before being able to get access to your Mac, along what the FileVault pass for disc unlocking on Intel Mac.

I have the name and password option ticked just incase anyone gets ideas or steals it. I want to make it as hard as I can for people.

 

[maverick100]

If you want a little extra security, it would be a good idea to tick the box labeled name and password for the main login screen that @WildSky mentioned. That way, if someone decides to try and log into your Mac, said person will not be shown what your user name is and said person will have to get that right as well as your password before being able to get access to your Mac, along what the FileVault pass for disc unlocking on Inel Mac.

I have the name and password option ticked just incase anyone gets ideas or steals it. I want to make it as hard as I can for people.

thanks for the hint. I have tried that several times. For me that only works when you have logged out from an iMac that was already logged in. For me it does not work on any Filevaulted computer that is started ups from a complete shutdown. thanks for the info.

 

[nmt1900]

Startup screen of a filevaulted Mac is not a login screen and cannot be configured from within the system as system itself is not booted when screen is displayed. The fact that it is made to look exactly like login screen might be good from the "seamlessness" perspective of the user experience, but does not show to user what is actually going on and thus it can be misleading. Defaulting to username/password style would certainly put many users off and would not be a viable option considering the fact that this screen is not configurable.

It is essentially baked in to EFI and its' configuration sits in the place which is not user-writeable (theoretically there might be a possibility to overcome it, but disabling SIP and all other related steps can be substantially bigger tradeoff in security).

 

[maverick100]

Startup screen of a filevaulted Mac is not a login screen and cannot be configured from within the system as system itself is not booted when screen is displayed. The fact that it is made to look exactly like login screen might be good from the "seamlessness" perspective of the user experience, but does not show to user what is actually going on and thus it can be misleading. Defaulting to username/password style would certainly put many users off and would not be a viable option considering the fact that this screen is not configurable.

It is essentially baked in to EFI and its' configuration sits in the place which is not user-writeable (theoretically there might be a possibility to overcome it, but disabling SIP and all other related steps can be substantially bigger tradeoff in security).

thanks for the info. I did not understand completely how this worked. Thanks again for your expertise !