Restrict access to encrypted external disk to local standard user

[Thor774]

Hello.
My Mac had only 1 user (me) until now. This user has default admin rights.
I have 2 external disks encrypted, one with APFS the other Mac OS Extended (Journaled), they are always attached to my Mac and the encryption keys are stored in macOS keychain. I'm on macOS Monterey 12.6.
I just created a standard user locally for my daughter (no iCloud syncing). While logged as her I see that the user has access to the external disks. Is it possible to restrict / deny access from this account to these? I was thinking that there was a keychain per user on the system, and that standard users didn't have access to the encryption keys of external volumes from other users, but it looks like macOS share these keys with everybody logged locally in the system.
Any ideas on how to solve this?

 

[mfram]

It's not that the keys are "shared" to other users. The key is used to mount the drive to the system. Once the key is used to decrypt the drive and it is mounted, it is mounted to the entire machine. Use the "Get Info" option on the mounted drive. On the external drive I have mounted it appears the option "Ignore ownership on this volume" is set. That may be the default. That effect is that it disables security to access the drive. You'd have to turn that option off. Then you can set a folder on the drive (or the entire drive) turn off access to "staff" and "everyone". In other words, only allow access to your account.

 

[Thor774]

Thanks for the tip. Do you know if it is possible to activate a deny access permission just for a specific user account?
If I turn off access to staff and everyone and only let it enable for my account as you suggest, what would happen if I have to connect the external drive to another computer? Would the data be inaccessible after providing the decryption key if the only account that has access is set as my account on my Mac?

 

[gilby101]

Would the data be inaccessible after providing the decryption key if the only account that has access is set as my account on my Mac?

In Finder: Yes inaccessible, unless the two accounts have the same UID (the first user created on each is UID 501).
In Terminal: No, because you can use sudo to list or copy files with root access.

Do you know if it is possible to activate a deny access permission just for a specific user account?

Yes, it is possible. But it is more complex than just the RWX, user, group and world scheme inherited from unix. Modern OS's use Access Control Lists (ACLs) to create much more complex rules. Something like:

chmod +a "user deny list,add_file,delete,add_subdirectory" <path to folder>

man chmod has some examples.

See the second answer here https://apple.stackexchange.com/que...ess-restrict-permission-to-a-user-on-a-folder

From how you describe what you want, an ACL on top level folders (or even the volume) is the way to go. But you will need to experiment.