Making FileVault Use a Disk Password

31 Mar 2014

To unlock a disk that is encrypted with OS X’s FileVault feature one needs to type in the password that belongs to any user on the machine who is allowed to unlock the disk. The system then boots and helpfully logs you in as that user. In general that is probably a convenient little feature, but for me it just makes things awkward — I want to use different passwords for unlocking the disk and logging into my user account. To make that work I have to create a second account dedicated to unlocking the disk, get logged into that one when the system boots, then immediately log back out so I can log in as the user I actually want to use.

Or do I?

The system that powers FileVault, Core Storage, combines full disk encryption and some logical volume management features in a manner similar to LVM and LUKS on Linux. As a dedicated user of those features on my Linux-based machines, I jumped at the chance to read more about OS X’s version only to discover next to no official documentation whatsoever. On the bright side, after searching some more and then playing around with it for a while I finally figured out how to make it do everything I wanted it to do, including using a disk password. You just have to boot into recovery (or, in my case, the OS X 10.9 install DVD that I threw together) and use the command line.

Create a partition

Since this is a laptop I want to put everything on one huge partition. The utility that handles nearly everything related to disk management on OS X, diskutil, requires us to choose a filesystem type for every partition we tell it to create, so for now we'll mark the partition as journaled HFS+ (jhfs+) and pass the special name %noformat% so that it doesn't actually format it.

# diskutil partitiondisk disk0 1 gpt jhfs+ %noformat% 100%
Started partitioning on disk0
Unmounting disk
Creating the partition map
Waiting for the disks to reappear
Finished partitioning on disk0
/dev/disk0
   #:                       TYPE NAME    SIZE       IDENTIFIER
   0:      GUID_partition_scheme        *256.1 GB   disk0
   1:                        EFI EFI     209.7 MB   disk0s1
   2:                  Apple_HFS         255.7 GB   disk0s2

The system actually created two partitions for us. The first is the small EFI system partition that the firmware reads to start the machine, and the second is the big partition for our data, which spans the rest of the disk.

Or does it?

# gpt show disk0
      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  499446368      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  499856008     262151
  500118159         32         Sec GPT table
  500118191          1         Sec GPT header

It seems to have left a little empty space (262151 sectors, roughly 128 MiB) between the last partition and the secondary GPT at the end of the disk. More on that later.

Create a volume group

The next step is quite familiar to LVM users. Before we can add encryption we need to create a logical volume group that combines one or more partitions (physical volumes) into a single virtual “disk” that we can slice up.

Why allow more than one? That's how Fusion Drive works: the SSD and the hard disk are two physical volumes in one group.

# diskutil cs create vg_sodium disk0s2
Started CoreStorage operation
Touching partition type on disk0s2
Adding disk0s2 to Logical Volume Group
Creating Core Storage Logical Volume Group
Switching disk0s2 to Core Storage
Waiting for Logical Volume Group to appear
Discovered new Logical Volume Group "A642DBC3-644C-4C23-8337-ADBCDD9C85F2"
Core Storage LVG UUID: A642DBC3-644C-4C23-8337-ADBCDD9C85F2
Finished CoreStorage operation

# diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group A642DBC3-644C-4C23-8337-ADBCDD9C85F2
    =========================================================
    Name:         vg_sodium
    Status:       Online
    Size:         255716540416 B (255.7 GB)
    Free Space:   255380987904 B (255.4 GB)
    |
    +-< Physical Volume A39FA7E9-F52F-4FFA-9A70-F07304111115
        ----------------------------------------------------
        Index:    0
        Disk:     disk0s2
        Status:   Online
        Size:     255716540416 B (255.7 GB)

# diskutil list disk0
/dev/disk0
   #:                       TYPE NAME       SIZE       IDENTIFIER
   0:      GUID_partition_scheme           *256.1 GB   disk0
   1:                        EFI EFI        209.7 MB   disk0s1
   2:          Apple_CoreStorage            255.7 GB   disk0s2
   3:                 Apple_Boot Boot OS X  134.2 MB   disk0s3

This changed the type of the second partition and constructed a volume group out of it, but it also created a third, unencrypted Apple_Boot partition ("Boot OS X") holding the minimal data the system needs to boot from a Core Storage volume: the EFI boot loader and the pre-boot login screen that asks for the password before the volume family can be unlocked. That code necessarily lives outside the encrypted volume, since it has to run before anything inside can be read. A quick look at the partition table shows that it carved this out of the space it reserved at the end of the disk earlier:

# gpt show disk0
      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  499446368      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  499856008     262144      3  GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
  500118152          7
  500118159         32         Sec GPT table
  500118191          1         Sec GPT header
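The two gpt show listings above make a checkable claim: the 262151 free sectors before the secondary GPT became a 262144-sector Apple_Boot partition plus 7 leftover sectors, and no row overlaps another. The following helpers are an added example, not part of the original post: they read gpt show output on stdin and report free runs, confirm the table tiles the disk with no holes, and look for the Apple_Boot type GUID (426F6F74-..., "Boot" in ASCII). The function names are this example's own; the embedded table is the post's second listing, so the script runs on a machine without a Mac.

```sh
#!/bin/sh
# Added example (not from the original post). Helpers for checking a
# `gpt show` listing; pipe live output in with `gpt show disk0 | ...`.

# Print every unallocated run as "start size". In gpt(8) output the rows
# that carry only two numbers (no index, no contents) are free space.
gpt_free_runs() {
    awk 'NR > 1 && NF == 2 { print $1, $2 }'
}

# Succeed if an Apple_Boot helper partition is present: its type GUID
# is 426F6F74-0000-11AA-AA11-00306543ECAC ("Boot" in ASCII).
gpt_has_boot_helper() {
    grep -q '426F6F74-0000-11AA-AA11-00306543ECAC'
}

# Every row, allocated or not, must start exactly where the previous one
# ends; report the first hole or overlap and fail if there is one.
gpt_check_contiguous() {
    awk 'NR > 1 && NF >= 2 {
             if (seen && $1 != want) {
                 printf "discontinuity at %d (expected %d)\n", $1, want
                 bad = 1
             }
             want = $1 + $2; seen = 1
         }
         END { exit bad ? 1 : 0 }'
}

# The layout after `diskutil cs create`, copied from the post above.
GPT_AFTER_CS='      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  499446368      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  499856008     262144      3  GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
  500118152          7
  500118159         32         Sec GPT table
  500118191          1         Sec GPT header'

# Run the three checks over the embedded table.
printf '%s\n' "$GPT_AFTER_CS" | gpt_free_runs
printf '%s\n' "$GPT_AFTER_CS" | gpt_check_contiguous && echo "table is contiguous"
printf '%s\n' "$GPT_AFTER_CS" | gpt_has_boot_helper && echo "Apple_Boot helper present"
```

On the post's second table this prints the two free runs, "34 6" and "500118152 7", and both checks pass; on the first table (before Core Storage) the trailing run is "499856008 262151" and no Apple_Boot GUID is found.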

Create a logical volume

LVM has three layers: physical volumes, volume groups, and logical volumes. Since Core Storage includes encryption it adds a fourth layer, the logical volume family, between the volume group and logical volume levels. When you boot a FileVault-enabled system it's the volume family that your password unlocks; the encryption belongs to the family, not to the individual volume, which is why the encryption fields in the listing below appear at that level. The final step before we can install OS X is to create an encrypted volume family and the logical volume that we will actually install onto.

# diskutil cs createvolume vg_sodium jhfs+ 'Macintosh HD' 100% -passphrase
Passphrase for new volume:
Confirm new passphrase:
Started CoreStorage operation
Waiting for Logical Volume to appear
Formatting file system for Logical Volume
Initialized /dev/rdisk13 as a 238 GB case-insensitive HFS Plus volume with a 24576k journal
Mounting disk
Core Storage LV UUID: 46A6CA83-9CDC-4978-ADF2-E4DC3F203DBD
Core Storage disk: disk13
Finished CoreStorage operation

# diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group A642DBC3-644C-4C23-8337-ADBCDD9C85F2
    =========================================================
    Name:         vg_sodium
    Status:       Online
    Size:         255716540416 B (255.7 GB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume A39FA7E9-F52F-4FFA-9A70-F07304111115
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     255716540416 B (255.7 GB)
    |
    +-> Logical Volume Family AC7B483C-0524-4ACF-8083-9EFD963F81A5
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 46A6CA83-9CDC-4978-ADF2-E4DC3F203DBD
            ---------------------------------------------------
            Disk:                  disk13
            Status:                Online
            Size (Total):          255380987904 B (255.4 GB)
            Conversion Progress:   -none-
            Revertable:            No
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS

Now we have a disk called “Macintosh HD” that is encrypted with its own non-user-specific password, formatted, and ready to go. Just switch back to the OS X installer and let it run.
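The three recovery-mode steps above (partition, volume group, encrypted volume) are easy to get wrong when retyping them against the wrong disk identifier, so here they are as one script. This is an added example and not code from the original post: it defaults to a dry run that only prints the diskutil commands, refuses anything but a whole-disk identifier, and afterwards checks the volume family in diskutil cs list output for AES-XTS, Passphrase Required and Fully Secure. The names disk0, vg_sodium and "Macintosh HD" are the post's; DRY_RUN, the function names and the sample listing are this example's own. Run it as root from the Recovery or installer Terminal with DRY_RUN=0 to actually partition, and expect it to destroy everything on the disk.

```sh
#!/bin/sh
# Added example (not from the original post): the recovery-mode procedure
# as one script with a dry-run mode (default) and a post-creation check.
# DRY_RUN=0 as root really partitions DISK and destroys its contents.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Echo a command (quoting arguments that contain spaces) in dry-run mode,
# execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s' '+'
        for arg in "$@"; do
            case "$arg" in
                *" "*) printf " '%s'" "$arg" ;;
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        "$@"
    fi
}

# Accept only a whole-disk identifier such as disk0, never a slice like
# disk0s2 or a /dev path: partitionDisk wipes whatever it is given.
check_disk_id() {
    case "$1" in
        disk[0-9]|disk[0-9][0-9]) return 0 ;;
        *) echo "refusing '$1': expected a whole disk like disk0" >&2; return 1 ;;
    esac
}

# Steps 1-3 of the post: one HFS+-typed GPT partition left unformatted
# (%noformat%), a Core Storage LVG on it, then an encrypted family with a
# JHFS+ volume. diskutil itself prompts for the disk passphrase (twice).
provision_disk() {
    disk="$1"; vg="$2"; lvname="$3"
    check_disk_id "$disk" || return 1
    run diskutil partitionDisk "$disk" 1 GPT jhfs+ %noformat% 100%
    run diskutil cs create "$vg" "${disk}s2"      # slice 1 is the EFI partition
    run diskutil cs createVolume "$vg" jhfs+ "$lvname" 100% -passphrase
}

# Read `diskutil cs list` output on stdin; succeed only if the volume
# family reports all three properties we want from a FileVault disk.
verify_lvf() {
    awk '
        /Encryption Type:/     && $NF == "AES-XTS" { enc = 1 }
        /Passphrase Required:/ && $NF == "Yes"     { pw  = 1 }
        /Fully Secure:/        && $NF == "Yes"     { sec = 1 }
        END { exit (enc && pw && sec) ? 0 : 1 }'
}

# Constructed stand-in for `diskutil cs list` output (fields as in the
# post, placeholder UUID), used in dry-run mode on machines without
# Core Storage.
SAMPLE_CS_LIST='+-> Logical Volume Family 00000000-0000-0000-0000-000000000000
    Encryption Status:       Unlocked
    Encryption Type:         AES-XTS
    Conversion Status:       Complete
    Has Encrypted Extents:   Yes
    Fully Secure:            Yes
    Passphrase Required:     Yes'

main() {
    provision_disk disk0 vg_sodium 'Macintosh HD'
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$SAMPLE_CS_LIST" | verify_lvf
    else
        diskutil cs list | verify_lvf
    fi
    echo "volume family is AES-XTS, passphrase-protected and fully secure"
}

main
```

The verification step is the part worth keeping even if you type the commands by hand: a Core Storage group created without -passphrase (a plain Fusion Drive, say) lists Encryption Type None and Passphrase Required No, and nothing else in the boot sequence will warn you.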

Create a recovery key

After the installer finishes and the system reboots we see the familiar FileVault login screen with just one option: “Disk Password.” Success! Now we just enter that, run through the usual first-time boot stuff, and finally open up a terminal to create a recovery key:

$ sudo fdesetup changerecovery -personal
Enter a password for '/':
New recovery key = 'XPO6-E4OL-XQG6-TGV9-GFOZ-GB8M'

Add more users

Since I generally don't log in with an administrative account I created a second, regular user, but then the next time I rebooted I discovered a problem: the FileVault password screen asked for the disk password or the new user's password. Thankfully, removing that user from the list of choices is simple. The account itself is untouched and can still log in once the disk has been unlocked with the disk password; it just can no longer unlock the disk:

$ sudo fdesetup remove -user gholms
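Since every new account may show up on the pre-boot screen again, the check worth repeating after each reboot is to compare fdesetup list against the users you actually want there and remove the rest. The script below is an added example, not code from the original post: it reads fdesetup list output on stdin (one "username,UUID" line per enabled user) and removes every user not on an allow-list, printing the commands by default. DRY_RUN, the function names and the sample list are this example's own; with DRY_RUN=0 it must run as root.

```sh
#!/bin/sh
# Added example (not from the original post): prune FileVault's list of
# users who can unlock the disk down to an allow-list. Reads
# `fdesetup list` output on stdin. DRY_RUN=0 (as root) executes the
# removals; the default only prints them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# $1: space-separated user names allowed to unlock the disk. An empty
# list leaves only the disk password and the recovery key.
fdesetup_prune() {
    keep=" $1 "
    while IFS=, read -r user uuid; do
        [ -n "$user" ] || continue          # skip blank lines
        case "$keep" in
            *" $user "*) ;;                 # allow-listed, leave alone
            *) run fdesetup remove -user "$user" ;;
        esac
    done
}

# Constructed sample of `fdesetup list` output: two accounts that were
# added to the unlock list alongside the disk password.
SAMPLE_LIST='admin,11111111-1111-1111-1111-111111111111
gholms,22222222-2222-2222-2222-222222222222'

# Keep nobody: every listed account loses its ability to unlock the disk.
# Live use, as root with DRY_RUN=0 in the environment:
#   fdesetup list | fdesetup_prune ""
printf '%s\n' "$SAMPLE_LIST" | fdesetup_prune ""
```

Removing a user here only takes away its FileVault unlock ability; the account, its password and its home directory are unaffected, and the recovery key created earlier keeps working as a fallback.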

Open questions

Now that I have gone through all this my machine finally seems to be working exactly the way I want it to, but a few unanswered questions still remain in the back of my mind:

  • How am I supposed to do this on a newer Mac that ships with neither an install DVD nor an upgrade application that I can turn into one?
  • How do I make OS X stop automatically adding new users to FileVault’s password list?
  • Where is the official Core Storage documentation?

Do you know the answers to any of these? Leave a comment!

2 Responses to “Making FileVault Use a Disk Password”

  1. friendly_hint_giver Says:

    Mr rtrouton at gmail dot com might have answers to your questions. He is writing the famous http://derflounder.wordpress.com/ blog.

  2. hspencer77 Says:

    Reblogged this on More Mind Spew-age from Harold Spencer Jr. and commented:
    Great use of FileVault on Mac OS X.
