![]() ![]() Also, in the event of theft you want to be confident that even your backups cannot be used to provide confidential information to the thieves. In the event of a need to restore from a back up you need a system that is robust – you don’t want to find that your backup is corrupted or otherwise of no use right when you need it. The importance of doing this correctly came to the fore of my thinking after my brother had his laptop stolen. It was way too hard, but I figured out how to have different passwords for FDE (FileVault 2) and sudo/login in macOS following article describes how I’ve set up a system for Mac backups that is robust and secure. Note: Carbon Copy Cloner has opinions about how you should enable FileVault 2, ignore them, because it wants you to get the nicely integrated user/password experience that we are trying to avoid :)įinally, you might want to follow me on Twitter. don't forget to securely wipe the external drive.use CCC to restore your system from the external drive to the target drive.use CCC to create a Recovery HD on the target drive.use Disk Utility to Erase the target drive, making a single "Mac OS Extended (Journaled)" partition.use CCC to make a bootable copy of your system on an external drive.(Really make a backup.) You have two options: either unencrypt and follow the instructions above, or wipe the drive and use Carbon Copy Cloner. Once booted into an external drive, open Finder, right click on the Macintosh HD disk in the sidebar and select Encrypt.ĭon't forget to securely wipe the external drive. CCC is also excellent to manage the Recovery HD partition if you end up nuking it.īoot pressing option to select the boot disk. The easiest way to do this is by using Carbon Copy Cloner to make a bootable drive. You first need to boot from an external drive. This is a little trickier, and I wouldn't do this without a backup. Choose "Mac OS Extended (Journaled, Encrypted)" and select your FDE passphrase.Įxit Disk Utility, connect to Wi-Fi, and (re)install macOS on the Macintosh HD partition. Then, select the Macintosh HD partition (not the whole drive, you don't want to kill the Recovery HD and make the installer shrink your partition to make a new one) and click Erase. If you are installing a new machine and don't care about wiping the entire thing, it's fairly easy.įirst, boot into recovery mode by pressing ⌘-R while starting the machine, and select Disk Utility. Getting there is not easy, but once we do the firmware just happily asks for our "Disk Password", unlocks the disk, and continues booting. What we want is a mix of the external drive encryption with its custom passphrase and the Recovery HD boot process. In that case there is no Recovery HD, and there is a single encrypted partition, which can be unlocked not by username/password pairs, but by plain disk passwords. The FileVault 2 encryption is controlled by the resident OS and unlockable by a set of username/password accounts.įileVault 2 can also be used to encrypt external drives. So the default FileVault 2 FDE setup involves a unencrypted hidden Recovery HD, and an encrypted container partition, with your actual partitions inside. This is the system that decrypts the main partition and then boots from it when you have FDE enabled. How it does that is with an EFI firmware, and the support of a couple hidden partitions, one of them called Recovery HD. If you boot pressing ⌘-R, for example, it will boot into a recovery mode capable of reinstalling the system. MacOS can do a lot of things before booting the main system. ![]() However, support for it is present in the firmware. There is no documented way of setting different passwords for the disk encryption and the OS user. Overloading the login/unlock/sudo password is an understandable UX simplicity choice, but makes it very hard to manage the security tradeoff: you want an easy to type password for login (which can't be bruteforced offline), but you want a complex long passphrase for FDE. ![]() Normally, it's turned on from System Preferences, and locks the disk with the passwords of all the users allowed to unlock the machine. Setting a custom FileVault (macOS FDE) passphraseįileVault 2 is the full-disk encryption system of macOS. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |