macOS 10.13.4 High Sierra and later

What is FileVault?

FileVault is Apple’s marketing name for whole-disk encryption. The principle is very simple: take a key and encrypt the whole hard disk with it. More specifically, FileVault uses XTS-AES-128 encryption with a 256-bit key. This key in turn is stored on a special partition of the boot volume, not in cleartext (guess why), but encrypted with the log-in password of each local user of that volume.

When a Macintosh starts up (all our Macintosh computers have encrypted boot volumes), a special firmware stage is loaded whose only job is to obtain this key by unlocking it with the password of an authorized user. No operating system is loaded at that point; that happens only after the disk has been unlocked.

Active Directory users have a problem here

A network user managed by our Active Directory (AD) needs to be added separately, because in general FileVault automatically adds only local users.

Manually adding AD users to FileVault

  • Let the AD user log in to create a mobile account (the AD plug-in should be configured to do that).

  • Restart and log in as a local administrator.

  • Open the Security and Privacy control panel of System Preferences and choose the FileVault tab.

  • Click the padlock and identify as administrator.

  • Click Enable Users next to the warning Some users are not able to unlock the disk. If such a warning is not present, there are no AD users to enable.

  • For each user in the list that pops up (typically the user who logged in in step one above), enter that user's login password.

  • Click OK and close System Preferences.

  • Final step: Open Terminal, then

    • if the boot volume is formatted with HFS+ (older Macs), run the command
      sudo fdesetup sync

    • if the boot volume is formatted with APFS, run the command
      diskutil apfs updatepreboot <volumeDevice>

    where volumeDevice is the device ID of the boot volume (not the container). For the default volume, the command

      diskutil apfs updatepreboot /

    can also be used.

Avoid auto-login after unlocking the startup volume

By default, macOS automatically logs in the user who has unlocked the startup volume at boot time. If this is not the intended behavior (for example, when an 802.1X login is needed or a network user should be able to log in), log in as an admin user, open Terminal and tell FileVault to show the login window instead:

	sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

If you wish to return to the default auto-login behavior, just delete the defaults key:

	sudo defaults delete /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin
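An added audit script (not part of the original page) that ties the two procedures above together: it lists the mobile (AD) accounts that cannot yet unlock the FileVault volume, picks the HFS+ or APFS sync command from the final step, and reports the DisableFDEAutoLogin setting. The parsing helpers work on text arguments with constructed sample data; the live branch assumes the macOS tools `fdesetup list`, `dscl . -list /Users OriginalNodeName`, `diskutil info /` and `defaults read` and only runs on a Mac with `--live`.

```shell
# Added example, not from the original page: audit which mobile (AD) accounts can
# unlock the FileVault boot volume and which final sync step applies. The helpers
# take text arguments so they run offline; only the guarded block at the end calls
# real macOS tools (assumed: fdesetup list, dscl . -list /Users OriginalNodeName,
# diskutil info /, defaults read).

# $1: output of `fdesetup list` ("user,UUID" per enabled user); $2: mobile-account names.
# Prints the mobile accounts that cannot unlock the disk yet.
missing_fv_users() {
    local fv_list="$1" u
    for u in $2; do
        # the user name is the field before the comma at the start of a line
        printf '%s\n' "$fv_list" | grep -q "^${u}," || printf '%s\n' "$u"
    done
}

# $1: "File System Personality" of the boot volume as shown by `diskutil info /`.
# Prints the preboot sync command from the page's final step.
preboot_sync_command() {
    case "$1" in
        APFS*) echo "diskutil apfs updatepreboot /" ;;
        *HFS*) echo "sudo fdesetup sync" ;;
        *)     echo "unknown file system: $1" >&2; return 1 ;;
    esac
}

# $1: DisableFDEAutoLogin as printed by `defaults read` (empty when the key is unset).
autologin_status() {
    case "$1" in
        1|YES|true) echo "login window shown after unlock" ;;
        *)          echo "auto-login after unlock (default)" ;;
    esac
}

# Constructed sample data: two FileVault-enabled users, three mobile accounts.
SAMPLE_FV_LIST='admin,00000000-0000-0000-0000-000000000001
jdoe,00000000-0000-0000-0000-000000000002'
SAMPLE_MOBILE_USERS='jdoe asmith bkim'
demo_audit() { missing_fv_users "$SAMPLE_FV_LIST" "$SAMPLE_MOBILE_USERS"; }
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    # Real audit on a Mac (fdesetup needs root); mobile accounts carry OriginalNodeName.
    mobile=$(dscl . -list /Users OriginalNodeName | awk '{print $1}' | tr '\n' ' ')
    missing_fv_users "$(sudo fdesetup list)" "$mobile"
    fs=$(diskutil info / | awk -F': *' '/File System Personality/ {print $2}')
    echo "after enabling them, run: $(preboot_sync_command "$fs")"
    autologin_status "$(defaults read /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin 2>/dev/null)"
else
    demo_audit   # offline demo prints: asmith, bkim
fi
```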