Mojave & Filevault

[Tsimonj]

I formatted my hard disk as APFS encrypted, then installed Mojave.
When I did this with High Sierra I was asked for BOTH the disk password and then my login.
Under Mojave my User login now 'automatically' unlocks the disk (no separate disk password is requested).
For added security I WANT to be asked for both the Disk password and the user login.
I assume the disk password is 'stored somewhere in my keychain.
How do I remove the 'stored' disk unlock password from my account so that I have to use both passwords to unlock my computer?

 

[archvile]

I did the same thing, unfortunately it seems FileVault takes over unlocking the disk with your user account once you log in the first time. However, this level of security is fine with me as encryption is encryption and having a 2nd password is redundant if your login password is strong enough.

Maybe try searching through keychain to see if it is storing the disk password somewhere?

Also something most people forget - make sure you have enabled a Firmware password in recovery. Otherwise your levels of security are pretty much useless.

 

[posguy99]

Also something most people forget - make sure you have enabled a Firmware password in recovery. Otherwise your levels of security are pretty much useless.

Pointing out that not having a firmware password doesn't magically unlock the FileVault volume. All it prevents is someone erasing the FileVault volume and reinstalling the OS. Hardly "useless" security, as having FV or not doesn't stop someone from stealing the device from me, so my data is what matters. Not what they might or might not be able to physically do with the hardware afterwards...

 

[archvile]

Pointing out that not having a firmware password doesn't magically unlock the FileVault volume. All it prevents is someone erasing the FileVault volume and reinstalling the OS. Hardly "useless" security, as having FV or not doesn't stop someone from stealing the device from me, so my data is what matters. Not what they might or might not be able to physically do with the hardware afterwards...

I never said it had anything to do with FileVault specifically. I was referring more to if your computer gets stolen, of course your data would be secured, but the thief could simply wipe the OS (or do a PRAM reset, which for some inexplicable reason still disables Find my Mac) and continue to use it. They won't be able to do either of these with a Firmware password enabled. I was just throwing that out there because I don't think most people use it, as to most people it's "just another password to remember."

 

[tkermit]

Have a look at the man page for fdesetup.

sudo fdesetup remove -user <username>

should work:

The remove command will remove a user from FileVault given either the user
name or the FileVault UUID.

remove -uuid user_uuid | -user username [-verbose]
Removes enabled user from FileVault. It will not remove the
user if it's the last OS user on the volume.