It is not very easy to have separate passwords to unlock the full disk encryption (FileVault) and the user account on OS X. OS X tries very hard to keep the login users and the FileVault users synchronized, but with a few Terminal commands it is possible to separate them by creating another account that can only be used to unlock FileVault.
sudo fdesetup validaterecovery and entering it in Terminal.)
First, open System Preferences and go to the Users & Groups pane. Create a new standard user. This will be the account seen when the computer is turned on and FileVault needs to be unlocked, so name it accordingly and set a strong password. For the short username, I used filevaultlogin so it can be managed easily. Finalize it, then click on the Login Options tab and uncheck ‘Show fast user switching menu as…’. Close System Preferences and open Terminal.
In Terminal, run
sudo dscl . create /Users/filevaultlogin IsHidden 1
(Change filevaultlogin to the correct short name.) This command sets the account to hidden. This does not affect FileVault’s list, but the account will no longer appear in the standard login list or System Preferences. Hiding the account has the side effect of showing an ‘Other Users’ option in the login list, which can be hidden by running
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool NO
Then run
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
This command stops OS X from automatically logging in as the account that unlocked FileVault, so a different account can be used to log in to the computer.
The above instructions added a new account that can be used to unlock FileVault only. At this point, you should restart and ensure that this is true. If this is correct, you can remove your standard user login from FileVault by running
sudo fdesetup remove -user <shortname>
(replacing <shortname> with your account’s short name). Reboot again to check your work; no further setup is required.
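A check to run before the fdesetup remove step above, added here as an example and not part of the original post: it parses the shortname,UUID lines printed by sudo fdesetup list and reports whether the dedicated account can unlock the disk. The short name alice, the sample UUIDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify FileVault unlock state from `fdesetup list` output.
# The short names filevaultlogin and alice are placeholders.

# fv_users: read "shortname,UUID" lines on stdin and print the short names.
fv_users() {
    awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# fv_has_user LIST NAME: succeed only on an exact short-name match.
fv_has_user() {
    printf '%s\n' "$1" | fv_users | grep -Fxq -- "$2"
}

# fv_state LIST UNLOCK_USER LOGIN_USER prints one of:
#   no-unlock-user   dedicated account cannot unlock the disk; remove nobody
#   ready-to-remove  both can unlock; LOGIN_USER can now be removed
#   separated        of the two, only the dedicated account can unlock
fv_state() {
    if ! fv_has_user "$1" "$2"; then
        echo no-unlock-user
    elif fv_has_user "$1" "$3"; then
        echo ready-to-remove
    else
        echo separated
    fi
}

# Constructed samples of `sudo fdesetup list` output (UUIDs are made up).
SAMPLE_BEFORE='alice,11111111-2222-3333-4444-555555555555
filevaultlogin,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_AFTER='filevaultlogin,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

fv_state "$SAMPLE_BEFORE" filevaultlogin alice   # ready-to-remove
fv_state "$SAMPLE_AFTER" filevaultlogin alice    # separated

# On a Mac, as root, also report the live state and the two settings.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    fv_state "$(fdesetup list)" filevaultlogin alice
    dscl . read /Users/filevaultlogin IsHidden
    defaults read /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin
fi
```

If the live check prints no-unlock-user, leave your own account in FileVault until the dedicated account shows up in the list.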
Undoing the change
To re-enable a user account for FileVault unlocking, run
sudo fdesetup add -usertoadd <shortname>
This command asks for two passwords. In the first line, enter either the recovery key or any valid FileVault login. In the second, enter the password for the account you are adding. Unhide the FileVault account with
sudo dscl . create /Users/filevaultlogin IsHidden 0
allow skipping the second login with
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool NO
and delete the FileVault account in System Preferences. To show the ‘Other Users’ option again (for the root account or other purposes), run the same command as above, replacing