Separate File Vault and Login Passwords

Written by Josh on April 02, 2016

It is not very easy to have separate passwords to unlock the full disk encryption (File Vault) and the user account on OS X. It tries very hard to synchronize the login users and the File Vault users, but with a few Terminal commands it is possible to separate them by creating another account that can only be used to unlock File Vault.

Before starting any of these steps, ensure you have a current backup and know the recovery key. (You can confirm the recovery key is valid by running sudo fdesetup validaterecovery in Terminal and entering the key when prompted.)

First, open System Preferences and go to the Users & Groups pane. Create a new standard user. This will be the account seen when the computer is turned on and File Vault needs to be unlocked, so name it accordingly and set a strong password. For the short username, I used filevaultlogin so it can be managed easily. Finalize it, then click on the Login Options tab and uncheck ‘Show fast user switching menu as…’. Close System Preferences and open Terminal.

In Terminal, run sudo dscl . create /Users/filevaultlogin IsHidden 1. (Change filevaultlogin to the correct short name.) This command marks the account as hidden. This does not affect File Vault’s list of enabled users, but the account will no longer appear in the standard login list or in System Preferences. Hiding an account has the side effect of showing an ‘Other Users’ option in the login list, which can be removed by running sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool NO.

Finally, execute sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES. This setting stops the account that unlocked File Vault from being logged in automatically, so a different account can be used to unlock File Vault and to log in to the computer.

The above instructions added a new account that can be used to unlock File Vault only. At this point, you should restart and confirm that this is the case. If it is, you can remove your standard user account from File Vault by running sudo fdesetup remove -user <shortname> (substituting your account’s short name). Reboot again to check your work; no further setup is required.
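A quick way to check the end state after that reboot is to compare the list of File Vault-enabled users against what you intended. The script below is an added example, not part of the original post: fv_check reads the output of sudo fdesetup list (one "shortname,GeneratedUID" line per enabled user) on standard input and reports whether only the unlock account is enabled, and hidden_check reads the output of dscl . read /Users/<shortname> IsHidden to confirm the account is hidden. The account names filevaultlogin and josh and the UUIDs in the sample data are assumptions/placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the end state of the
# separate-unlock-account procedure.
#
# Usage on a real machine (names are assumptions, adjust to your accounts):
#   sudo fdesetup list | fv_check filevaultlogin josh
#   dscl . read /Users/filevaultlogin IsHidden | hidden_check

# fv_check UNLOCK_USER LOGIN_USER
# Reads `fdesetup list` output from stdin. Returns 0 only when UNLOCK_USER is
# enabled, LOGIN_USER is not, and no other account is enabled.
fv_check() {
    unlock_user="$1"   # account that should be the only File Vault unlocker
    login_user="$2"    # standard login account that should NOT unlock the disk
    unlock_seen=0
    login_seen=0
    others=""
    while IFS=, read -r name _uuid; do
        [ -z "$name" ] && continue
        case "$name" in
            "$unlock_user") unlock_seen=1 ;;
            "$login_user")  login_seen=1 ;;
            *)              others="$others $name" ;;
        esac
    done
    status=0
    if [ "$unlock_seen" -ne 1 ]; then
        echo "FAIL: $unlock_user is not File Vault-enabled; it cannot unlock the disk"
        status=1
    fi
    if [ "$login_seen" -eq 1 ]; then
        echo "FAIL: $login_user can still unlock File Vault (sudo fdesetup remove -user $login_user)"
        status=1
    fi
    if [ -n "$others" ]; then
        echo "WARN: other File Vault-enabled accounts:$others"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: only $unlock_user can unlock File Vault"
    return "$status"
}

# hidden_check
# Reads `dscl . read /Users/<name> IsHidden` output ("IsHidden: 1") from stdin.
# Returns 0 when the account is hidden, 1 otherwise.
hidden_check() {
    while read -r key value; do
        [ "$key" = "IsHidden:" ] && [ "$value" = "1" ] && return 0
    done
    return 1
}

# Stand-alone demo on constructed sample output (placeholder UUIDs, not real).
SAMPLE_BEFORE='josh,00000000-0000-0000-0000-000000000001
filevaultlogin,00000000-0000-0000-0000-000000000002'
SAMPLE_AFTER='filevaultlogin,00000000-0000-0000-0000-000000000002'

echo "Before running fdesetup remove:"
printf '%s\n' "$SAMPLE_BEFORE" | fv_check filevaultlogin josh || true
echo "After running fdesetup remove:"
printf '%s\n' "$SAMPLE_AFTER" | fv_check filevaultlogin josh
```

Run it with sh on the Mac after the second reboot; a non-zero exit from fv_check means the standard account can still unlock the disk (or the unlock account cannot), which is exactly the state the procedure is meant to rule out.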

Undoing the change

To re-enable a user account for File Vault unlocking, run sudo fdesetup add -usertoadd <shortname>. This command asks for two passwords. At the first prompt, enter either the recovery key or the password of any account that can currently unlock File Vault. At the second, enter the password for the account you are adding. Unhide the File Vault account with sudo dscl . create /Users/filevaultlogin IsHidden 0, allow skipping the second login with sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool NO, and delete the File Vault account in System Preferences. To show the ‘Other Users’ option again (for the root account or other purposes), run the same SHOWOTHERUSERS_MANAGED command as above, replacing NO with YES.

Copyright © 2014-2016 Joshua Oldenburg