Making FileVault Use a Disk Password -- 10.14 Edition

I previously wrote about how to make Mac OS’s FileVault disk encryption feature use separate passwords for unlocking the disk and logging into the system once it is running. This allows for better separation of concerns, but it goes against the proverbial grain, as the front end for FileVault tries its best to keep the passwords for unlocking the disk in sync with passwords for user accounts in an effort to keep people from locking themselves out of their machines.

This design remains true today, though the tech is different: rather than using HFS+ volumes and Core Storage volume groups, Mac OS now uses APFS volumes and APFS containers to do the same job. Surprisingly, the main roadblock that caused me to write this article is not the new storage back end, but rather several changes to Mac OS 10.14 that make it far more aggressive about the way it handles FileVault passwords:

When initial setup runs from a FileVault-encrypted disk, it refuses to create the first user unless it can also add that user to FileVault.
fdesetup, the tool for managing users on FileVault volumes, refuses to delete the last user from a volume even if that volume has a disk password.
The boot-time program that unlocks the disk refuses to allow one to enter a disk password at all if the volume has any users.
You cannot add a disk password to a volume with users.

Previously, one could simply install the system as usual and delete the user created during initial setup, but these changes now make that impossible. I worked around this by skipping initial setup entirely.

Create an APFS container and volume

APFS is similar to ZFS and btrfs in that formatting a partition with it creates a container and carves that up into thin volumes that occupy only the space that their contents need. An APFS volume can optionally reserve a minimum amount of space or specify a maximum that it is allowed to take, but by default it has neither. Creating an APFS container and an encrypted volume to install Mac OS onto is simpler than it was with Core Storage, taking only two commands while booted into an installer disk:

# diskutil apfs createcontainer disk0s2
Creating container with disk0s2
Started APFS operation on disk0s2 Untitled
Creating a new empty APFS Container
Unmounting Volumes
Switching disk0s2 to APFS
Creating APFS Container
Created new APFS Container disk1
Disk from APFS operation: disk1
Finished APFS operation on disk0s2 Untitled

# diskutil apfs addvolume disk1 apfs 'Macintosh HD' -passprompt
Passphrase:
Repease passphrase:
Exporting new encrypted APFS Volume "Macintosh HD" from APFS Container Reference disk1
Started APFS operation on disk1
Preparing to add APFS Volume to APFS Container disk1
Creating APFS Volume
Created new APFS Volume disk1s1
Mounting APFS Volume
Setting volume permissions
Disk from aPFS operation: disk1s1
Finished APFS operation on disk1

Though the underlying technology is different, logically, this setup is largely the same as what we had before.

# diskutil apfs list
APFS Container (1 found)
|
+-- Container disk1 1AA9AEE4-521E-4AA6-9BA9-08FD20DBF6AE
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      380295426048 B (380.3 GB)
    Capacity In Use By Volumes:   149790720 B (149.8 MB) (0.0% used)
    Capacity Not Allocated:       380145635328 B (380.1 GB) (100.0% free)
    |
    +-< Physical Storage disk0s2 B0646769-963F-4322-89A5-4D2E63510C70
    |   -------------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       380295426048 B (380.3 GB)
    |
    +-> Volume disk1s1 6296A941-52A6-42DF-93C6-363944FA5DB0
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s1 (No specific role)
        Name:                      Macintosh HD (Case-insensitive)
        Mount Point:               /Volumes/Macintosh HD
        Capacity Consumed:         20480 B (20.5 KB)
        FileVault:                 Yes (Unlocked)

Now that the machine has an encrypted volume to install to, return to the installer and install Mac OS onto it. Once it is installed it will prompt for the disk password and then boot into initial setup.

Create the first user by hand

We can’t use the machine without creating a user, but if we proceed through the setup process to create one it will prompt for the disk password, add the new user to FileVault, and we will be stuck with it since we can’t remove it. Stuck between a rock and a hard place, we have little choice but to bypass this setup process entirely and try and replicate what it does by hand. Turn the machine off by quitting the installer with Command+Q, then reboot into single-user mode by holding Command+S and turning it back on again.

Once booted into single-user mode (note that since we didn’t create a user the disk password still works), we get to add the initial user by hand. This is a more ardurous process than it is on most other unix-ish systems because Mac OS stores user accounts in a directory service that it runs locally, similar to if a Linux machine were to run a small OpenLDAP instance instead of using passwd(5) and group(5) files. This service does not run in single user mode, so we need to remount the disk for writing and start it.

# mount -uw /
# launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

Then add the bits that comprise a user account, one at a time. This will show some errors that appear to be there because the file name from the previous command is new in version 10.14 and the dscl command was never updated to address the change.

# dscl . -create /Users/gholms
# dscl . -create /Users/gholms UserShell /bin/zsh
# dscl . -create /Users/gholms RealName "gholms"
# dscl . -create /Users/gholms UniqueID 501
# dscl . -create /Users/gholms PrimaryGroupID 20
# dscl . -create /Users/gholms NFSHomeDirectory /Local/Users/gholms

UniqueID, the user’s ID number, can be any number greater than 500. The setup program normally uses 501 for the first user, so we do, too. The PrimaryGroupID of 20 corresponds to the staff group that all local users belong to.

The /Local portion of the home directory looks a bit strange, but it is mandatory and the new user will not be able to log in if it isn’t there.

Next, set a password for the new user and add that user to the admin group.

# dscl . -passwd /Users/gholms
# dscl . -append /Group/admin GroupMembership gholms

Admin users on Mac OS are typically members of far more than just the admin group. Skipping them may break some things, but I don’t log in using the admin account on my machine and it has yet to cause me any issues. Just be warned that it is not quite a stock configuration.

After this, create the new user’s home directory.

# install -d -o 501 -g 20 /Users/gholms

Finally, tell the system that initial setup has already run and then reboot.

# touch /private/var/db/.AppleSetupDone
# reboot

After reaching this point I unlocked the disk using the disk password, logged in as the new admin user, then created a non-admin user using System Preferences as usual.

Conclusion

Ultimately, it is still possible to continue using a disk password to boot Mac OS, but the tooling in 10.14 is far more hostile to it. To make matters worse, it does not appear to be possible to add recovery keys to such disks either:

# fdesetup changerecovery -personal
Enter the user name:

Apple’s intentions are certainly good — after all, they are simply trying to keep people from locking themselves out of their data by doing things that they don’t understand. Apple’s mistake in this release was to stop treating disk passwords and user passwords as equals and instead to consider disk passwords a degenerate case. That said, Apple could still make this scenario less painful without compromising this goal by making a few small tweaks:

Allow one to add a recovery key to a volume with no users. A recovery key can only make it harder to lock oneself out because it provides an additional means of unlocking the disk.
Allow disk passwords to unlock the disk even when user passwords are present. Again, as an additional means of unlocking the disk this can only make it more difficult to lock oneself out.
Allow one to delete the last user on a volume when a disk password is present. Disk passwords are not normally present on the boot volume, so when one is there it is there intentionally and one should be able to use it.
Do not insist on adding the initial user to a volume during system setup when a disk password is present. Again, when a disk password is present it is there for a reason and should be usable.

It is my hope that future releases of Mac OS will make separate FileVault disk passwords easier to manage than they are today, or at the very least, not make them more difficult. Disk passwords and user passwords are both useful use cases, and it is possible to support them equally without compromising the user experience for the majority who use only user passwords or making it easier for them to shoot themselves in the feet. Either way, at the moment this process seems to work. Documenting it is sure to help someone else out there who has the same needs as me.