Better FDE Passphrase with macOS FileVault

By Tim Medin | January 26, 2018

I use full disk encryption (FDE) on all my laptops and portable media. I like to have a very strong passphrase for these, one that is even stronger than that for my user accounts. Let’s be realistic, very very few people are going to use a 60 character passphrase for their daily account, but I wouldn’t mind using that to unlock my laptop since I only have to enter it so rarely (and I go through customs a lot). With the Mac, there isn’t a nice built-in way to have a long unlock passphrase for FileVault and a more reasonable one for day-to-day use of the laptop. However, we can use the features we have in the OS to make this happen.

Summary

  • User 1 (“unlock”) used solely to unlock the disk. This user has a long, secure passphrase. You won’t use the device as this user. This user does not need to be an administrator.
  • All other users, the day-to-day users/admins have a more manageable passphrase. At least one of these users is an administrator.

Summary of steps

  1. Create an “unlock” standard user with a looooong passphrase
  2. Allow the “unlock” user to unlock the disk
  3. Reboot and confirm access via “unlock” user
  4. Disallow the day-to-day user from decrypting the disk

Details

1. Create the “unlock” user.

a. Go to the System Preferences and click on “Users & Groups”. The user does not need to be an administrator. I made my user a “standard user” so even with the correct passphrase to unlock the drive a second account is needed to administer the system. There really isn’t an extra burden as you aren’t going to be running as the “unlock” user anyhow.

b. Create the “unlock” user and select a loooooooooooong passphrase (DO NOT LOSE THIS!).

2. Allow the new user to unlock the disk.

a. Go to System Preferences and click on Security & Privacy.

b. Click on “Enable Users…”.

c. Click on “Enable User”.

d. Enter the long passphrase for the “unlock” user.

e. Ensure the green check mark is shown.

3. Reboot

a. Confirm you can log in as the “unlock” user.

b. Log out of the “unlock” user and log back into the account that has administrative access.

4. Disallow the day-to-day user from decrypting the disk

a. Open the terminal and type the following (replace “redsiege” with your day-to-day username):

sudo fdesetup remove -user redsiege

b. Repeat 4a for other users on the system EXCEPT the “unlock” user.

c. Reboot and confirm. Unlock the disk with “unlock” and the long passphrase, log out of “unlock”, then log in as your normal user; everything works as usual!
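A pre-reboot sanity check for step 4, as an added example that is not from the original post: it reads the output of `fdesetup list` (assumed here to be one `username,UUID` line per FileVault-enabled user) and fails unless the “unlock” account is the only one still able to unlock the disk. The function name `check_unlock_only` is my own.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that only the
# "unlock" account can unlock the FileVault volume before you reboot.
# Assumes `fdesetup list` prints one "username,UUID" line per enabled user.

# Usage: fdesetup list | check_unlock_only UNLOCK_USER
# Returns 0 if UNLOCK_USER is the only enabled user, 1 otherwise.
check_unlock_only() {
    unlock="$1"
    found=0
    extra=""
    # Handle a final line that lacks a trailing newline as well.
    while IFS=, read -r name _ || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        if [ "$name" = "$unlock" ]; then
            found=1
        else
            extra="$extra $name"
        fi
    done
    if [ "$found" -ne 1 ]; then
        # Never remove the last enabled user before the unlock user works,
        # or nobody can unlock the disk after the next reboot.
        echo "ERROR: '$unlock' is not enabled for FileVault; do not reboot" >&2
        return 1
    fi
    if [ -n "$extra" ]; then
        echo "Still enabled besides '$unlock':$extra" >&2
        return 1
    fi
    echo "OK: only '$unlock' can unlock the disk"
    return 0
}

# Typical use on the Mac, run from the admin account (replace the usernames):
#   sudo fdesetup remove -user redsiege      # step 4a from the post
#   sudo fdesetup list | check_unlock_only unlock
```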

Conclusion

You can now use a really long passphrase to protect your data when your laptop is powered off and booted. This is really nice if you have to cross any borders and want to make the passphrase that secures your data much better. Bonus points if you change the long passphrase, leave the data with a trusted individual, then ask the trusted source for the info once you get through customs. That way customs can’t make you decrypt the data since you can’t!
