It is not necessary to disable and re-enable FileVault 2 to modify any of its settings. As long as you can unlock a FileVault encrypted volume (i.e., you have access to a personal or institutional recovery key or simply the password of a FileVault-enabled user), you can modify FileVault 2 settings using the `fdesetup` utility.
In my case, when I first got a new computer, I immediately started it in Recovery Mode (⌘R at startup), then manually converted Mac OS X's main partition to an encrypted volume using the `diskutil coreStorage encryptVolume <logical-volume-UUID>` command from a terminal prompt. This resulted in a FileVault 2 pre-boot login window that created a "Disk Passphrase" user icon (because I had not yet created any actual user accounts in Mac OS X). After creating my actual user accounts, I wanted to remove this temporary password I had assigned earlier. To do so, I issued the following commands from an admin user:
```
sudo fdesetup list -extended
```
This returned output like this:
```
bash-3.2$ sudo fdesetup list -extended
Password:
ESCROW UUID TYPE USER
CB4118C3-8D9D-43E3-BF9E-C3EF71C3C2D6 Disk Passphrase User
D934966C-D556-4A25-917F-EEC109C0FFAD OS User ExampleUser
F94E6F5D-B764-968F-AAE4-0BD4E88A489F OS User AdminUser
```
Notice how there were three entries listed, despite the fact that my system had only two user accounts. The following command removed the "Disk Passphrase" user icon from the FileVault pre-boot screen:
```
sudo fdesetup remove -uuid CB4118C3-8D9D-43E3-BF9E-C3EF71C3C2D6
```
Of course, the UUID value will probably be different on your machine. You can use the `fdesetup remove` command to remove any listed entry, not just a Disk Passphrase one. See `man fdesetup` for details.
Creating an encrypted volume before writing any personal data to it is the recommended way to provide maximum security for your data at rest. As the OP mentioned, the whole point of using FileVault is to ensure that at no point is your data written to the drive unencrypted. Thankfully, with the above command procedure, there is no need to ever disable FileVault in order to remove temporary passwords used for disk setup purposes.
Hope this helps.
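
The list-then-remove procedure from the answer above, as an added shell example that is not part of the original post: it classifies each entry in `fdesetup list -extended` output and prints the `fdesetup remove -uuid` command for every Disk Passphrase entry. The function names, the column spacing of the embedded sample and the refusal when no OS User entry is listed are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): plan removal of leftover
# "Disk Passphrase" entries from `fdesetup list -extended` output.

# Constructed sample: the listing quoted in the answer; column spacing is assumed.
sample_listing() {
cat <<'EOF'
ESCROW  UUID                                  TYPE                  USER
        CB4118C3-8D9D-43E3-BF9E-C3EF71C3C2D6  Disk Passphrase User
        D934966C-D556-4A25-917F-EEC109C0FFAD  OS User               ExampleUser
        F94E6F5D-B764-968F-AAE4-0BD4E88A489F  OS User               AdminUser
EOF
}

# Read a listing on stdin; print "<kind> <uuid>" per entry.
# Only the UUID token and the type words are used, not column positions.
classify_entries() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (length($i) == 36 && $i ~ /^[0-9A-Fa-f-]+$/ && split($i, p, "-") == 5) {
                kind = "other"
                if ($0 ~ /OS User/) kind = "os-user"
                if ($0 ~ /Disk Passphrase/) kind = "passphrase"
                print kind, $i
                break
            }
    }'
}

# Print (do not run) one remove command per Disk Passphrase entry.
# Hypothetical safeguard: refuse if no OS User entry is listed.
removal_plan() {
    entries=$(classify_entries)
    os_users=$(printf '%s\n' "$entries" | awk '$1 == "os-user" { n++ } END { print n + 0 }')
    if [ "$os_users" -eq 0 ]; then
        echo "refusing: no OS User entry listed" >&2
        return 1
    fi
    printf '%s\n' "$entries" |
        awk '$1 == "passphrase" { print "sudo fdesetup remove -uuid " $2 }'
}

# Demo on the constructed sample; on a Mac, pipe the real listing instead:
#   sudo fdesetup list -extended | removal_plan
sample_listing | removal_plan
```

Because the plan is only printed, each command can be reviewed against the listing before it is run by hand.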
It seems that there's a similar problem and solution here: you have to disable FileVault on your main partition, which is named "Macintosh HD" by default, and reboot afterwards. When the boot process has picked up your user name and picture, you can re-enable FileVault again. Did you try it? – Hastur – 2015-05-01T17:35:47.530
Well, of course disabling and re-enabling FileVault would fix it, as that's the source of the problem; but I wanted to achieve this without increasing insecurity. The reason why this volume is encrypted is because I encrypted before installing and copying the data to avoid having data unencrypted at any point. We ended up turning it off and on again. I bet it is possible, but I can't find how. – pupeno – 2015-05-02T11:30:51.310
Following Soliton on this site (Jul 25, 2012 8:43 PM), he said: repaired disk permissions with Disk Utility, re-downloaded and re-installed [Java manually from Apple's web site](http://support.apple.com/kb/DL1515) and re-selected my user login photo and re-typed my user name (for good measure). After rebooting, everything is back to normal. Have you tried this approach? [This seems interesting too](http://apple.stackexchange.com/questions/61090/what-does-update-needed-mean-when-attempting-to-boot-from-an-encrypted-backu). – Hastur – 2015-05-02T15:26:53.290
Try to reset the password. In the same post, InsuranceITGuy (Sep 6, 2013 10:58 AM) says how to change the password, via `diskutil cs list` and afterwards `diskutil cs changeVolumePassphrase <UUID>`. Maybe it can be a good approach too. – Hastur – 2015-05-02T15:32:54.990