How user's name can be displayed before disk is decrypted, when FileVault is turned on?

Solution 1:

In older pre T2 macs the disk is not fully encrypted and the users name is stored in an unencrypted volume called Preboot. This volume is readable by the firmware which calls boot.efi within it. This displays the unlock screen and once the password is entered unlocks the OS volume and the OS loads.

The term Full disk encryption is generally used to describe something other than File level encryption rather than implying that there is nothing unencrypted on the disk. Probably Full volume encryption would be clearer.

This is much the same as Windows Bitlocker or Linux LUKS encryption except they tend to simply demand a valid password/key/fingerprint etc to unlock etc without storing the username outside the encrypted volume.

In T2 macs the structure is the same but the whole disk is encrypted so Preboot is not accessible until the disk is unlocked by the T2 chip.

Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip


There are various unencrypted locations on the pre T2 startup disk. First of all the EFI partition is not encrypted. This partition may contain nothing or may contain firmware updates in a directory EFI/APPLE. This is not private or unique data. It may also contain bootloaders for Windows or other OSs, if you have installed them, as they also need an unencrypted partition to boot from.

Next not all the volumes in the partition which holds the APFS container containing macOS are encrypted. In Mojave it looks like this (Catalina has an extra encrypted volume Macintosh HD - Data).

   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +21.5 GB    disk1
                                 Physical Store disk0s8
   1:                APFS Volume Macintosh HD            17.0 GB    disk1s1
   2:                APFS Volume Preboot                 27.6 MB    disk1s2
   3:                APFS Volume Recovery                510.5 MB   disk1s3
   4:                APFS Volume VM                      20.5 KB    disk1s4
  • Recovery is not encrypted (you can get into recovery without unlocking) but doesn't appear to contain unique data.
  • Preboot is not encrypted (so the system can find the bootloader boot.efi, display users, wallpapers etc) before unlocking the OS volume. It has at least some data that is not generic.

You can mount Preboot and have a look what it contains. Taking the Mojave example from above...

sudo mkdir /Volumes/Preboot
sudo mount -t APFS /dev/disk1s2 /Volumes/Preboot

Inside you'll find one directory named with the GUID returned from diskutil info disk1s1|grep 'Volume UUID'.

You can then drill down into this directory - there is the bootloader boot.efi which the firmware calls to start macOS and lots of (to judge by their names) efi resource files which contain fonts, graphics resources, etc. For example:

[admin@macOS] / $ls /Volumes/Preboot/DD3856E8-5866-4F7E-8DDC-692FB7EB1C9F/usr/standalone/i386/EfiLoginUI
Lucida13.efires         battery.efires          guest_userUI.efires     recovery_user.efires
Lucida13White.efires    disk_passwordUI.efires  loginui.efires          sound.efires
appleLogo.efires        flag_picker.efires      recoveryUI.efires       unknown_userUI.efires

What all the things in this volume are isn't particularly clear but you'll find your username in plaintext at least in these files.

  • .../System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
</data>
            <key>UserFullName</key>
            <string>hali</string>
  • .../var/db/AdminUserRecoveryInfo.plist
        <key>RealName</key>
        <string>admin</string>
    </dict>
</dict>
</plist>
  • .../var/db/CryptoUserInfo.plist - also appears to contain users icon data
        FABQAUAFABQAUAFABQAUAFAH/9k=
        </data>
        <key>PictureFormat</key>
        <string>JPEG</string>
        <key>ShortName</key>
        <string>hali</string>