How can the user's name be displayed before the disk is decrypted, when FileVault is turned on?
Solution 1:
In older pre-T2 Macs the disk is not fully encrypted and the user's name is stored in an unencrypted volume called Preboot. This volume is readable by the firmware, which calls boot.efi within it. This displays the unlock screen and, once the password is entered, unlocks the OS volume and the OS loads.
The term "full disk encryption" is generally used to mean something other than file-level encryption, rather than to imply that nothing on the disk is unencrypted. "Full volume encryption" would probably be clearer.
This is much the same as Windows BitLocker or Linux LUKS encryption, except they tend to simply demand a valid password/key/fingerprint etc. to unlock, without storing the username outside the encrypted volume.
In T2 Macs the structure is the same, but the whole disk is encrypted, so Preboot is not accessible until the disk is unlocked by the T2 chip.
Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip
There are various unencrypted locations on the pre-T2 startup disk. First of all, the EFI partition is not encrypted. This partition may contain nothing, or may contain firmware updates in a directory EFI/APPLE. This is not private or unique data. It may also contain bootloaders for Windows or other OSs, if you have installed them, as they also need an unencrypted partition to boot from.
Next, not all the volumes in the partition which holds the APFS container containing macOS are encrypted. In Mojave it looks like this (Catalina has an extra encrypted volume, Macintosh HD - Data):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +21.5 GB   disk1
                                 Physical Store disk0s8
   1:                APFS Volume Macintosh HD            17.0 GB    disk1s1
   2:                APFS Volume Preboot                 27.6 MB    disk1s2
   3:                APFS Volume Recovery                510.5 MB   disk1s3
   4:                APFS Volume VM                      20.5 KB    disk1s4
- Recovery is not encrypted (you can get into recovery without unlocking) but doesn't appear to contain unique data.
- Preboot is not encrypted (so the system can find the bootloader boot.efi, display users, wallpapers etc.) before unlocking the OS volume. It has at least some data that is not generic.
You can mount Preboot and have a look at what it contains. Taking the Mojave example from above...
sudo mkdir /Volumes/Preboot
sudo mount -t APFS /dev/disk1s2 /Volumes/Preboot
Inside you'll find one directory named with the GUID returned from diskutil info disk1s1 | grep 'Volume UUID'.
You can then drill down into this directory. There is the bootloader boot.efi, which the firmware calls to start macOS, and lots of (to judge by their names) EFI resource files which contain fonts, graphics resources, etc. For example:
[admin@macOS] / $ ls /Volumes/Preboot/DD3856E8-5866-4F7E-8DDC-692FB7EB1C9F/usr/standalone/i386/EfiLoginUI
Lucida13.efires battery.efires guest_userUI.efires recovery_user.efires
Lucida13White.efires disk_passwordUI.efires loginui.efires sound.efires
appleLogo.efires flag_picker.efires recoveryUI.efires unknown_userUI.efires
What all the things in this volume are isn't particularly clear, but you'll find your username in plaintext at least in these files:
.../System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
</data>
<key>UserFullName</key>
<string>hali</string>
.../var/db/AdminUserRecoveryInfo.plist
<key>RealName</key>
<string>admin</string>
</dict>
</dict>
</plist>
- .../var/db/CryptoUserInfo.plist (also appears to contain the user's icon data)
FABQAUAFABQAUAFABQAUAFAH/9k=
</data>
<key>PictureFormat</key>
<string>JPEG</string>
<key>ShortName</key>
<string>hali</string>
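As an added example (not part of the original answer), the script below automates the inspection described in that answer: mount Preboot, locate the directory named after the system volume's UUID, and report which of the three files listed above carry a user's name in plaintext. The plist parsing helper (plist_key_value / preboot_user_fields) is tested offline against a constructed XML plist modelled on the CryptoUserInfo.plist excerpt. The audit_preboot driver is an assumption about how diskutil, mount and plutil behave on a pre-T2 Mac; it needs root, and on a T2 Mac it cannot work at all, since Preboot is not readable until the T2 chip has unlocked the disk.

```bash
#!/bin/sh
# preboot_audit.sh - report plaintext user identifiers on the unencrypted Preboot volume.
# Added example; not the original answer's code. POSIX sh, no bash-only features.
set -eu

# Files the answer found to contain the username, relative to the per-volume UUID directory.
PREBOOT_FILES="System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
var/db/AdminUserRecoveryInfo.plist
var/db/CryptoUserInfo.plist"

# plist_key_value KEY: read an XML plist on stdin and print the <string> that follows
# <key>KEY</key>. Assumes the key and its value are on separate lines, as plutil emits them.
plist_key_value() {
  awk -v key="<key>$1</key>" '
    found && match($0, "<string>[^<]*</string>") {
      print substr($0, RSTART + 8, RLENGTH - 17); found = 0
    }
    index($0, key) { found = 1 }
  '
}

# preboot_user_fields: read an XML plist on stdin and print KEY=VALUE for each
# user-identifying key the answer saw in these files (UserFullName, RealName, ShortName).
preboot_user_fields() {
  plist=$(cat)
  for k in UserFullName RealName ShortName; do
    v=$(printf '%s\n' "$plist" | plist_key_value "$k")
    if [ -n "$v" ]; then
      printf '%s=%s\n' "$k" "$v"
    fi
  done
}

# sample_crypto_user_info: constructed sample plist (not copied from a real machine),
# shaped like the CryptoUserInfo.plist excerpt in the answer. Used for the offline test.
sample_crypto_user_info() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Picture</key>
  <data>/9j/4AAQSkZJRgABAQAAAQABAAD/2wBD</data>
  <key>PictureFormat</key>
  <string>JPEG</string>
  <key>RealName</key>
  <string>Hali Example</string>
  <key>ShortName</key>
  <string>hali</string>
</dict>
</plist>
EOF
}

# audit_preboot SYSVOL PREBOOTVOL: macOS-only driver, run as root, e.g.
#   sudo sh preboot_audit.sh --audit disk1s1 disk1s2
# Assumes diskutil prints a "Volume UUID:" line and that plutil can convert each file to XML.
audit_preboot() {
  sysvol=$1
  prebootvol=$2
  mnt=/Volumes/Preboot
  uuid=$(diskutil info "$sysvol" | awk -F': *' '/Volume UUID/ {print $2}')
  mkdir -p "$mnt"
  mount -t apfs "/dev/$prebootvol" "$mnt"
  for f in $PREBOOT_FILES; do
    p="$mnt/$uuid/$f"
    [ -f "$p" ] || continue
    # Binary plists are converted to XML so the awk helper can read them.
    plutil -convert xml1 -o - "$p" 2>/dev/null | preboot_user_fields | sed "s|^|$f: |"
  done
  umount "$mnt"
}

if [ "${1-}" = "--audit" ]; then
  audit_preboot "$2" "$3"
fi
```

Run without arguments the script only defines the functions, so the parsing can be exercised on the constructed sample from any shell; run with --audit and the two volume identifiers it performs the mount and scan. A name that appears in the output is readable by anyone who can boot the machine to the FileVault unlock screen, which is the point of the answer.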