What is APFS "Disk User" and how to add multiple crypto users via diskutil?
Solution 1:
Short version:
- The disk "user" is the equivalent of having only a single password for decrypting the disk.
- You can add additional users for the boot volume using the `fdesetup add` command (see `fdesetup help` for details).
- You can add or change the recovery key after the fact using `fdesetup changerecovery`.
- You can remove users later using `fdesetup remove`, and you can also remove the recovery key with `fdesetup removerecovery`.
I don't yet know how to add or remove users/keys to encrypted apfs disks that are not the boot volume.
Long Version:
The convention of having multiple cryptographic users on a disk was done primarily to facilitate FileVault boot disks. Because of this convention, the concept of a disk "user" was created to allow disks to be encrypted with a single encryption key for non-boot disks.
The disk "user" is what would be created if you encrypted a disk using a method other than the "Turn on FileVault" method you described above. This is the equivalent of having a disk encrypted by a single password, instead of having multiple users able to decrypt the disk with their own passwords.
Having multiple users able to decrypt a disk is important for a startup disk with FileVault as it allows them to enter their own username and password at boot to decrypt the disk and login. Without it, they would have to know the disk encryption password (the disk "user") and enter that at boot, then login with their own user credentials at the login screen once boot is complete.
This is why FileVault automatically adds additional encryption keys for users to your boot drive when you enable it (in this case, one for your user and one for the FileVault master recovery key in case a user forgets their password and needs to reset it). But if you are encrypting a non-startup disk, having access for multiple users may not be useful or even desirable. This is why encrypting the disk from the CLI only creates the disk "user". (I believe this is also the case when encrypting using the Disk Utility app or from the Finder).
You can, of course, encrypt a boot disk with only a single disk "user" and no other cryptographic users or recovery keys. You will be presented with a password prompt at boot and it will display a disk icon instead of a user icon, and you will have to enter the disk encryption password instead of your user password. Any users on the machine who do not know this password will be unable to decrypt the disk and login to the machine.
Edit: Just want to add the following:
Note that the disk "user" will only be added to the list of cryptographic users when you first encrypt the disk using the CLI (diskutil apfs) or via Finder or Disk Utility. The disk user will not be added if you enable FileVault in System Preferences, and it cannot later be added to a disk that already has cryptographic users.
Also of note, the disk user will always have the UUID of the disk itself.
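The `fdesetup add` step from the short version, written out as a script. This is an added example and not part of the answer above: it builds the plist that `fdesetup add -inputplist` reads on stdin (keys `Username`, `Password`, `AdditionalUsers` are fdesetup's documented input format), feeds it to fdesetup without ever writing the passwords to disk or the process list, and then lists the resulting crypto users. The account names `alice` and `bob` and the device path `/dev/disk1s1` are made up; the existing user named first must already be able to unlock the volume, and the script needs macOS and root to do anything beyond generating the plist.

```shell
#!/bin/sh
# Added example (not from the original answer). Adds a FileVault crypto user
# to the boot volume with `fdesetup add -inputplist`. Usernames and the
# device path below are hypothetical.

# Escape the XML special characters so a password containing & < > cannot
# break (or inject into) the plist that fdesetup parses.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# fv_add_plist EXISTING_USER EXISTING_PASSWORD NEW_USER NEW_PASSWORD
# Prints the input plist on stdout. Username/Password are an account that can
# already unlock the volume; AdditionalUsers lists the accounts to add.
fv_add_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key><string>$(xml_escape "$1")</string>
    <key>Password</key><string>$(xml_escape "$2")</string>
    <key>AdditionalUsers</key>
    <array>
        <dict>
            <key>Username</key><string>$(xml_escape "$3")</string>
            <key>Password</key><string>$(xml_escape "$4")</string>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# fv_add_user EXISTING_USER EXISTING_PASSWORD NEW_USER NEW_PASSWORD
# Pipes the plist straight into fdesetup so the passwords never touch the
# filesystem, the shell history, or `ps` output (unlike -usertoadd with a
# password typed on the command line). Then shows who can now unlock.
fv_add_user() {
    fv_add_plist "$1" "$2" "$3" "$4" | sudo fdesetup add -inputplist || return 1
    sudo fdesetup list
}

# Optional check of the answer's last point: on a volume encrypted from the
# CLI, the disk "user" shows up in the crypto-user list with the volume's
# own UUID. /dev/disk1s1 is a placeholder; substitute your volume.
fv_show_disk_user() {
    diskutil apfs listCryptoUsers "${1:-/dev/disk1s1}"
    diskutil info "${1:-/dev/disk1s1}" | grep 'Volume UUID'
}

# Usage: sh add_fv_user.sh alice 'alice-password' bob 'bob-password'
if [ "$#" -eq 4 ]; then
    fv_add_user "$@"
fi
```

Removing the user later is the mirror image (`sudo fdesetup remove -user bob`), and `fdesetup list` is the quickest way to confirm which accounts can unlock the boot volume after either operation.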