For a FileVault user of Mountain Lion: can I avoid the automated login, which normally follows unlock of the encrypted startup volume?
Solution 1:
Encrypt the startup volume with Core Storage without FileVault
Two days after I added this answer, Apple published a technical white paper: Best Practices for Deploying FileVault 2 – Deploying OS X Full Disk Encryption Technology (PDF). At a glance, some of what I describe below seems to be described by Apple as:
- Disk Password-based DEK.
Preparation
1. Backup
2. start Recovery OS
3. use Disk Utility to erase the startup volume – Mac OS Extended (Journaled, Encrypted)
4. restore
5. give the passphrase for the volume to AdminGuy.
Hint
At step 4 above, use a method that preserves the Apple_Boot slice (sometimes named Boot OS X, sometimes named Recovery HD) whilst restoring the JHFS+ startup volume.
To validate this answer, I used Disk Utility for that step. (I'm less familiar with restoration capabilities of Time Machine.)
The resulting EfiLoginUI:
As Disk Password has an avatar/icon, it's clear that Apple considers scenarios such as this.
Normal use thereafter
- Alongside named users, EfiLoginUI presents Disk Password
- AdminGuy can select Disk Password
- AdminGuy can enter the passphrase to unlock the CoreStorage-protected startup volume
- when loginwindow appears, select the required user.
Users may change their login passwords. The phrase for Disk Password will remain unchanged.
You need not use the FileVault areas of System Preferences, but if you do, most things work as expected.
The machine pictured above is perfectly clean, restored from a Mountain Lion template that I created following installation of the OS (at the Welcome screen I shut down, then used Disk Utility to image all partitions/slices of the disk). I proceeded to create a user, then enabled that user for FileVault:
The resulting EfiLoginUI – one named user alongside the Disk Password option:
Appearance bug
System Preferences in Build 12A269 of OS X 10.8 may state that FileVault is enabled, with a recovery key set, when the key is no longer applicable. (Assume that an erased volume, with a possibly different passphrase, will not accept a recovery key that was set before erasure. A more definite opinion may be drawn from Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (2012).) I have reported bugs to Apple.
Photographs above are of the USB flash drive that I used to validate this answer.
Photographs below are of the internal drive that I use every day.
EfiLoginUI – two named users enabled for FileVault, the Disk Password option, and the Guest User:
loginwindow – all named users: