For a FileVault user of Mountain Lion: can I avoid the automated login, which normally follows unlock of the encrypted startup volume?

macos filevault boot login user-account

Solution 1:

Encrypt the startup volume with Core Storage without FileVault

Two days after I added this answer, Apple published a technical white paper: Best Practices for Deploying FileVault 2 – Deploying OS X Full Disk Encryption Technology (PDF). At a glance, some of what I describe below seems to be described by Apple as:

  • Disk Password—based DEK.

Preparation

  1. Backup
  2. start Recovery OS
  3. use Disk Utility to erase the startup volume – Mac OS Extended (Journaled, Encrypted)
  4. restore
  5. give the passphrase for the volume to AdminGuy.

Hint

At step 4 above, use a method that preserves the Apple_Boot slice (sometimes named Boot OS X, sometimes named Recovery HD) whilst restoring the JHFS+ startup volume.

To validate this answer, I used Disk Utility for that step. (I'm less familiar with restoration capabilities of Time Machine.)

The resulting EfiLoginUI:

Disk Password option at EfiLoginUI

As Disk Password has an avatar/icon, it's clear that Apple considers scenarios such as this.

Normal use thereafter

  1. Alongside named users, EfiLoginUI presents Disk Password
  2. AdminGuy can select Disk Password
  3. AdminGuy can enter the passphrase to unlock the CoreStorage-protected startup volume
  4. when loginwindow appears, select the required user.

Users may change their login passwords. The phrase for Disk Password will remain unchanged.

You need not use the FileVault areas of System Preferences but if you do, most things work as expected.

The machine pictured above is perfectly clean, restored from a Mountain Lion template that I created following installation of the OS (at the Welcome screen I shut down, then used Disk Utility to image all partitions/slices of the disk). I proceeded to create a user, then enabled that user for FileVault:

Screenshot: some users are not able to unlock the disk. Screenshot: the OS presents a tick against the one and only user Screenshot: after clicking 'Done', all users are able to unlock the disk

The resulting EfiLoginUI – one named user alongside the Disk Password option:

A named user and the Disk Password option at EfiLoginUI

Appearance bug

System Preferences in Build 12A269 of OS X 10.8 may state that FileVault is enabled, with a recovery key set, when the key is no longer applicable. (Assume that an erased volume, with a possibly different passphrase, will not accept a recovery key that was set before erasure. A more definite opinion may be drawn from Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption (2012).) I have reported bugs to Apple.

Photographs above are of the USB flash drive that I used to validate this answer.

Photographs below are of the internal drive that I use every day.

EfiLoginUI – two named users enabled for FileVault, the Disk Password option, and the Guest User:

my everyday EfiLoginUI

loginwindow – all named users:

my everyday loginwindow

Related

Can these 10 steps for creating a podcast episode be automated?
iCal: How do I add new event types with new colors?
What license is needed to use Apple hardware in a movie?
How to securely erase/format an iPhone for resale?
Disable Trash on a specific drive
Can I download Mountain Lion and install it later?
How can I modify an existing FAT partition without losing its data?
Import Google Reader subscriptions into Flipboard
How to backUp an iPhone with a black/blank screen?
How can I automaticly move every file on desktop to specific folder based on extension?
Terminal: Application Not Responding
Change the font size of Safari's Web Inspector