Autologin not working after FV2 unlock when waking from hibernation

jordanfleuriet
New Contributor

Hey there,

Current Config
Machine has FV2 profile pushed to it to "Require user to unlock FileVault 2 after hibernation." This is configured in Configuration Profiles>Security & Privacy>FileVault.
Essentially what this does is modify destroyfvkeyonstandby to have a value of 1. Check out this Man Page for background on this.

Observed Behavior
When a user logs into their machine after a restart they get the EFI login screen and they are automatically logged into their user account.

When a user awakens their machine from sleep it takes a few seconds and then they are presented with the EFI login screen. Then, they must log in at the regular Login screen.

Confusion
Why does autologin not work when awakening from sleep?

Tests
1. I've tested altering DisableFDEAutoLogin. If it is set to YES then the user must log in to the EFI and normal Login after every reboot and awakening from sleep. Not helpful.
2. I've tested manually changing destroyfvkeyonstandby to 0 and the login issue goes away...but so does encryption while hibernating.

Any thoughts??

5 REPLIES

cdev
Contributor III

As I understand it, the destroyfvkeyonstandby setting doesn't allow the FileVault encryption key to be stored in RAM for any sleep/standby/hibernation event, causing the user to have to unlock the drive, then log in to their account. It functions by design, where the key is never stored in RAM, preventing malicious code from retrieving the unlock key.

jordanfleuriet
New Contributor

@cdev - right, I get that. But how is coming out of hibernation different than starting the computer from a powered off state?

cdev
Contributor III

With hibernation, the computer still powers off, but before hibernation, the current RAM state is written to disk. When awoken it restores the contents of RAM, which includes the FV2 unlock key if not destroyed. With the key destroyed, an authorized FV user will need to unlock the disk, then authenticate the user session (assuming this is required as well).

jordanfleuriet
New Contributor

Right...but when a computer is started from a powered off state it must do those things as well. Why would the user need to manually authenticate the user session when coming back from hibernation, but not when turning on from a powered off state?

Your part about "authenticate the user session (assuming this is required as well)" is my main question. It is not required in any setting that I can find but the user must authenticate the user session no matter what.

cdev
Contributor III

At boot, there is an option to pass the user's credentials through from the EFI preboot/unlock screen. If you wish to enable/disable this feature, you can see the code on Apple's Support site.

Otherwise, for an existing user session if the FV Key isn't destroyed, they are only prompted to resume their existing session, which is controlled by the Security & Privacy system preference (General tab > Require password after sleep or screensaver begins).

If the key is destroyed and they are required to authenticate the session, they have to enter their password twice. As I said, destroying the key is a security thing, since it is possible to retrieve the unlock key from RAM for creative hackers...
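
A way to check the setting discussed in this thread, as an added example that is not part of the original posts: a shell function that reads `pmset -g custom` output and reports, per power profile, whether `destroyfvkeyonstandby` is set to 1. The function name `audit_fvkey` and the sample text are constructed for illustration; an unset key is counted as retained, since the pmset man page gives retention as the default.

```shell
#!/bin/sh
# Added example: audit pmset output for the FileVault standby-key setting.

# Reads `pmset -g custom` style text on stdin, prints one line per power
# profile, and returns 1 if any profile keeps the FileVault key on standby.
audit_fvkey() {
    awk '
        # Section headers are unindented and end in a colon, e.g. "AC Power:".
        /^[^ \t].*:[ \t]*$/ {
            if (profile != "") report()
            profile = $0
            sub(/:[ \t]*$/, "", profile)
            value = "unset"   # assumption: not listed means default (key retained)
            next
        }
        # Settings are indented "name value" pairs under a header.
        $1 == "destroyfvkeyonstandby" { value = $2 }
        function report() {
            if (value == "1") {
                state = "key destroyed on standby"
            } else {
                state = "key retained on standby"
                bad = 1
            }
            printf "%s: destroyfvkeyonstandby=%s (%s)\n", profile, value, state
        }
        END {
            if (profile != "") report()
            exit bad + 0
        }
    '
}

# Constructed sample in the layout of `pmset -g custom` (not captured from a real Mac).
SAMPLE_PMSET='Battery Power:
 hibernatemode        25
 destroyfvkeyonstandby 1
AC Power:
 hibernatemode        3
 destroyfvkeyonstandby 0'

# On a managed Mac the input would be:  pmset -g custom | audit_fvkey
printf '%s\n' "$SAMPLE_PMSET" | audit_fvkey ||
    echo "at least one power profile retains the FileVault key"
```
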