Filevault 2 and password?

makander
Contributor

I'm currently testing out FileVault 2 on one of my test machines and so far it's pretty straightforward.

But there's something I can't understand or get my head around. When I use the private recovery key to unlock a drive it prompts me to create a new password for the account I want to login with. I get that, because I've forgotten my old password so I should create a new one. That makes sense.

But it doesn't seem to matter what password I type into it, as it just shrugs it off.

The computer is connected to our AD and I've tried several different passwords; it doesn't matter.
It works fine though on the local admin account but not on the network account.
If I use the old password I get in. Weird.

Any thoughts regarding this?

1 ACCEPTED SOLUTION

MikeF
Contributor II

I have noticed the same thing on my accounts. What we figured out is if it is a mobile account it will not change the password. Cancel the password change and then log in as the user when it goes back to user name and password. Then you will get a prompt for the keychain login password being wrong. Tell it to update and it will update the password. It does have to be on the network for this.

Seems that this password change only works on a local account.


makander
Contributor

Yeah, it seems like it. But the whole reason for resetting the password and using the recovery key might be because the user has forgotten it. Then we have to restore the user's password as well, kind of a complicated situation.

icemobile
New Contributor II

I'd go for an institutional key. Decrypt the drive first and see about the user account later.

MikeF
Contributor II

Yes, this is a pain. My security won't let us put on an inst. key. Right now, because of their requirements, the laptop needs to come back to the office. We are looking into putting a local account on to at least get logged in. Then we can remote to the machine and get the user working. But then we have to maintain a local account for this and keep changing passwords.

gachowski
Valued Contributor II

Nils,

I see exactly the same behavior, and at first I was worried, but after a few months of thinking about it, it has started to make sense. We can't change the password from System Preferences either. The recovery key just unlocks the encryption. I think with AD accounts you can't change the password locally, or at least it depends on AD rules?

But with the "normal" consumer user, after they recover the key from iTools :) they should then be prompted to change it.

And I guess adding the logic before the login window (AD vs. local) might have been tricky to do. I think that Apple has to be extra conservative with security now that they are in the FDE business. :)

Also, this is Apple's first "try" at FDE, so it's going to take a few years for them to get it all together. Kinda have hopes for more FileVault features in X.9.

C

makander
Contributor

Thanks for all the replies. I'm going to have to try to figure out some kind of best practice for using FV2.

I wish it could sync with the AD. But maybe it'll come later.