Setting a custom FileVault (macOS FDE) passphrase

Disk password

FileVault 2 is the full-disk encryption system of macOS. Normally, it's turned on from System Preferences, and locks the disk with the passwords of all the users allowed to unlock the machine.

Overloading the login/unlock/sudo password is an understandable UX simplicity choice, but makes it very hard to manage the security tradeoff: you want an easy to type password for login (which can't be bruteforced offline), but you want a complex long passphrase for FDE.

Security & Privacy tab

There is no documented way of setting different passwords for the disk encryption and the OS user. However, support for it is present in the firmware.

How FileVault 2 works and boots

macOS can do a lot of things before booting the main system. If you boot pressing ⌘-R, for example, it will boot into a recovery mode capable of reinstalling the system.

How it does that is with an EFI firmware, and the support of a couple hidden partitions, one of them called Recovery HD. This is the system that decrypts the main partition and then boots from it when you have FDE enabled.

So the default FileVault 2 FDE setup involves a unencrypted hidden Recovery HD, and an encrypted container partition, with your actual partitions inside. The FileVault 2 encryption is controlled by the resident OS and unlockable by a set of username/password accounts.

FileVault 2 can also be used to encrypt external drives. In that case there is no Recovery HD, and there is a single encrypted partition, which can be unlocked not by username/password pairs, but by plain disk passwords.

Setting a custom passphrase

What we want is a mix of the external drive encryption with its custom passphrase and the Recovery HD boot process. Getting there is not easy, but once we do the firmware just happily asks for our "Disk Password", unlocks the disk, and continues booting.

Here are the two easiest ways I found.

Fresh install

If you are installing a new machine and don't care about wiping the entire thing, it's fairly easy.

First, boot into recovery mode by pressing ⌘-R while starting the machine, and select Disk Utility.

Erase

Then, select the Macintosh HD partition (not the whole drive, you don't want to kill the Recovery HD and make the installer shrink your partition to make a new one) and click Erase. Choose "Mac OS Extended (Journaled, Encrypted)" and select your FDE passphrase.

Exit Disk Utility, connect to Wi-Fi, and (re)install macOS on the Macintosh HD partition.

Existing unencrypted macOS

This is a little trickier, and I wouldn't do this without a backup.

You first need to boot from an external drive. The easiest way to do this is by using Carbon Copy Cloner to make a bootable drive. CCC is also excellent to manage the Recovery HD partition if you end up nuking it.

Boot pressing option to select the boot disk.

Once booted into an external drive, open Finder, right click on the Macintosh HD disk in the sidebar and select Encrypt.

Don't forget to securely wipe the external drive.

Existing encrypted macOS

This is the hardest. (Really make a backup.) You have two options: either unencrypt and follow the instructions above, or wipe the drive and use Carbon Copy Cloner.

If you choose the latter, then:

  • use CCC to make a bootable copy of your system on an external drive
  • boot into the external drive
  • use Disk Utility to Erase the target drive, making a single "Mac OS Extended (Journaled)" partition
  • use CCC to create a Recovery HD on the target drive
    (Sidebar > Volumes > Recovery HD...)
  • use Finder to Encrypt the target drive
  • use CCC to restore your system from the external drive to the target drive
  • don't forget to securely wipe the external drive

Note: Carbon Copy Cloner has opinions about how you should enable FileVault 2, ignore them, because it wants you to get the nicely integrated user/password experience that we are trying to avoid :)

Finally, you might want to follow me on Twitter.