
Standard user accounts in OS X 10.8.4 now blocked from decrypting FileVault 2-encrypted Macs

One of the changes noted in Apple’s security notes about 10.8.4 and Security Update 2013-002 was this section:

Disk Management

Available for: OS X Mountain Lion v10.8 to v10.8.3

Impact: A local user may disable FileVault

Description: A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.

CVE-ID

CVE-2013-0985


In short, this helps address an issue that has vexed various Mac admins since 10.7.0: if you have a FileVault 2-enabled account, you can decrypt the encrypted Mac from the command line using your account’s password, even if that account is not an administrator.

With 10.8.4, the command-line diskutil tool has now been updated to request an administrator’s login and password before allowing decryption to proceed.

Administrators are also prompted, but can supply their account’s username and password to start the decryption process.
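
One way to audit for this exposure, as an added example that is not from the original post or from Apple: the script classifies an OS X version against the range in Apple's note and lists FileVault 2-enabled users who are not in the admin group. The function names, the status labels, and treating releases after 10.8.4 as fixed are assumptions; the live run relies on `fdesetup list`, `dscl` and `sw_vers`, needs root, and only reads direct members of the admin group.

```shell
#!/bin/sh
# Added example: audit helper for Apple's Disk Management entry (CVE-2013-0985).

# Classify an OS X version against the range in Apple's note
# ("Available for: OS X Mountain Lion v10.8 to v10.8.3").
fv_decrypt_status() {
    IFS=. read -r major minor patch rest <<EOF
$1
EOF
    patch=${patch:-0}
    if [ "$major" != 10 ] || [ -z "$minor" ]; then echo unknown; return 0; fi
    case "$minor$patch" in *[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$minor" -lt 8 ]; then
        echo not-listed      # outside the range in this advisory entry
    elif [ "$minor" -eq 8 ] && [ "$patch" -le 3 ]; then
        echo affected        # standard users can start decryption
    else
        echo fixed           # 10.8.4; later releases assumed to keep the fix
    fi
}

# stdin: "username,UUID" lines as printed by `fdesetup list`.
# $1: space-separated members of the admin group.
# Prints FileVault 2-enabled users that are not administrators.
standard_fv_users() {
    admins=" $1 "
    while IFS=, read -r user uuid || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        case "$admins" in
            *" $user "*) ;;              # admin: can authorize decryption anyway
            *) echo "$user" ;;
        esac
    done
}

# Live run only on a Mac with fdesetup (10.8+), as root.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    ver=$(sw_vers -productVersion)
    admins=$(dscl . -read /Groups/admin GroupMembership | cut -d: -f2)
    echo "OS X $ver: $(fv_decrypt_status "$ver")"
    fdesetup list | standard_fv_users "$admins" | sed 's/^/standard FileVault user: /'
fi
```

On a Mac reported as `affected`, every user the script lists can start decryption with only their own password.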
