
Some encrypted backups display username as [Update Needed] when booting


wildthing
05-01-2015, 07:53 PM
I started using FileVault 2 to encrypt the disks that I'm backing up to. Usually this works fine and I can boot from the backups, even though they're encrypted. There is a pre-boot login screen just like there is when I boot from the original system drive.

However sometimes when I try to boot from the backup disk, the pre-boot login screen contains a weird-looking option to log in as a user called "[Update Needed]" or "Guest User" - and all the other OS X account usernames from my original system drive are missing.

Any idea why this is?

dnanian
05-01-2015, 09:58 PM
It's because it's encrypted. Try booting from it normally, then reinstall the OS to recreate a recovery volume on the backup. That should (hopefully) resolve the issue.

wildthing
05-02-2015, 01:54 PM
OK but now I'm puzzled why some of my encrypted backups have this problem and some don't. I thought I followed the same process to create all of them.

Here's what I did: I used Disk Utility to erase and format the drive as "Mac OS Extended (Journaled, Encrypted)", and set an encryption passphrase. The passphrase is random and different for each drive (which is generated by and stored separately in my credential vault application).

Then I used SuperDuper to (initially) Erase then Copy, and then used Smart Update on the drive. The SuperDuper Erase always seems to preserve the encryption (along with passphrase) that I previously set up in Disk Utility.

When I reboot the drives that work, I am first prompted for the FileVault passphrase, and following this, it boots into the normal login screen with all the users there.

But maybe I'm remembering wrongly, and I in fact followed some different steps to create the encrypted drives that boot correctly.

Another change I've made recently is that I've now encrypted my main system drive as well. I understand that this changes the way OS X boots up, so I now get a pre-boot login screen rather than a post-boot login screen, and it uses the passwords of the OS X users to decrypt the drive before completing the boot process. But I'm sure that post-encrypting my system drive, I've followed the above steps to create a bootable backup and it's still worked as described.

Also in your reply you said "reinstall the OS to recreate a recovery volume on the backup". I don't understand what this means. If I re-install the OS won't that overwrite the backup?

Maybe what I need is a step-by-step guide to creating a FileVault-encrypted backup the right way, assuming the original system drive is also FileVault-encrypted, which explains the whole process from beginning to end.

dnanian
05-02-2015, 02:08 PM
In general, you should format the backup as encrypted, then Smart Update to it. I'd then boot from it (you should be able to if you use the startup disk preference pane), and reinstall the OS on it from the App Store, which will create a recovery volume on the backup.

It should work fine...

wildthing
05-02-2015, 02:14 PM
OK, but I'm sure it's worked on at least one occasion without the last step being necessary.

Perhaps I should clarify: the desired behaviour is that for my system drive, I can boot it using my OS X usernames and passwords, because although the OS X user passwords are weaker, that is compensated by the fact that the computer is in a more secure location.

The backups, on the other hand, are taken off site and transported to and via less secure locations, hence the desired behaviour is that when I boot them up, I am first prompted for the super strong, long, randomized FileVault passphrase that I originally set in Disk Utility (I retrieve this from my credential vault application which is synced to all my devices and various other places). Only after I successfully provide the FileVault passphrase should I see the OS X login screen.

This desired behaviour has actually been working successfully - even *since* I enabled FileVault on my system drive. But it's only worked on some, not all, of my backups.

If the outcome of the steps you suggest is that the backup becomes bootable with the (weaker) OS X usernames and passwords, then this is not what I want.

Sorry for not making this clear earlier. Since I enabled FileVault on my system drive, I hadn't really thought through how I expected this to affect my backups.

dnanian
05-02-2015, 04:02 PM
No, it won't become weaker. The point is to try to get the Recovery volume (which is sometimes necessary to boot from FileVault volumes) onto the backup drive.

wildthing
05-02-2015, 05:12 PM
Not sure if you understood my previous post.

My OS X user account passwords are ALREADY much weaker than the FileVault passphrases I use to initially encrypt the external drives in Disk Utility that I'm subsequently backing up to (deliberately so, because I want a much higher level of protection for the backup drives that I take off-site, whereas my Mac never leaves my home, so convenience trumps security).

That's why I want to continue seeing the FileVault decryption passphrase prompt FIRST when I boot the backup, BEFORE I see any OS X user login screen.

However when the "[Update Needed]" prompt appears, it is part of an OS X user login screen - and unless I'm very much mistaken, it appears first and there is NO FileVault decryption passphrase prompt.

It's not clear from your reply whether you understood this point, and the steps you're suggesting will restore the drive to a state where booting up yields the FileVault decryption prompt FOLLOWED BY the OS X user login screen (the desired behaviour), or whether the steps you're suggesting will put the drive into a state where the backup drive works the same as the system drive, in the sense that the (deliberately weaker) OS X user passwords are all that's needed to boot up (which is not the desired behaviour).

dnanian
05-02-2015, 05:29 PM
I don't know if it will do that. Sorry - my suggestion would be to use a stronger passphrase as your password.

wildthing
05-03-2015, 07:14 PM
> I don't know if it will do that.

From my experience it DOES do that - but only on some of my drives, not others.

That is, some of my drives exhibit the desired behaviour (boot first into the FileVault unlock prompt, followed by the OS X login screen), while others go straight to the OS X login screen with "[Update Needed]".

Why this happens I'm still trying to figure out. I'll do some further investigation and report back.

> my suggestion would be to use a stronger passphrase as your password.

This is not an option since my Mac is used by multiple users, and I've already maxed out on the password complexity that the other users are willing/capable to accept.

The reality is that OS X passwords that are used multiple times a day - including every time you switch users - can NEVER realistically be as strong as the kind of passphrases you can consider using for FileVault-encrypting a drive that is used only for backup.

This is because the latter only need to be used in a backup test or restore scenario - so they can be ultra-strong, long, randomly-generated passphrases such as "%JHgTil#=qH1j.d6.Ak8t`3C" - which you can store in your credential vault and forget about. Believe me, you wouldn't want to type these in every day!

If your backup drives are taken outside your home, transported, and stored in various locations, I think it is quite a legitimate requirement (for some users) that the backup drives are only decryptable with a very strong passphrase, and NOT with the (necessarily weaker) OS X passwords.

dnanian
05-04-2015, 06:45 AM
OK - if it does do that, then I'd suggest trying what I said. If you can set the source to prompt the way you want, the destination will too: but I'd create the recovery volume as well, as I indicated in the previous reply.

wildthing
05-07-2015, 07:41 PM
> If you can set the source to prompt the way you want, the destination will too

Just to be clear, I am not trying to get the destination and source to prompt the same way.

The source (system drive) was set up to use FileVault in the normal way, by going to System Preferences > Security & Privacy > FileVault > Turn On FileVault. This means it can be booted up using the password of any of the OS X accounts alone. This is perfectly acceptable to me since the Mac does not leave my house (in fact it's a requirement, because the Mac may need rebooting at any time by another user when I'm not there).

However, the destination (backup drive) is set up a different way: by going to Disk Utility > Erase > Format: Mac OS Extended (Journaled, Encrypted) > Erase, entering a super-strong, random passphrase, and then using SuperDuper to clone using "Erase then Copy" (although subsequent backups can use Smart Update).

Following this, I want the backup drive to require the super-strong, random passphrase in order to boot up - before it prompts for any OS X account logins - whereas the system drive should only require the OS X account logins.

So, I am actually trying to get the destination and source to prompt differently. And it makes sense that they do prompt differently, because they were set up differently.

However I have just made a discovery!

I just tried re-building a backup drive from scratch, exactly as described above, and then I tried booting from it. As before, it booted first to an OS X login screen with just 2 users, one called "[Update Needed]" and the other "Guest".

However, this time I tried selecting the "[Update Needed]" user, and then entering the super-strong, random passphrase that I'd originally used to encrypt the drive in Disk Utility, and it worked! More specifically, a progress bar appeared for quite a while (presumably that's when it was decrypting the drive), and then a spontaneous reboot, then I selected "[Update Needed]" again and then entered the super-strong, random passphrase a second time, and then a different OS X login screen appeared, this time with all my usual OS X accounts - and I was finally able to login to OS X on the backup drive normally.

Based on this experience, it seems to me that the "[Update Needed]" is just OS X's way of saying, I have a boot drive encrypted with a password that is not associated with any username, so I'll prompt for it, but I don't know the username so I'll display it as "[Update Needed]". The reason the password is not associated with any username is because it's the one I typed in to Disk Utility to format the partition.

I still don't know why (I think) some of my drives had the "Enter a password to unlock the disk ... [Unlock / Cancel]" prompt instead.

But now I think that OS X login screen with the "[Update Needed]" user is actually achieving exactly the same thing as the "Enter a password to unlock the disk ... [Unlock / Cancel]" prompt, just in a different way.

So now I'm happy that it is basically behaving as I want.

dnanian
05-07-2015, 07:48 PM
I don't know why either, but I'm glad it worked for you!