macOS: Revoking FileVault Access for Individual Accounts


I create a lot of user accounts on my Mac. That sounds weird, I know, but it’s often a handy step for testing or troubleshooting. And recently I realized that every time I add a new administrator account, it’s allowed by default to unlock my encrypted FileVault volume, which is, er…less than ideal, security-wise. After all, I have been known to create accounts with the username “test” and the password “test.”

Imagine my shock when I rebooted my Mac the other day and saw a user account with a very insecure password being offered as an option for unlocking my disk! I mean, I could take this as a lesson and always use strong passwords for these temporary accounts I create. But where’s the nerdy fun in that?

So what to do? I should be able to revoke new users’ FileVault-unlocking ability, right? Not through normal means, apparently. If you visit System Preferences > Security & Privacy and click on the “FileVault” tab, you’ll note that you can enable users but not disable them.

FileVault's Enable Users Button for allowing all administrator accounts to unlock your encrypted Mac drive
Why, Apple, why?! The mind boggles.

Luckily, I ran across this excellent Der Flounder post, which had the answer I was looking for. As the author, Rich Trouton, points out, what you’ll have to do is open the Terminal program (it lives within your Applications > Utilities folder) and then type in the following:

sudo fdesetup remove -user username

For the “username” part, you’ll want to replace that with, well…the username of the account you’d like to revoke access for. You can see all of your users within System Preferences > Users & Groups in the left-hand list.

You can see which accounts have administrator access in the macOS Users & Groups System Preferences

So if I wanted to prevent my “Ghost” account from being able to unlock my disk, I’d type this into Terminal and press Return:

sudo fdesetup remove -user Ghost

If you’re not familiar with Terminal, know that if you have a username with spaces (like my Mr. Ive above), you can’t just type it in as is. You’ll need to use a backslash to tell Terminal to ignore the upcoming space, like so:

sudo fdesetup remove -user Jony\ Ive

If you put the username in wrong, Terminal will tell you, though. Note that I did it incorrectly the first time here and correctly the second.

Remove User in Terminal using the sudo fdesetup command

Anyway, once you type in that command and press Return, you’ll be asked for your administrator account password to authorize the action. (You won’t be able to see anything changing as you’re typing your password in, but just trust that Terminal is paying attention.) Press Return again when your password is finished, and voilà! That user won’t be able to unlock FileVault anymore, and sweet, sweet nerdy security will be yours. But know that if you’re not logged in as an administrator, you’ll get scolded by Terminal.

Terminal Window with Warning showing non-admin users can't use sudo commands
Oh god, what have I done?!

In that scenario, you could use the su command to escalate your privileges temporarily, but I’d suggest you just go log in with your administrator account to run this command instead. It’s easier and safer. And because I always have to say this, here goes: Be really super-duper careful with what you type in Terminal. Messing stuff up can have unfortunate consequences, so check your work like forty times before you execute commands, OK? And I wouldn’t be me if I didn’t suggest you have several backups in place before you do anything at all, like even opening the lid of your laptop. I’m so predictable.
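Before removing anyone, it helps to see who can unlock the disk right now: sudo fdesetup list prints one "username,UUID" line per enabled account. The script below is an added example, not from the original post or from Der Flounder. It filters that output against a list of accounts you expect and prints a safely quoted removal command for each unexpected one; the function names, the "admin" account and the UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FileVault unlock rights against an allow-list.
# Assumed input: "username,UUID" lines as printed by `sudo fdesetup list`.

# unexpected_unlockers ALLOWED...
# Reads list output on stdin; prints each enabled user not named in ALLOWED.
unexpected_unlockers() {
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        user=${line%,*}              # strip the trailing ",UUID"
        keep=no
        for allowed in "$@"; do
            if [ "$user" = "$allowed" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then printf '%s\n' "$user"; fi
    done
}

# removal_commands
# Reads usernames on stdin; prints one command per user for review.
# Names are single-quoted, so spaces need no backslash and an embedded
# quote cannot break out of the argument.
removal_commands() {
    while IFS= read -r user; do
        quoted=$(printf '%s' "$user" | sed "s/'/'\\\\''/g")
        printf "sudo fdesetup remove -user '%s'\n" "$quoted"
    done
}

# Constructed sample of `fdesetup list` output (names and UUIDs are made up).
SAMPLE_LIST='admin,11111111-2222-3333-4444-555555555555
test,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
Jony Ive,99999999-8888-7777-6666-555555555555'

# Demo on the sample: everything except "admin" is reported.
printf '%s\n' "$SAMPLE_LIST" | unexpected_unlockers admin | removal_commands

# On a real Mac, review the output before running any of it:
#   sudo fdesetup list | unexpected_unlockers admin | removal_commands
```

The script only prints commands; nothing is removed until you paste a line into Terminal yourself.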


Thanks go out to Rich Trouton of Der Flounder for being nice enough to let me write this up! Now go read some more of his stuff.

Graham McKay

Nice to know the function exists and possibly I’ll never need to use that command (I’m more likely to just delete a “test” user) but I think this is another of those cases where somebody at Apple has decided to not include a function in the GUI so as to protect the “innocent” – without thought for the “experienced” amongst us.