The Eclectic Light Company
hoakley, April 25, 2018, in Macs, Technology

APFS encryption, ghost guest users, and odd UUIDs

If you’re using APFS encryption, you might have stumbled across some odd user names when asked to enter your password to unlock a disk – like FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9.

[screenshot: guestuuid01, the unlock dialog listing an FFFFEEEE-… user]

One way of running into this is to make a bootable clone of your APFS encrypted boot volume to an external SSD, then start up from that clone. When you’re invited to enter your password to unlock the internal disk, you may well find odd additional users listed, as well as yourself.

You may be able to replicate this by installing macOS 10.13.4 onto an external drive, ensuring that Guest access is enabled, then turning APFS encryption on. When you connect that external drive to a running High Sierra system, you’ll be prompted to unlock the disk, and may well see similar spurious users listed there as well.

If you use encryption because you have sensitive data on your Mac’s storage, this could appear quite alarming. Has someone hacked into your drive already, or is this another security vulnerability in High Sierra?

The answer is that there is nothing wrong with this behaviour: a guest user can't unlock your encrypted volume, so it isn't a vulnerability, or even a bug. I don't think that High Sierra should be doing it, but when it does, there is no cause for alarm.

[screenshot: guestuuid02]

To understand what is happening here, you need to know how High Sierra manages encrypted volumes and their access. When an APFS volume is encrypted, it carries a list of the cryptographic users that are allowed to unlock it. Local accounts are identified in that list by their GeneratedUID, an attribute of the account's Open Directory record. A GeneratedUID looks like a UUID, but it is assigned by the directory service rather than by the file system, and the two shouldn't be confused. Although 'real' users have GeneratedUIDs that are randomly generated and effectively unique, the accounts that macOS creates for itself, such as root, the Apple Events User and Guest, are assigned fixed ones: the prefix
FFFFEEEE-DDDD-CCCC-BBBB-AAAA
followed by the account's numeric UID written as eight hexadecimal digits. Guest has UID 201, which is C9 in hex, so Guest user accounts are normally assigned a GeneratedUID of
FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9
If you want to look these up, open Directory Utility (in /System/Library/CoreServices/Applications), select the Directory Editor, and view Users; the GeneratedUID attribute is shown for each account.

[screenshot: guestuuid03, Directory Editor showing the Guest record]

If you are already logged on, when you connect an encrypted external volume macOS checks whether your account is among that volume's cryptographic users and invites you to unlock it. If the volume is bootable, macOS may instead offer a list of the users known to it, identified by their GeneratedUIDs. If the system that created the volume had a guest user enabled, that list may well contain the Guest account.

This may be confounded by what some of us have considered bad practice in macOS: when you first configure macOS on a brand new Mac, or install it onto a freshly erased volume, the Guest user is usually but not always enabled by default. Disabling that Guest user is one of the first things that I do whenever I get a new Mac, and it worries me that many users don’t know that they should do that. Apple should set the default as the Guest user disabled, for its improved security.

When macOS is configured with the Guest user enabled (often by default), the Guest user account will be created, and assigned its special GeneratedUID. Even though you may then disable guest access, Guest User may be left in its list of users. So it may be carried over into the list of users for an encrypted volume long after the account was disabled.

This doesn't mean that a guest user, active or ghost, can unlock an encrypted volume, though. When a Mac starts up from an encrypted APFS startup volume, the firmware can't read that volume until it has been unlocked, so it boots the unlock interface from the container's unencrypted Preboot volume and presents the list of known users there. Only an account holding a Secure Token for that volume can unlock it. A Guest entry, where one is offered, can't authenticate, so at most it starts the Recovery system, leaving the guest with just that to play with while the real startup volume remains encrypted and unmounted. High Sierra's Secure Token system is what ensures that a guest can't go any further.

If you use FileVault on an APFS startup volume, you can view the list of accounts enabled to unlock it by entering the Terminal command
sudo fdesetup list
and authenticating. You'll see one line per enabled account, like
hoakley,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
where the first field is the account's short name and the second is its GeneratedUID. If that list includes any Guest account, it should appear as
guest,FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9

If it bothers you, you can remove the Guest account using
sudo fdesetup remove -user guest
or by GeneratedUID as
sudo fdesetup remove -uuid FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9
although you should be able to rely on the Secure Token system to ensure that your guests don’t get out of control.
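The GeneratedUID convention described above, applied to the output of fdesetup list, as a shell script added here (this is not code from the original post). The fdesetup output it reads is a constructed sample; on a Mac you would substitute the real output of sudo fdesetup list. The only assumption it makes is the one set out above: that accounts created by macOS carry the prefix FFFFEEEE-DDDD-CCCC-BBBB-AAAA followed by their UID in hex, which you can confirm for Guest with dscl . -read /Users/Guest GeneratedUID.

```shell
#!/bin/sh
# Added example, not from the original post: audit `sudo fdesetup list`
# output for accounts that macOS created itself (Guest, _appleevents,
# root and the like). Their GeneratedUIDs all share one prefix and end in
# the account's numeric UID as eight hex digits, so they can be decoded.

SYSTEM_PREFIX="FFFFEEEE-DDDD-CCCC-BBBB-AAAA"

# Print the numeric UID encoded in a system GeneratedUID.
# Returns 1 (printing nothing) for a normal, randomly generated one.
uid_from_generated_uid() {
    guid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$guid" in
        "$SYSTEM_PREFIX"????????)
            hex=${guid#"$SYSTEM_PREFIX"}
            printf '%d\n' "0x$hex"   # e.g. 000000C9 -> 201 (Guest)
            ;;
        *)
            return 1
            ;;
    esac
}

# Read fdesetup-style "name,GeneratedUID" lines on stdin and emit one
# line per system account: "name uid GeneratedUID".
flag_system_users() {
    while IFS=, read -r name guid; do
        [ -n "$name" ] || continue
        if uid=$(uid_from_generated_uid "$guid"); then
            printf '%s %s %s\n' "$name" "$uid" "$guid"
        fi
    done
}

# Constructed sample of `sudo fdesetup list`: one real admin account and
# a ghost Guest entry left over from before guest access was disabled.
SAMPLE_LIST='hoakley,3F2504E0-4F89-41D3-9A0C-0305E82C3301
Guest,FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9'

# On a real Mac:  sudo fdesetup list | flag_system_users
printf '%s\n' "$SAMPLE_LIST" | flag_system_users |
while read -r name uid guid; do
    printf 'system account %s (uid %s) is a FileVault user; remove with:\n' "$name" "$uid"
    printf '  sudo fdesetup remove -uuid %s\n' "$guid"
done
```

The script only reports; it prints the fdesetup remove command rather than running it, because removing a FileVault user is an administrative decision and fdesetup needs root.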

You may also be able to list the cryptographic users of any encrypted APFS volume, not just the startup volume, with a command like
diskutil apfs listCryptoUsers /dev/disk1s4
where disk1s4 is the encrypted volume. Each entry shows a UUID and a Type, and the Type matters. FileVault-enabled accounts appear with Type: Local Open Directory User and their GeneratedUID; a personal recovery key appears as Type: Personal Recovery User; and a passphrase set when the volume itself was encrypted, in Disk Utility or with diskutil apfs encryptVolume, appears as Type: Disk User. My external volume had been encrypted with a disk password rather than enabled for FileVault accounts, so all I was able to elicit was that single entry:
Cryptographic user for disk1s4 (1 found)
|
+-- XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    Type: Disk User
    Hint: C

where the UUID identifies that disk password as a cryptographic user rather than a local account, and Hint is its password hint, which is why no GeneratedUID appears at all.
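Telling those Types apart in diskutil's output, as a shell example added here (not from the original post). Both sample listings are constructed to follow the tree layout that diskutil apfs listCryptoUsers prints: the Type strings and the fixed UUID of the Personal Recovery User are the ones macOS uses, while the account and disk-password UUIDs are made up.

```shell
#!/bin/sh
# Added example, not from the original post: classify the entries printed by
#   diskutil apfs listCryptoUsers /dev/diskNsM
# so that a "Disk User" (the volume's own passphrase) is not mistaken for a
# local account, and so that ghost system accounts stand out.

# Turn diskutil's tree output on stdin into "UUID<TAB>Type" lines.
crypto_users() {
    awk '
        /^[+]-- /  { uuid = $2; next }
        /Type: /   { sub(/^.*Type: */, ""); printf "%s\t%s\n", uuid, $0 }
    '
}

# Count the entries of one Type in a listing: count_type "$LISTING" "Disk User"
count_type() {
    printf '%s\n' "$1" | crypto_users |
        awk -F '\t' -v t="$2" '$2 == t { n++ } END { print n + 0 }'
}

# Print the UUIDs of Open Directory users whose GeneratedUID carries the
# prefix macOS gives its own accounts (Guest, _appleevents, root, ...).
ghost_entries() {
    printf '%s\n' "$1" | crypto_users |
        awk -F '\t' '$2 == "Local Open Directory User" &&
                     $1 ~ /^FFFFEEEE-DDDD-CCCC-BBBB-AAAA/ { print $1 }'
}

# Constructed: a FileVault startup volume with one admin, a leftover Guest
# entry and a personal recovery key.
BOOT_VOLUME='Cryptographic users for disk1s1 (3 found)
|
+-- 3F2504E0-4F89-41D3-9A0C-0305E82C3301
|   Type: Local Open Directory User
|
+-- FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User'

# Constructed: an external volume encrypted with a disk password, as in the post.
EXTERNAL_VOLUME='Cryptographic user for disk1s4 (1 found)
|
+-- 4B7D9C02-6E4F-4A1B-9F3D-2C1E8A7B6D5F
    Type: Disk User
    Hint: C'

# On a real Mac:  diskutil apfs listCryptoUsers /dev/disk1s1 | crypto_users
for listing in "$BOOT_VOLUME" "$EXTERNAL_VOLUME"; do
    printf '%s\n' "$listing" | head -n 1
    printf '%s\n' "$listing" | crypto_users | sed 's/^/  /'
    for guid in $(ghost_entries "$listing"); do
        printf '  WARNING: %s is a macOS system account left enabled for this volume\n' "$guid"
    done
done
```

A Disk User entry is expected on a volume that was encrypted with a passphrase; the entries worth a second look are Local Open Directory Users with the FFFFEEEE-DDDD-CCCC-BBBB-AAAA prefix, which are exactly the ghost accounts the post describes.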

To learn more about fdesetup, study Rich Trouton’s superb presentation about it. Although I have looked for documentation from Apple about these issues, you may be unsurprised to learn that my search drew a complete blank.

I am very grateful to Sebastian for asking me what turned out to be such a fascinating question, for providing all the clues needed to work out what was going on, and for letting me use his screenshot.

Posted in Macs, Technology and tagged APFS, encryption, FileVault, guest, guest account, High Sierra, macOS 10.13, security, UUID.

2 Comments

1. Sebastian on April 25, 2018 at 11:46 am

    Thank you, Howard, for laying this out so clearly. I don’t know how many Mac users actually work with cloned drives or other external installations of macOS, but for those who do, this strange appearance in the disk unlocking dialog is certainly a proper scare—especially if you KNOW you only have one user account. As much as I was relieved to learn there is no underlying security risk here, Apple should still be blamed for a confusing and inconsistent UI, and for lack of any documentation.

    Other readers who are interested in Apple’s Secure Token system will find further information in another article on Rich Trouton’s blog:

    https://derflounder.wordpress.com/2018/01/20/secure-token-and-filevault-on-apple-file-system/

    And also here, which details how to enable/disable Secure Token for a particular user:

    https://babodee.wordpress.com/2017/10/05/sysadminctl-changes-in-10-13/

    Importantly, Secure Token is categorically required for a user to be able to unlock an encrypted APFS volume—disable it, and the user cannot access the volume, Guest, ghost, or otherwise. And while High Sierra (questionably) assigns a Secure Token to the Guest user when it is enabled through System Preferences on unencrypted APFS volumes, the saving grace is that it revokes that Secure Token (for the Guest user) once FileVault is enabled. So the issue remains as a usability hurdle, but encrypted APFS volumes remain secure against unauthorized access.


2. Michael Tsai - Blog - Apple File System Reference on September 21, 2018 at 10:39 pm

    […] also: APFS encryption, ghost guest users, and odd UUIDs, What APFS Does for You, and What You Can Do with […]

