The Key From Before Enabling FileVault
The behavior I observe implies that turning on FileVault and supplying a password does nothing more than encrypt the encryption key already there using the user-supplied password (and presumably a random salt value or vice versa). Because if the data is already encrypted, the decryption key and/or salt value either must remain the same, or all the data must be decrypted and re-encrypted.
Which suggests some level of security risk since that key already existed without the password protection of the user-supplied encryption password. I presume that the T4 secure enclave somehow forestalls this security risk, but I do not know the details. Maybe there is some per-chip specificity that forestalls a general security weakness. Even so, that assumes hardware invulnerability, which is not possible.
I have been wondering about that, too.
3 Comments RSS · Twitter
I just got a new 2018 Mac mini and have encountered a critical bug after enabling FileVault.
Last night, I enabled FileVault on my 2018 Mac mini from within System Preferences. This morning, when I booted my Mac after shutting it down (the first boot after turning on FileVault), I was prompted to enter my password to sign in, and it didn’t work! After a few incorrect tries, I was prompted to enter my FileVault Recovery Key, so I entered my carefully recorded Recovery Key, and that didn’t work either.
So basically I am now completely locked out of my Mac, with no way to recover my data.
Here’s the crazy thing: if I boot into Recovery Mode (holding cmd-R at boot time) and then try to launch Terminal from within Recovery Mode, I am prompted for my administrator password to open Terminal. If I enter my password there, it works!
So somehow the system installed in Recovery Mode has my correct password, but BridgeOS or EFI or whatever controls the early boot process for volumes with FileVault enabled is borked and won't accept my password, so now I am permanently locked out and I’m going to have to restore my entire Mac. :-(
Be very careful when turning on FileVault on T2 Macs. When you reboot your machine, you may be in for a nasty surprise, like me.
@Jeff Hunter,
You seem to be pretty knowledgeable here, can you update us on your findings? Do you have only a single user account on this Mac? Did you find any mention of this problem elsewhere?
To be fair, Apple does mostly document this process:
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
Yes, the UID:
Yes:
And:
(That page also features a figure of the key hierarchy.)
It’s not entirely clear to me how this works (I assume the password never actually becomes part of the key-derivation function?), but people who know more about cryptography than I do (which ain’t hard) will probably be able to glean some more information from Apple’s document.