Thursday, April 4, 2024

New FileVault Recovery Keys and GoFetch

Howard Oakley:

macOS Sonoma 14.4 and 14.4.1 updates have been prompting some users to create a new FileVault Recovery Key. If you see this as your Mac completes an update, here’s what you should next.

[…]

If your Mac has FileVault turned on, and you opt to use a Recovery Key, check using fdesetup validaterecovery that the Recovery Key is correct whenever it’s changed. Otherwise you could be in for a big disappointment if you ever need to use it.

It’s not clear why some users are being prompted.

Howard Oakley:

The internal SSD in T2 and Apple silicon Macs is connected directly to its Secure Enclave, which performs its encryption and decryption using keys generated and stored within the Secure Enclave.

[…]

All volumes on the internal SSD that are encrypted have a Volume Encryption Key (VEK), protected by two internal keys, one the unique hardware UID from the Secure Enclave, the other from xART and intended to protect from replay attacks. The VEK isn’t exposed outside the Secure Enclave, nor is it handled by CPU cores.

[…]

When a user enables FileVault, a third key becomes involved in protecting the VEK, the Key Encryption Key (KEK), protected by the User Password and the hardware UID. This explains how no decryption and re-encryption is required when changing the User Password, or when enabling or disabling FileVault. Changes to the KEK affect access to the VEK, but don’t change the VEK at all.

[…]

Software encryption, including FileVault, for external storage of Apple silicon Macs may be vulnerable to GoFetch, but there’s no evidence that could affect FileVault encryption performed in the Secure Enclave.

Previously:

Comments RSS · Twitter · Mastodon

Leave a Comment