FileVault individual recovery key creation/regeneration timestamp not reflected permanently on filesystem

Originator: arubdesu
Number: rdar://28045946 Date Originated: 27-Aug-2016 05:43 PM
Status: Open Resolved:
Product: OS X Product Version: All 10.7+
Classification: Security Reproducible: Always
 
Summary:
In addition to the issue reported in radar 28034006, being able to correlate the last time a FV2 recovery key was used with the timestamp of when it was last generated (a key can be regenerated/rotated after encryption is initiated) lets an admin determine whether the individual recovery key currently in effect still needs to be escrowed. Currently there is no known/documented way to tell when a recovery key was last generated for a volume, and that information does not appear to persist anywhere on the filesystem.

Steps to Reproduce:
1. Initiate FileVault encryption on a computer running 10.12 in System Preferences, which generates a personal/individual recovery key.
2. Run: sudo log show --debug --info --predicate 'process == "fdesetup"'

Expected Results:
Somewhere in the logs or on the filesystem, a key to the effect of 'personal recovery key last generated date' would be set to a timestamp, or a subcommand of 'fdesetup' would report last time a distinct key became associated with a particular volume.

Actual Results:
There is no documented place on the filesystem or in the log that reflects the time a key became associated with the boot volume and allows FV2 unlock.
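Since the OS keeps no record of when a personal recovery key (PRK) was generated, an administrator who rotates keys through a wrapper can keep that record themselves and later match a key that was used for an unlock back to its generation time. The script below is an added example written for this report; it is not Apple's code and not part of the radar. It assumes an arbitrary state-file path (override with PRK_STATE_FILE), stores only the SHA-256 of each key (the key itself goes to the escrow system, not this file), and assumes that fdesetup changerecovery -personal prints the new key on stdout once the caller has handled authentication (for example via -inputplist).

```shell
#!/bin/sh
# Added example, not part of the radar: record when each FileVault personal
# recovery key (PRK) was generated, because macOS persists no such timestamp.
# Assumptions: PRK_STATE_FILE is an arbitrary root-writable path chosen here;
# only the SHA-256 of a key is stored so a key presented later can be matched
# to its generation time without keeping the key on the volume it unlocks.

PRK_STATE_FILE="${PRK_STATE_FILE:-/var/db/fv2_prk_rotations.log}"

# SHA-256 hex digest of stdin; macOS ships shasum, Linux ships sha256sum.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Append one line "<ISO-8601 UTC timestamp> <volume> <sha256(key)>".
# $3 is optional and exists so a caller (or a test) can pin the timestamp.
record_prk_rotation() {
    vol=$1; key=$2; stamp=${3:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    digest=$(printf '%s' "$key" | sha256_hex)
    printf '%s %s %s\n' "$stamp" "$vol" "$digest" >> "$PRK_STATE_FILE"
}

# Print the timestamp of the most recent rotation recorded for a volume
# (prints nothing if the volume has no entries).
last_prk_rotation() {
    awk -v v="$1" '$2 == v { t = $1 } END { if (t != "") print t }' "$PRK_STATE_FILE"
}

# Given a volume and a key that was just used to unlock it, print when that
# key was generated; exit 1 if the key is unknown (e.g. rotated outside
# this wrapper), which is exactly the case that should trigger re-escrow.
prk_generation_time() {
    digest=$(printf '%s' "$2" | sha256_hex)
    awk -v v="$1" -v d="$digest" \
        '$2 == v && $3 == d { t = $1 } END { if (t == "") exit 1; print t }' \
        "$PRK_STATE_FILE"
}

# Rotate the PRK with Apple's fdesetup and record the event. Requires root
# on a FileVault-enabled Mac and assumes the new key is printed on stdout;
# authentication (e.g. -inputplist) is the caller's responsibility.
rotate_prk_and_record() {
    vol=${1:-/}
    key=$(fdesetup changerecovery -personal) || return 1
    record_prk_rotation "$vol" "$key"
    printf '%s\n' "$key"   # hand the new key to the escrow step, never log it
}
```

Usage is rotate_prk_and_record followed by escrow of the printed key; afterwards, prk_generation_time "<volume>" "<key>" answers the question this report raises (when was this key created), and a non-zero exit means the key in effect was generated outside the wrapper and its escrow status is unknown.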

Regression:
All OS versions that support FileVault, including macOS 10.12 Sierra developer preview 7

Notes:
Affected install count: hundreds at Montefiore Medical Group, thousands at Einstein College of Medicine
