macOS 10.13 with APFS and FileVault2 encryption enabled deletes personal recovery keys in error

Number:rdar://34940017 Date Originated:11-Oct-2017 01:16 PM
Status:Open Resolved:
Product:macOS + SDK Product Version:10.13.0 17A365
Classification:Serious Bug Reproducible:Always
If you have multiple accounts enabled for FileVault2 on 10.13 using APFS, only the account credentials currently logged in as the console/active desktop user can safely change the personal recovery key.

Any attempt to use an account other than the one visually logged into the Finder/desktop in an automated fashion will generate an error when attempting to change the recovery key and then - in a completely unexpected/erroneous move - immediately delete the current recovery key.

Steps to Reproduce:
- Install 10.12.6
- Create two administrative users (test1 and test2)
- Enable FileVault encryption
- Reboot twice - verifying that both users (test1 and test2) can unlock and log into the device
- Upgrade to 10.13 and verify the filesystem was updated from HFS+ to APFS
- Reboot twice - verifying that both users (test1 and test2) can unlock and log into the device
- Log in with one account (test1) and use: sudo fdesetup changerecovery -personal
- Verify that a new recovery key is generated and displayed
- Open Terminal and type: login    - then log in as the other account (test2)
- As the non-console account, use: sudo fdesetup changerecovery -personal

Expected Results:
A new personal recovery key is generated

Actual Results:
sudo fdesetup changerecovery -personal
Password: <enter second user password>
Enter your password: <enter second user password>
Error: Unable to change key.

The above error message is displayed and no recovery key is generated.

Running sudo fdesetup haspersonalrecoverykey   now returns false where before it returned true, and the prior recovery key no longer works with fdesetup validaterecovery

10.13.0 17A365

Number of devices affected: 37000+

This procedure is confirmed to work just fine with 10.12.6.

Since 10.13 removed the ability to change the recovery key using the current recovery key (it appears to now require a user's password), if an organization attempted to perform automated recovery key rotation in the background using a FileVault2 enabled account, it will not only fail to do so under 10.13 with APFS, it will also erroneously delete the existing recovery key during the process.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!