fdesetup changerecovery deletes recovery keys (10.13.1/17B46a)
Originator: brunerd
Number: rdar://35258997
Date Originated: 10/30/2017
Status: Dupe/Closed
Resolved:
Product: macOS + SDK
Product Version: 10.13.1/17B46a
Classification: Security
Reproducible: Always
Area: Terminal

Summary:
fdesetup will delete the FileVault 2 Recovery Key on a "changerecovery -personal" operation if given
A) an incorrect password or
B) the valid password of a user who is not the current console user

This is a security bug that results in data loss.

Steps to Reproduce:
Install 10.13, update to beta 5 (occurs in betas 1-4 also)
Enable FileVault via Security Preference pane, note the recovery key
Allow encryption to finish
Add another user via Users and Groups preference pane
Open Terminal
Run: fdesetup list
Note there should be 3 entries: the two users and (null) the recovery key entry
Run "fdesetup changerecovery -personal"
Supply either:
A) an incorrect password
B) the 2nd user created who is not the current console user
Run: fdesetup list
Note (null) is not there
Run: fdesetup validaterecovery
Enter recovery key given at encryption, it returns false, the recovery key has been deleted

Expected Results:
When running "fdesetup changerecovery -personal"
A) An incorrect password should simply error out with "Error: Unable to unlock FileVault." and exit with exit status 11
B) Given ANY valid FileVault 2 password generate a new key

Actual Results:
In both cases A) incorrect password given and B) password of non-console user given
"Error: Unable to change key", with exit status 136
!!! Recovery key is deleted !!!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Version/Build:
10.13.1/17B46a (beta5)

Configuration:
Tested on APFS not converted from JHFS+
10.13 installed via createinstallmedia to non-encrypted APFS container
Drive was not converted. APFS drive created using 10.13 Disk Utility

Notes/Regression:
The behavior did not occur in 10.7, 10.8, 10.9, 10.10, 10.11 or 10.12. Regression is new to 10.13.

It is also counter to the advice given in the man page of fdesetup(8):
"It is not recommended that you remove all recovery keys since, if you lose your FileVault password, you may not be able to access your information."
This is precisely what this behavior is doing.

Also the typo "volune" appears in the man page as well.
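
An added example, not part of the original report or of Apple's tooling: a shell guard that snapshots `fdesetup list` before and after `changerecovery -personal` and flags the failure mode reported above. It assumes the recovery key shows up as a line beginning with `(null)`, as the report describes; the function names and the `FDESETUP` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: guard around "fdesetup changerecovery -personal".
# Assumption: "fdesetup list" prints one entry per line and the personal
# recovery key appears as a line starting with "(null)" (per the report).

# has_recovery_entry LIST_OUTPUT
# Succeeds when the list output contains a "(null)" recovery key entry.
has_recovery_entry() {
    printf '%s\n' "$1" | grep -q '^(null)'
}

# classify_change BEFORE_LIST AFTER_LIST EXIT_STATUS
# Prints a verdict and returns: 0 = key still present, 1 = key was deleted,
# 2 = there was no recovery key entry to begin with.
classify_change() {
    cc_before=$1
    cc_after=$2
    cc_status=$3
    if ! has_recovery_entry "$cc_before"; then
        echo "no-key-before"
        return 2
    fi
    if has_recovery_entry "$cc_after"; then
        if [ "$cc_status" -eq 0 ]; then
            echo "changed"
        else
            echo "failed-key-intact"
        fi
        return 0
    fi
    echo "key-deleted"
    return 1
}

# guarded_changerecovery
# Runs the real command (run as root on macOS) and reports the verdict.
# FDESETUP may point at another binary or function for testing.
guarded_changerecovery() {
    gc_fde=${FDESETUP:-fdesetup}
    gc_before=$("$gc_fde" list)
    gc_status=0
    "$gc_fde" changerecovery -personal || gc_status=$?
    gc_after=$("$gc_fde" list)
    echo "changerecovery exit status: $gc_status"
    classify_change "$gc_before" "$gc_after" "$gc_status"
}
```

A `key-deleted` verdict means the volume no longer lists a personal recovery key and a new one should be generated and escrowed before the machine is relied on again.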