Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Encryption key, changed and/or not?

Sciuriware

Sciuriware

macrumors 6502a
Original poster
Jan 4, 2014
813
184
Gelderland
Hi all,
I just upgraded 2 systems to 14.5
One rebooted at completion without a single message or question.
The other did and announced a different encryption key for the disk.
I seem to remember that this happened exactly once before.
What's the difference? #1 is a MacBook M2, #2 is a Mac Studio M1.
Any ideas?
;JOOP!
 
Here is an explanation. It explains that although you were presented with a new recovery key, you should validate it. for me, the new recovery key I got didn’t actually replace my original key.

eclecticlight.co

What to do when offered a new FileVault Recovery Key

You’ve just updated to 14.4 or 14.4.1 and are prompted to set up a new Recovery Key for FileVault. What do you do next, and how should you check the key?
eclecticlight.co eclecticlight.co
 
  • Like
Reactions: CoastalOR, frou and KaliYoni
chabig said:
Here is an explanation. It explains that although you were presented with a new recovery key, you should validate it. for me, the new recovery key I got didn’t actually replace my original key.

eclecticlight.co

What to do when offered a new FileVault Recovery Key

You’ve just updated to 14.4 or 14.4.1 and are prompted to set up a new Recovery Key for FileVault. What do you do next, and how should you check the key?
eclecticlight.co eclecticlight.co
Click to expand...
I get the feeling that APPLE only made things more complicated.
So I choose to store any key and/or password away, do not use iCloud and forget about everything.
Thanks any way.
;JOOP!
 
Sciuriware said:
I get the feeling that APPLE only made things more complicated.
So I choose to store any key and/or password away, do not use iCloud and forget about everything.
Thanks any way.
;JOOP!
Click to expand...
No, it doesn’t work perhaps the way you think.

In cryptographic systems, we have many, many keys. There are keys which protect other keys, for example. So your disk may be encrypted with a key, but that is not the key which Apple gives you. There are perfectly valid reasons for this, but suffice to say, if for some reason Apple believes that one of the key storage methods may potentially be compromised, it will change out that key, and if that key is user-facing, like in this case, it will present it to you. Other times, keys can be changed and you don’t know, because they are under the hood. If you look at Apple’s keychain manager, you’ll see loads of keys you never thought existed.
 
🤔
Based on this tiny sampling, it’s a mobile vs. desktop Mac difference as my Mac mini generated a new key related to the macOS 14.5 (upgrade) install but the MBP apparently didn’t.

chabig said:
Here is an explanation. It explains that although you were presented with a new recovery key, you should validate it. for me, the new recovery key I got didn’t actually replace my original key.

eclecticlight.co

What to do when offered a new FileVault Recovery Key

You’ve just updated to 14.4 or 14.4.1 and are prompted to set up a new Recovery Key for FileVault. What do you do next, and how should you check the key?
eclecticlight.co eclecticlight.co
Click to expand...
The new key validated (i.e., “true”).

Alameda said:
In cryptographic systems, we have many, many keys. There are keys which protect other keys, for example. So your disk may be encrypted with a key, but that is not the key which Apple gives you. There are perfectly valid reasons for this, but suffice to say, if for some reason Apple believes that one of the key storage methods may potentially be compromised, it will change out that key, and if that key is user-facing, like in this case, it will present it to you. Other times, keys can be changed and you don’t know, because they are under the hood. If you look at Apple’s keychain manager, you’ll see loads of keys you never thought existed.
Click to expand...
Yes, although...

Volume encryption with FileVault in macOS

In Mac OS X 10.3 or later, Mac computers provide FileVault, a built-in encryption capability to secure all data at rest.
support.apple.com

I didn’t change my user password (and I assume @Sciuriware didn’t as well). And the UID is fused into the Secure Enclave. Therefore, that seemingly leaves only a change to the methodology (i.e., algorithm) of the encryption, which there are many valid reasons to do so. Curiously, why wouldn’t it be necessary and implemented on all related Macs (e.g., only M1 series, only M1 base). Is it essential for us, the users, to know? Nope, but it is a light head scratcher at the minimum.
 
Thanks to everybody trying to make things clear.
Being a computer specialist myself, I can imagine that many 'ordinary' users feel like in a jungle this way.
Many good reasons to keep your passwords safe.
;JOOP!
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back