
f(x)

macrumors newbie
Original poster
Feb 17, 2016
1
0
Hi,

I want to know if OS X El Capitan stores the decryption keys for a fully encrypted drive in their Apple corporation computers? When encrypting the full disk, OS X El Capitan says it stores the encryption/decryption keys in iCloud in case you forget your password. So does this mean that Apple or the government can decrypt your hard drive without your permission? Please elaborate. Thanks for your time.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,156
317
If you choose to allow your iCloud account to unlock your disk, then clearly Apple must store the keys on Apple servers. If this is a concern, then do not use that option. Presumably your keys would be protected by your iCloud userid and password, but why needlessly create risk?

A.
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,289
4,986
The option you get when turning on FileVault is not to store the encryption key. What it is offering to store is the recovery key. Should you forget your password(s) for the account(s) on the machine or become corrupt, you can enter your recovery key (if I recall correctly, that option happens after 5 failed attempts using standard login(s)).

Apple says that the recovery key is encrypted by a key made up of your security question answers. Apple claims that they do not store the answers to your questions, just the questions themselves, and that if you forget the answers to the questions, they cannot recover the recovery key.

So, to decrypt your drive, someone first needs physical access to it, and then needs either your user password or the recovery key. Bigger issue with all this is choosing a weak password for your user account, since that is what encrypts the encryption key that encrypts the actual disk encryption key. Recovery key does same function: encrypts the encryption key that encrypts the actual disk encryption key. All these keys are stored on your machine.

As Alrescha said, don't set up your account to use the same password as your Apple ID. Don't use an easy-to-crack password (read: dictionary attack). And if still concerned, don't save the recovery key with Apple.
 
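Added example, not part of any post in this thread and not Apple's code: a simplified Python model of the key hierarchy described in the post above, where the user password and the recovery key each wrap the same key-encrypting key, which in turn wraps the volume key. The names `Volume`, `kdf`, `wrap` and `unwrap` are hypothetical, the XOR-plus-HMAC wrap is a toy stand-in for a real key-wrap algorithm and is not FileVault's actual format, and the password and recovery key values are constructed.

```python
import hashlib, hmac, os

def kdf(secret: str, salt: bytes) -> bytes:
    # Stretch a password or recovery key into a 32-byte wrapping key.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def wrap(wrapping_key: bytes, key: bytes) -> bytes:
    # Toy authenticated wrap of a 32-byte key: XOR pad plus HMAC tag.
    nonce = os.urandom(16)
    pad = hmac.new(wrapping_key, b"pad" + nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(wrapping_key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(wrapping_key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong secret or tampered blob")
    pad = hmac.new(wrapping_key, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

class Volume:
    # Only wrapped keys and salts are kept; the raw keys are never stored.
    def __init__(self, password: str, recovery_key: str):
        volume_key, kek = os.urandom(32), os.urandom(32)
        self.wrapped_volume_key = wrap(kek, volume_key)
        self.slots = {}
        for name, secret in (("password", password), ("recovery", recovery_key)):
            salt = os.urandom(16)
            self.slots[name] = (salt, wrap(kdf(secret, salt), kek))

    def unlock(self, slot: str, secret: str) -> bytes:
        salt, blob = self.slots[slot]
        kek = unwrap(kdf(secret, salt), blob)
        return unwrap(kek, self.wrapped_volume_key)

    def change_password(self, old: str, new: str) -> None:
        # Only the small wrapped KEK is rewritten; disk data is untouched.
        salt, blob = self.slots["password"]
        kek = unwrap(kdf(old, salt), blob)
        salt = os.urandom(16)
        self.slots["password"] = (salt, wrap(kdf(new, salt), kek))

if __name__ == "__main__":
    vol = Volume("constructed-passphrase", "ABCD-EFGH-IJKL-MNOP-QRST-UVWX")
    print(vol.unlock("password", "constructed-passphrase")
          == vol.unlock("recovery", "ABCD-EFGH-IJKL-MNOP-QRST-UVWX"))
```

Because every slot wraps the same key-encrypting key, the volume is only as strong as the weakest secret protecting any one slot.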