Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
T2 Security Chip and FileVault
- Thread starter kd1
- Start date
- Sort by reaction score
Assuming they were available, would they be able to retrieve the data using such programs? Not that I am worried at all about such an instance. But at this point I am genuinely curious since it seems there are one or two people offering different information here, lol. And the post has taken a strange turn.
I am curious now how secure a cryptographic erase is vs forensic software. My understanding is that even with forensic software, the best it could do is see data that is currently on the drive, not stuff that was previously cryptographically erased. Is this assumption correct?
This has turned into an interesting discussion and I really am learning a lot, so thank you all! I have used the Mac system for years but never bothered to delve into how things work. I enjoy learning about the various security measures they have in place to keep our data safe.
@chrfr @iStorm @mr_roboto
Do you understand how ridiculous your defamation bluster is? You're posting under a pseudonym, and criminal defamation isn't even a thing where I live.
Also, what you didn't see (because the moderation team here chose to edit it out of my post) is that I offered a second possibility: that you were just ignorant. I think that's what we have here.
There is nothing known that can recover data from a T2 or Apple Silicon Mac which has been erased with Apple's "Erase all content and settings" feature. To understand why, we will have to do a shallow dive into how Apple's disk encryption feature works on these computers, and into how that Passware product works. I am going to gloss over a lot of details to avoid going too deep into the weeds.
To unlock a FileVault volume, roughly the following steps take place:
1. User credentials (username/PW) are submitted to Apple's Secure Enclave (SE)
2. SE uses these credentials to decrypt a volume encryption key (VEK)
3. (Operational mode) SE uses the VEK to encrypt disk writes and decrypt disk reads
The important thing to understand is that user data is not encrypted directly with the user's password, only with the VEK, and the VEK never leaves the Secure Enclave. It's generated by a true random number generator (TRNG) inside the SE when you create the volume. The SE stores the VEK and other secrets it holds on behalf of the user inside a nonvolatile secure memory cryptographically paired to that specific Secure Enclave.
For all practical purposes, it's impossible to guess the VEK. Nobody has broken AES in its two decades of existence so far, and a 256-bit key means a brute force guessing attack would take an absurd length of time (think billions of years minimum) to complete.
The vulnerable link in this chain is the user's password, because it decrypts the VEK. People can't memorize 256 bits of pure randomness, so inevitably their passwords are much weaker than the VEK itself. In fact, most people choose really bad passwords. So, Apple's SE has two features to protect against brute force password guessing. One is that it rate-limits how fast you can try passwords, the other is that after too many consecutive wrong guesses it will erase all secrets protected by the user's credentials, including the VEK. Erasing such secrets can also be done on request; this is how Apple's "Erase all content" feature works. Once the VEK is gone, user data is effectively gone, same as if you'd erased all the flash.
So what does Passware actually do, then? To start with, they are not selling a product which can recover data from an erased Mac. Instead, they are selling a forensics solution intended to recover data from an un-erased device - typically, a computer seized by law enforcement.
Their product only covers Intel Macs, both with and without T2 chips. The "Intel without T2" case means there's no Secure Enclave in the picture, which makes it far simpler to do brute force password attacks. You can even image the machine and do them offline.
For T2 Intel Macs, Passware relies on the "checkm8" exploit. This is a security flaw in Apple's A10 boot ROM; it affects T2 as well because T2 was an A10 derivative. checkm8 doesn't give an attacker total control over A10/T2 - most notably, you don't get arbitrary code execution on the Secure Enclave Processor (SEP). However, what Passmark was able to do is figure out a technique to prevent the SE from erasing secrets after too many wrong guesses.
That opens the door to password cracking, but guesses are still rate-limited by the Secure Enclave. Therefore, Passware's product is based on reducing the search space by trying a dictionary of common bad passwords, and passwords obtained from data breaches.
Passware's T2 password recovery product will not work on:
1. Any Apple Silicon Mac - there are no known boot ROM exploits like checkm8 for A12 onwards, so they do not claim it can work on anything but T2 Macs
2. A T2 Intel Mac secured by a password that is (a) strong and (b) unique to that Mac (meaning it cannot be revealed by a website data breach - don't re-use passwords, folks)
3. Any Mac erased by Apple's "Erase all content and settings" feature
1 & 3 are hard fails, zero chance of success for Passmark. 2 is a soft fail because in principle the attacker can try random passwords long enough to find the real one. The rate limit is about 15 password tries per second, so you may have to wait years to crack a strong password. On the other hand, if the password is something weak like a couple English dictionary words pasted together, it's probably going to crack it quite fast.
Now THIS is what I am talking about. This was such a detailed and informative answer on how the SE works, as well as how Apple has gone to extreme lengths to protect our data. Thank you so much for taking the time to type this out. You have definitely eased many of my curiosities on how the system works. I had even called Apple support to ask them how this all works, and noone was able to give me answer and suggested I try a forum site, lol!
I did want to clarify one thing from your post to make sure I understand. Am I looking at this right? User password—>VEK? As in, the user password is an extra layer of security but not completely necessary? With a cracked password, someone could theoretically get the VEK key and have access to your data but ONLY if it has not been wiped with Apple’s Erase all content and settings feature. But with a Mac that has filevault turned on, and a password, AND has been reset using Apple's Erase all content and settings feature, the data is GONE, right? My understanding of forensic recovery software is that it can only recover data from a device that is still retaining the data per se, not something that has been cryptographically erased. As in, a device that has nuclear secrets that were just moved to the recycle bin and “emptied”. With a cracked password it can be accessed. And especially not an Apple device that has a password and VEK that were wiped. But with a Mac that had nuclear secrets that had been wiped, that data is gibberish now because the VEK key is lost. Even if you found the password, you still couldn’t access the old VEK key and gain the nuclear secrets. Is this assumption correct? I don’t even know if I am making sense, lol.
You are making sense, and your interpretation is correct. The user password's role is to decrypt the tiny amount of storage containing the VEK, and the VEK is the key needed to actually read and write user data. Thanks to the strength of the encryption algorithm Apple uses for user data (AES-256), this system design makes it possible to cryptographically erase all user data by destroying the VEK, which takes very little time.
Theoretically, someone may someday figure out how to break AES-256. That would allow recovery of data after key destruction. Several early encryption algorithms failed to hold up under long-term scrutiny, or used small key sizes which became possible to brute force in a very short time as computing technology advanced. However, AES is a much more modern cipher design than those early weak ones. It has stood up to 20 years of researchers trying to break it, and there are no compute power advances on the horizon which will allow brute forcing a 256-bit key before humanity is extinct, so I personally consider it to be a very unlikely possibility.
I am going to try and type out what I think I learned. Can you consider it a test and grade me to see if I fully understand all of the information you gave me? lol. Thanks. If I “pass” I will consider myself newly informed about this subject and will be able to leave this thread satisfied.
1. The SE holds the VEK, which is created by a TRNG. The VEK is needed to read and write data to the drive.
2. The user password is an added layer of security which allows you to lock and unlock the VEK.
3. On a un-erased/non-reset (normal everyday use computer) Mac M2 with no password protection, the VEK is visible/discoverable by anyone and therefor all data on the drive currently is readable/accessible. But this is only data on the current drive, and any data that was previously erased and reset is still lost due to the previously destroyed VEK.
4. On a reset M2, with password protection, the VEK is inaccessible unless someone knows the password or can brute force it. However, Apple has measures in place to prevent too many incorrect guesses of the password, and will destroy the VEK after too many failed attempts, therefor making all data unrecoverable by any software whatsoever.
5. On a reset/erased M2 using Apple’s erase feature, the VEK is destroyed, making all data completely unrecoverable, unless somehow you crack the VEK.
6. Forensic recovery software of the highest level, like Passware or Cellebrite’s Macquisition AKA Digital Collector, can at most recover data from the T2 security chip and M1s. Even then, it still requires the data to not be cryptographically erased and needs to be a non reset Mac (AKA just a computer that you are using everyday). And even then, it won’t be able to acquire data that is previously sanitized/protected by the recently destroyed VEK.
7. Filevault encrypts the entire blocks/sectors of data on the drive, not just individual files.
In summary, having a strong password, filevault enabled, and using Apple’s Erase all feature, essentially means that the previously reset data is gone forever and can never, ever be recovered using modern computing methods.
*** Which does bring up an interesting thought for me. Let’s say I "Erase all" three times in a row, but not before loading the drive with 50gb of music each time. Erasing all three times in a row creates three separate VEKs, and basically cryptographically erases three times. Does the third erase write over the two previous erases? Or are there technically three separate VEKs with their associated encrypted data floating around on the drive, with potential to be unlocked assuming someone had the password to all three?
What is my score? lol
Last edited:
I don't think AES could stand up to an assault by a theoretical quantum computer though. While such a computer doesn't exist today, it is conceivable that it may exist in the fairly near future. There are new cryptographic algorithms that are thought to be quantum-resistant but as far as I know, no one is using them yet outside of academia.
Mostly pass. I think you may have gotten the impression that M1 and M2 are on a different footing? They're not, Passware and Digital Collector don't have any way to image a M series Mac with FileVault turned on. (Be careful when you visit the product marketing pages for these guys, I think you might have visited the Cellebrite product page and it is somewhat vague about what it actually does for M1, I suspect it's just "if you have a M1 Mac with FileVault turned off, or you know the password, we can forensically image it", which is not as exciting as what they'd like you to think. Marketing!)
Also, re: #3, the VEK is actually never discoverable. Unencrypted VEKs never leave the Secure Enclave.
There's actually not a lot of difference between a T2 or AS Mac with FV on or off. In both cases, user data volumes are always encrypted with a VEK held securely inside the SE. The differences are that:
While FV is off: At rest (meaning while stored in the SE's small nonvolatile key storage memory), the VEK is encrypted only by a secret private to that specific Secure Enclave. The SE will decrypt and use the VEK on request without requiring user secrets.
While FV is on: At rest, the VEK is encrypted by a combination of the SE's private secret and user secrets (password, recovery key). User secrets must be provided to start using the VEK, and the rate limiting and max-attempts protections are active.
Yes, this design does mean that if your Apple SoC dies, so does your data. You can't remove the data and key storage flash and put it in another Apple Silicon Mac, because its Secure Enclave won't know the other Secure Enclave's private key, and thus won't be able to decrypt anything in the key storage memory.
Use backups!
(also, as a side note: Remember how I said I was gonna gloss over details? Even this description is doing that, and I'm going from memory rather than being fresh on Apple's documentation of how this all works. Crypto systems can get kinda intricate, so I'm trying to give you the broad truth rather than writing a book.)
A cryptographic erase only destroys the key. The data storage technically remains intact and un-erased, but without the key, it's just so much noise. (Literally noise - one property of a good encryption algorithm is that its encrypted output is indistinguishable from noise, regardless of choice of key and input data.)
With Apple's Secure Enclave, key storage is a separate nonvolatile memory from the main SSD flash memory. When you "Erase all", Apple's software erases the key, then creates a new key and encrypted user data volume. This new volume partially overwrites the flash used for the old one, and as you write more to it, more of the old data becomes truly irretrievable (because it's overwritten) rather than merely impossible-odds irretrievable.
So, after three "Erase All"s in a row, you'll have one key (the others got destroyed), a volume secured by that key, and fragments of old data volumes encrypted with unknown keys, residing in disk blocks not yet overwritten by the latest user data volume.
Shor's algorithm allows a theoretical large quantum computer to factor large integers much faster than conventional computers, which would enable attacks against public key cryptography algorithms that depend on the difficulty level of integer factorization in conventional computers.
However, AES doesn't depend on integer factorization, and thus shouldn't fall victim to Shor's, even if someone actually manages to make a quantum computer large enough to do useful things with. As I understand it, quantum computing isn't generally thought to pose an existential threat to symmetric key algorithms like AES - at worst, you double the key size, and that's enough to take care of it. We're already there, as even AES-128 would be good enough to secure data against conventional computer based attacks, and Apple's using AES-256.
Well I don’t know enough about it but why is the NIST researching quantum-resistant crypto if AES-256 is good enough?
Edit:
NIST to Standardize Encryption Algorithms That Can Resist Attack by Quantum Computers
Last edited:
Different algorithms for different purposes. AES and other private-key ciphers use very different mathematical foundations than public key ciphers.
Private-key crypto means you use the same key for both encrypting and decrypting data, and only the sender and receiver can know that key or the channel will not be secure. Public-key crypto means the sender of the message has a key pair: one part of the pair must remain private, only known by the sender, the other public key can be distributed to anyone. In public key crypto, only the owner of the private part of a key pair can create messages decryptable by the public key. This allows cryptographic signatures - think "this website really is who they say they are".
Public key crypto is really important for secure WWW tech, because to establish a secure connection to your bank you need to reliably identify that nobody is impersonating your bank. But it's not needed in an application like full disk encryption, where you just need a secret key to encrypt some data.
So, it's a big deal that quantum tech might significantly weaken existing public-key ciphers, but it doesn't affect the entire universe of encryption algorithms.
Just to add to mr_roboto’s answer:
I normally refer to the encryption types as symmetric and asymmetric. AES is symmetric (same key used for encryption and decryption). RSA is asymmetric because each key pair is made up of a private key that you keep to yourself, and a public key that you give to others. RSA is what underpins HTTPS/TLS and keeps websites secure, as it’s used to exchange an AES key and validate that the website is who they say they are. There’s a lot more to asymmetric encryption that enables this (digital signatures, for example), but let’s skip that for now.
RSA in particular uses two very large prime numbers as the private key. When you multiply those two primes together, you get another value that is the public key. The public key is only secure so long as someone can’t factor this one very large number and recover the two prime numbers that make it up. Because the public key can only be factored to the two primes, and factoring numbers this large using classical computer algorithms is slow, the public key is considered safe so long as it’s large enough. This is why you need a much larger RSA key than you do for AES, and I remember back in the 90s, 512 to 1024 bits was considered sufficient, but these days those are considered to be at risk and NIST suggests a minimum of 2048 bits. So as computing power has increased, so has the size of the prime numbers you need to use to keep the public key unfactorable.
Shor’s algorithm is a fast way to factor large numbers, so long as you have a suitable quantum computer. But if someone found a sufficiently fast classical method to factor these numbers, RSA is still in trouble.
RSA is a rather old algorithm, dating back to the late 70s. It is effectively the last cipher from that era still in common usage today, and considering how many ciphers from that era have fallen, I’m a bit surprised it has lasted this long.
You can't rely on TRIM deleting the data to prevent recovery. The only way to be entirely sure is to erase all copies of encryption key or to physically destroy the SSD.
Apple actually used to offer a "secure delete" trash option, but removed it because of security issues that they can't truly guarantee a file is unrecoverable when deleting from SSDs. Even if they forced the storage controller to delete the block, it's not a guarantee that the data is not recoverable.
For those unfamiliar, double the key size is because of Grover's algorithm, which is a quantum search algorithm that's the best (publicly) known algorithm to attack AES. Besides, AES-128 is likely safe enough to withstand quantum computers as well.