Filevault individual recovery key usage not reflected permanently on filesystem

Originator: arubdesu
Number: rdar://28034006
Date Originated: 26-Aug-2016 02:48 PM
Status: Open
Resolved:
Product: OS X
Product Version: All
Classification: Security
Reproducible: Always

Summary:
Many organizations use individual recovery key escrow to manage administrative access to the computers they own, allowing as few users as absolutely necessary to unlock the disk for regular use. Because an escrowed key must be presented to an end user (in case they forget a password) or to an admin in a reliable way, the key should be rotated immediately after it has been used. Currently there is only one known way to detect that a key was used, running 'fdesetup usingrecoverykey', and its result is not persisted anywhere on the filesystem.

Steps to Reproduce:
1. Unlock a FileVault-encrypted drive at the pre-boot EFI screen with a personal/individual recovery key.
2. Open Terminal and run 'fdesetup usingrecoverykey', which will return 'true'.
3. Restart the computer.

Expected Results:
Somewhere on the filesystem, a key to the effect of 'personal recovery key used' would be set to a boolean value of true, or 'fdesetup usingrecoverykey' would continue to return 'true'.

Actual Results:
'fdesetup usingrecoverykey' returns false, and there is no documented place on the filesystem that reflects that the key was used.
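Until the system records this itself, a fleet can persist the result on its own. The following is an added example, not Apple's or the reporter's code: a small sh helper meant to run as root at each boot or login (for instance from a LaunchDaemon, which is an assumption) that appends a timestamped marker whenever 'fdesetup usingrecoverykey' reports true, so the escrow tooling can see that a rotation is due even after the reboot in step 3. The marker path is an assumption; pick one your tooling owns.

```shell
#!/bin/sh
# Added example (not from the radar). Assumes it runs as root on macOS and
# that `fdesetup usingrecoverykey` prints "true" or "false".
MARKER_DEFAULT="/var/db/.prk_used"   # assumed path; choose your own

# usage: record_recovery_key_use [marker_path]
# Writes a timestamped line to the marker and returns 0 when fdesetup reports
# that the personal recovery key unlocked the volume this boot; returns 1 when
# it did not (or when fdesetup is unavailable), leaving the marker untouched.
record_recovery_key_use() {
    marker="${1:-$MARKER_DEFAULT}"
    if [ "$(fdesetup usingrecoverykey 2>/dev/null)" = "true" ]; then
        # Append rather than overwrite so every use before rotation stays visible.
        printf '%s personal recovery key used\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$marker"
        return 0
    fi
    return 1
}

# usage: needs_rotation [marker_path]
# Returns 0 when a non-empty marker exists, i.e. the key should be rotated
# (e.g. with `fdesetup changerecovery -personal`) and the marker cleared.
needs_rotation() {
    [ -s "${1:-$MARKER_DEFAULT}" ]
}

# Typical invocation from the boot-time job:
#   record_recovery_key_use && logger -t prk-audit "recovery key used; rotate it"
```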

Regression:
All OSes that support FileVault, including macOS 10.12 Sierra developer preview 7.

Notes:
Affected install count: hundreds at Montefiore Medical Group, thousands at Einstein College of Medicine
