`fdesetup list` is reporting personal recovery keys as enabled users on 10.13 Beta 4 build 17A315i
Originator: rtrouton
Number: rdar://33610347
Date Originated: 29-Jul-2017 09:25 PM
Status: Open
Resolved:
Product: macOS + SDK
Product Version: 10.13 Beta 4 (17A315i)
Classification: Security
Reproducible: Always
Summary:

When testing APFS encryption, I noticed that running the following command with root privileges reported both the single FileVault-enabled user and a second enabled user listed as `(null)`.

```
fdesetup list
```

Steps to Reproduce:

1. Install macOS 10.14 Beta 4, build 17A315i
2. Convert boot drive to Apple File System (APFS) as part of OS installation
3. Turn on encryption on APFS boot drive and enable one user
4. Run the following command with root privileges to check the list of enabled users:

```
fdesetup list
```

Expected Results:

I expected to see the following output:

```
computername:~ username$ sudo fdesetup list
username,8B2A80E9-4223-4123-9178-32B43A69A46E
computername:~ username$
```

Actual Results:

I saw the following output:

```
computername:~ username$ sudo fdesetup list
username,8B2A80E9-4223-4123-9178-32B43A69A46E
(null),EBC6C064-0000-11AA-AA11-00306543ECAC
computername:~ username$
```

Version:

10.13 Beta 4 (17A315i)

Notes:

When I checked the list of enabled users using a different method, I saw that an entry with the same UUID (EBC6C064-0000-11AA-AA11-00306543ECAC) was listed as `Personal Recovery` (see attached screenshot).

```
computername:~ username$ sudo fdesetup list
username,8B2A80E9-4223-4123-9178-32B43A69A46E
(null),EBC6C064-0000-11AA-AA11-00306543ECAC
computername:~ username$ diskutil apfs listCryptoUsers disk1s1
Cryptographic users (2 found)
|
+-- 8B2A80E9-4223-4123-9178-32B43A69A46E
|   Type: Local Open Directory
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery
computername:~ username$
```
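One way to cross-check the two listings from the report, so that a recovery-key entry is not counted as an enabled account during an audit. This is an added example, not part of the original report: the function names are hypothetical and the sample text is constructed from the output quoted above. On a live system the two arguments would be the output of `sudo fdesetup list` and `diskutil apfs listCryptoUsers disk1s1`.

```shell
#!/bin/sh
# Constructed sample input, taken from the two outputs quoted in the report.
FDESETUP_OUT='username,8B2A80E9-4223-4123-9178-32B43A69A46E
(null),EBC6C064-0000-11AA-AA11-00306543ECAC'

DISKUTIL_OUT='Cryptographic users (2 found)
|
+-- 8B2A80E9-4223-4123-9178-32B43A69A46E
|   Type: Local Open Directory
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery'

# crypto_user_types (hypothetical helper): turn the listCryptoUsers tree
# into "UUID<TAB>Type" lines, one per cryptographic user.
crypto_user_types() {
    printf '%s\n' "$1" | awk '
        $1 == "+--" { uuid = $2 }    # tree node line carries the UUID
        /Type: /    { sub(/^.*Type: */, ""); print uuid "\t" $0 }'
}

# classify_fde_users (hypothetical helper): annotate every fdesetup entry
# with its crypto-user type. Output lines: name,UUID,type
# ("unknown" when diskutil lists no matching UUID).
classify_fde_users() {
    types=$(crypto_user_types "$2")
    printf '%s\n' "$1" | while IFS=, read -r name uuid; do
        [ -n "$uuid" ] || continue   # skip blank or malformed lines
        kind=$(printf '%s\n' "$types" |
            awk -F'\t' -v u="$uuid" '$1 == u { print $2 }')
        printf '%s,%s,%s\n' "$name" "$uuid" "${kind:-unknown}"
    done
}

# enabled_accounts (hypothetical helper): names of entries that map to a
# known, non-recovery crypto user. Recovery keys and unmatched UUIDs are
# left out here but remain visible in classify_fde_users for review.
enabled_accounts() {
    classify_fde_users "$1" "$2" |
        awk -F, '$3 !~ /Recovery/ && $3 != "unknown" { print $1 }'
}

classify_fde_users "$FDESETUP_OUT" "$DISKUTIL_OUT"
```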