fdesetup changerecovery deletes recovery keys (10.13.1/17B46a)

Originator:brunerd
Number:rdar://35258997 Date Originated:10/30/2017
Status:Dupe/Closed Resolved:
Product:macOS + SDK Product Version:10.13.1/17B46a
Classification:Security Reproducible:Always
 
Area:
Terminal

Summary:
fdesetup will delete the FileVault 2 Recovery Key on a "changerecovery -personal" operation if given A) an incorrect password or B) the valid password of a user who is not the current console user.
This is a security bug that results in data loss.

Steps to Reproduce:
Install 10.13, update to beta 5 (occurs in betas 1-4 also)
Enable Filevault via Security Preference pane, note the recovery key
Allow encryption to finish
Add another user via Users and Groups preference pane
Open Terminal
Run: fdesetup list
Note there should be 3 entries: the two users and (null) the recovery key entry
Run "fdesetup changerecovery -personal"
Supply either:
A) an incorrect password
B) the 2nd user created who is not the current console user
Run: fdesetup list
Note (null) is not there
Run: fdesetup validaterecovery
Enter recovery key given at encryption, it returns false, the recovery key has been deleted
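
Added here as a defender's check, not part of the original radar: a POSIX sh wrapper around the procedure above that confirms the "(null)" recovery-key entry from "fdesetup list" is present before the change and raises an alert if it is gone afterwards, so an administrator notices the deletion immediately and can set a new key with the console user's password. The list format ("name,UUID" per line) and the "(null)" label follow the steps above; the sample output, the guarded_changerecovery function and the assumption that it runs as root on macOS are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original radar: a guard around
# "fdesetup changerecovery -personal" that confirms a personal recovery key
# entry exists before the change and raises an alert if it has vanished
# afterwards. The list format assumed here ("name,UUID" per line, with the
# recovery key shown under the name "(null)") follows the report above.

# Constructed sample of "fdesetup list" output before the bug triggers:
# two users plus the "(null)" recovery-key entry.
SAMPLE_BEFORE='admin,00000000-0000-0000-0000-000000000001
seconduser,00000000-0000-0000-0000-000000000002
(null),00000000-0000-0000-0000-000000000003'

# Constructed sample after a failed changerecovery: the "(null)" entry is gone.
SAMPLE_AFTER='admin,00000000-0000-0000-0000-000000000001
seconduser,00000000-0000-0000-0000-000000000002'

# has_recovery_entry LIST_TEXT: exit 0 if a "(null)" recovery entry is listed.
has_recovery_entry() {
    printf '%s\n' "$1" | grep -q '^(null),'
}

# count_entries LIST_TEXT: print the number of non-empty lines (users + key).
count_entries() {
    printf '%s\n' "$1" | grep -c '.'
}

# guarded_changerecovery LIST_CMD CHANGE_CMD
#   LIST_CMD   prints fdesetup-list style output (e.g. "fdesetup list")
#   CHANGE_CMD performs the change (e.g. "fdesetup changerecovery -personal")
# Returns 2 if no recovery entry exists beforehand (nothing to rotate),
# 3 if the entry disappeared during the change (the data-loss case reported
# above), otherwise the exit status of CHANGE_CMD.
guarded_changerecovery() {
    list_cmd=$1
    change_cmd=$2
    before=$($list_cmd)
    if ! has_recovery_entry "$before"; then
        echo "refusing: no personal recovery key entry present" >&2
        return 2
    fi
    rc=0
    $change_cmd || rc=$?
    after=$($list_cmd)
    if ! has_recovery_entry "$after"; then
        echo "ALERT: recovery key entry removed (change exited $rc); set a new key now" >&2
        return 3
    fi
    return "$rc"
}

# Real use on macOS, as root (assumed):
#   guarded_changerecovery "fdesetup list" "fdesetup changerecovery -personal"
```

The wrapper cannot stop fdesetup from discarding the key when a wrong password is typed; its value is that the post-change check turns a silent deletion into a non-zero exit and a visible alert, which is what an admin running this in a deployment script needs in order to react before the machine is left with no recovery key.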

Expected Results:
When running "fdesetup changerecovery -personal"
A) An incorrect password should simply error out with "Error: Unable to unlock FileVault." and exit with exit status 11
B) Given ANY valid FileVault 2 password, generate a new key

Actual Results:
In both cases
A) incorrect password given and
B) password of non-console user given

"Error: Unable to change key", with exit status 136
!!! Recovery key is deleted !!!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Version/Build:
10.13.1/17B46a (beta5)

Configuration:
Tested on APFS not converted from JHFS+
10.13 installed via createinstallmedia to non-encrypted APFS container
Drive was not converted. APFS drive created using 10.13 Disk Utility

Notes/Regression:
The behavior did not occur in 10.7, 10.8, 10.9, 10.10, 10.11 or 10.12. The regression is new to 10.13. It is also counter to the advice given in the man page of fdesetup(8): "It is not recommended that you remove all recovery keys since, if you lose your FileVault password, you may not be able to access your information." This is precisely what this behavior is doing. The typo "volune" also appears in the man page.
