Running command fdesetup usingrecoverykey returns true after changing the FileVault2 recovery key.

Originator:jckwhet
Number:rdar://FB7800416 Date Originated:6-26-20
Status:open Resolved:
Product:macOS Product Version:10.15,11.0
Classification: Reproducible:yes
 
Description:
After unlocking a machine on 10.15+ using the personal recovery key, running the command ``sudo fdesetup usingrecoverykey `` will show ``true``. But after changing the recovery key and not rebooting running the same command will still return ``true`` even though the machine is no longer unlocked using the recovery key. On previous macOS versions that supported running ``sudo fdesetup usingrecoverykey`` after changing the recovery key it would return ``false``. The current behavior breaks any automation workflow that wants to rotate the recovery key after using it unlock the drive, as it will continue to return unreliable information.

Reproduction Steps:
 - Enable FileVault on a machine running 10.15 or 11.0 with the Personal Recovery option, through System Preferences is fine, take note of the recovery key. 
 - Shutdown the machine.  
 - Type password wrong 3 times
 - Select option that appears to use recovery key
 - Use the recovery key to unlock the machine
 - Change the password, and arrive at the desktop
 - Open terminal.app and run ``sudo fdesetup usingrecoverykey``, it should return ``true``
 - Now change the recovery key using the following command ``sudo fdesetup changerecovery
-personal`` and follow the prompts entering your username and password 
- You should be presented with a new recovery.
- Now that you’ve changed the recovery key run ``sudo fdesetup usingrecoverykey`` again. It should still return ``true`` when in fact it should now return ``false`` This is new behavior from previous versions of macOS that would return false after changing the key.

Expected Behavior:

After rotation of the FileVault recovery key the command ``sudo fdesetup usingrecoverykey`` should return ``false``

Actual Behavior:
The above command still returns true, even though the disk is no longer unlocked using the old recovery key.

Impact Numbers:
  This behavior affects the 8000 machines we currently run automation on, and tens of thousands of other machines at various companies that try the same automation.

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!