FileVault Login Screen of cloned APFS volume only shows main user and misses all other users from original volume

Originator: p.org
Number: rdar://FB9020394
Date Originated: 2021-02-26
Status: Open
Resolved:
Product: Filesystem
Product Version: macOS 11.2.1
Classification: Incorrect/Unexpected Behavior
Reproducible: Yes
 
SETUP: macOS 11.2.1 Big Sur
I)  Productive internal SSD "mac", APFS, FileVault off.
II) Backup external HDD "mac-bk-hdd", APFS, FileVault on.

HOW DID I CREATE "mac-bk-hdd":
a) Clean erase with Disk Utility, then initial Carbon Copy Cloner (CCC) full clone.
b) Boot into "mac-bk-hdd" as main user "sn", activated FileVault in SysPreferences. Initial encryption started. Suspicion: Frontend triggers backend `fdesetup -user user1` and `-usertoadd user2 user3 …` is omitted for some reason.
c) Boot back to "mac". Externally attached "mac-bk-hdd". It continued to encrypt in the background until done.

PROBLEM / BUG:
- Booting into clone "mac-bk-hdd" via Startup Manager (ALT key held down during startup)
- FileVault login screen only shows main user "sn". All other users are missing!

OBSERVATIONS:
- Decryption login works ok for main user "sn" and also with personal recovery key.
- The users which are missing on the FileVault login screen got fully cloned (home directory, Open Directory entry) and can log in/log out normally once FileVault is unlocked. But they lack a corresponding FileVault key, as `fdesetup list -extended` shows.
- Manually adding FileVault users with e.g. `fdesetup add -usertoadd user2` fails with:
Error: Unable to add one or more users to FileVault. (-69594)

EXPECTED:
- Ideally, when cloning, cloned users should get a FileVault key created on the destination volume too. Ideally automatically, or at the latest when they log in, with a dialog if credentials need to be asked for to generate a fresh key.
- And at least manually adding with `fdesetup add -usertoadd` should work.
- Mike Bombich and I had an exchange. He recommended that I file a feedback.
-- The problem is maybe not a bug, but a new intended behavior.
-- If -usertoadd indeed does not function anymore, then it should be removed in function and from the man page.
-- Or if -usertoadd is forbidden only for users of cloned volumes (does the system know?), then give at least a more descriptive error message. Of course I would regret that, because it means you can no longer get bootable clones with FileVault on them!


ALL MY FIX ATTEMPTS FAILED: TL;DR:

0  My first more naive fix attempts with `diskutil updatePreboot` and "Recovery > Disk Utility First Aid" led to nothing.
1  Ran CCC sync again from internal SSD "mac" -> "mac-bk-hdd" to be sure "everything carried over".
2  Booted into "mac-bk-hdd".
2a Users "gn" and "ln" again did not get a FileVault key and do not appear in the FileVault login screen.
2b Manually logging them in and out changed nothing. Suspicion "deferred key creation" ruled out too.
2c `fdesetup add -usertoadd` fails with: Error: Unable to add one or more users to FileVault. (-69594)
2d While booted on clone, freshly created users "bs1-bs3" get FileVault key and appear in login screen. All fine!
3  Booted back into internal SSD "mac".
3a Created fresh user "bs4". Gets FileVault key/ID even though FileVault is off on "mac". Normal behavior.
3b CCC sync again
4  Booted into clone "mac-bk-hdd".
4a User "bs4" from "mac" gets a home directory on "mac-bk-hdd" but again no FileVault key. Users bs1-bs3, which were only present on the clone and hence got deleted by the sync, leave orphaned FileVault keys behind. Bit of a security concern.
4b `sudo fdesetup showdeferralinfo` -> Not found. # No users queued for key creation. Cannot be the cause.
4c `fdesetup add -usertoadd bs4` fails again with Error (-69594).


IN DETAIL:

0) Ran "diskutil updatePreboot" and "Recovery > Disk Utility First Aid" on "mac-bk-hdd"
Both ran successfully. Nothing changed.

1b) FileVault status on "mac":
➜ ~ sudo fdesetup status
FileVault is Off.
➜ ~ sudo fdesetup list -extended
UUID                                                      TYPE USER
F9████████████████████████████████B6                   OS User gn
44████████████████████████████████14                   OS User sn
34████████████████████████████████25                   OS User ln

1c) CCC: syncing "mac" -> "mac-bk-hdd"
Hoped that with this new sync any missed data from the first sync may carry over now.

2) Booted into clone "mac-bk-hdd"
XProtectService & syspolicyd run for approx. 90-120 min together.
- Clearly HDD I/O is the bottleneck; the CPU is under-challenged.
- This happens after each boot after having clone-synced!
- Until then the system is de facto blocked.
- Then Spotlight for 5 min, but this at least does not block the system.
- In older macOS versions the only extra time cost was kernel cache renewal and Spotlight; after 7-8 min at the latest you were up and running in your clone.
- Also System Preferences > Security & Privacy > Privacy: Most permissions are forgotten and need to be granted again!
- The idea of a clone, to me, is to have the same configuration without much waiting and effort.
- To simply check "Did my clone work?" this is way too long!
- Could CCC copy over the "trust information" of XProtectService & syspolicyd to avoid the big wait for stuff that was anyhow already checked as safe?
-- Bombich says you at Apple have your reasons for this. It will stay that way most likely. Does it?

2a) ➜ ~ sudo fdesetup list -extended
UUID                                                      TYPE USER
44████████████████████████████████14                   OS User sn
EB████████████████████████████████AC  Personal Recovery Record
Users "gn" and "ln" got no corresponding FileVault key!

2b) Logging in user "ln", which was freshly created on the original. Ran through the "first use wizard".
Logging in user "gn", normal login.
In both users on logout there was no info/prompt like "Setting up your FileVault keys now".
➜ ~ sudo fdesetup showdeferralinfo
Not found.
Deferred FileVault key creation cannot be the problem.
Will try to add users manually.

2c) ➜ ~ sudo fdesetup add -usertoadd gn
Enter the user name:gn
# Offtopic, but bad UX: Why ask username again if already supplied via argument?
Enter the password for user 'gn':
Enter the password for the added user 'gn':
Error: Unable to add one or more users to FileVault. (-69594)

Tried it twice with "gn". Then also with "ln". Failed all times.
On purpose entered wrong PW, then failed with another error:
OD user 'gn' could not be authenticated.
So there's something indeed wrong here!

2d) Creating new users "bs1", "bs2" and "bs3" via System Preferences > Users & Groups
Checking whether they got FileVault keys automatically:

➜ ~ sudo fdesetup list -extended
UUID                                                     TYPE USER
44████████████████████████████████14                   OS User sn
EB████████████████████████████████AC  Personal Recovery Record
A6████████████████████████████████94               OS User bs1
44████████████████████████████████92               OS User bs2
68████████████████████████████████1F               OS User bs3

All bs* users were immediately added as FileVault users.
Rebooting. All bs* users are shown on FileVault login screen too.
Authenticating them works too. All fine!

3) Booting back into internal SSD "mac".

3a) Creating new user "bs4" in "mac". Logging in as bs4. Running first use wizard.
Got added as FileVault user automatically, as can be seen here:
➜ ~ sudo fdesetup list -extended 
UUID                                                      TYPE USER
0E████████████████████████████████F5                   OS User bs4

3b) Now let's see whether user "bs4" gets synced over and gets a FileVault key and whether "bs1-3" get erased and optimally get their FileVault key destroyed too.

CCC: syncing "mac" -> "mac-bk-hdd"
7850 files, total 16.17 GB.
Quite a lot, as I changed mostly nothing besides the new user "bs4".
A lot goes on in a system during 1 h of idle use. Nevertheless, suspiciously much data.

4) Booting into "mac-bk-hdd".

XProtectService and syspolicyd again ran for 90-120min leaving the system more/less blocked.

4a) ➜ ~ sudo fdesetup list
UUID                                                      TYPE USER
44████████████████████████████████14                OS User sn # My main user
EB████████████████████████████████AC  Personal Recovery Record # Created during FileVault activation
A6████████████████████████████████94              Unknown User # By UID this is user bs1.
44████████████████████████████████92              Unknown User # By UID this is user bs2.
68████████████████████████████████1F              Unknown User # By UID this is user bs3.

# Users bs1-bs3 only existed on the clone "mac-bk-hdd".
# The next CCC sync:
## Deleted the bs1-3 users. Their FileVault keys remained "orphaned", hence "Unknown User".
## Either CCC or Apple should have a mechanism to remove those!
## Because at least in theory those users were deleted for a reason, but could potentially still gain access to the backup later.

4b) sudo fdesetup showdeferralinfo -> Not found. # No users enqueued for key creation. Cannot be the cause.

4c) `fdesetup add -usertoadd bs4` fails again with same error:
➜ ~ sudo fdesetup add -usertoadd bs4
Enter the user name:bs4
Enter the password for user 'bs4':
Enter the password for the added user 'bs4':
Error: Unable to add one or more users to FileVault. (-69594)
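The two findings above (step 2a: local users without a FileVault record; step 4a: "Unknown User" records left behind for deleted users) can be spotted with one cross-check of `fdesetup list -extended` against the local user list. The script below is an added example and is not part of the original report or of CCC/macOS. On a real Mac the two inputs would be the output of `sudo fdesetup list -extended` and `dscl . -list /Users UniqueID`; here both are replaced by constructed sample text (invented UUIDs, the user names from the report) so it runs offline. The `sudo fdesetup remove -uuid` cleanup commands are only printed, never executed.

```shell
#!/bin/sh
# Added example, not part of the original report: audit a FileVault-enabled
# volume for (a) local users that have no FileVault record and (b) FileVault
# records that no longer map to a local user ("Unknown User" leftovers).
# On a real Mac the two inputs would come from
#   sudo fdesetup list -extended
#   dscl . -list /Users UniqueID
# Both are replaced here by constructed sample text so the script runs offline.

# Constructed sample modelled on the `fdesetup list -extended` output of step 4a
# (UUIDs are invented; the report shows them redacted).
SAMPLE_FDE='UUID                                  TYPE USER
44000000-0000-0000-0000-000000000014  OS User sn
EB000000-0000-0000-0000-0000000000AC  Personal Recovery Record
A6000000-0000-0000-0000-000000000094  Unknown User
44000000-0000-0000-0000-000000000092  Unknown User
68000000-0000-0000-0000-00000000001F  Unknown User'

# Constructed sample modelled on `dscl . -list /Users UniqueID` (name, UID).
# Accounts below UID 500 are system accounts and are ignored.
SAMPLE_USERS='_spotlight 89
nobody -2
root 0
sn 501
gn 502
ln 503
bs4 504'

# fv_audit FDE_OUTPUT DSCL_OUTPUT
# Prints one line per finding:
#   MISSING_FV_KEY <user>     local user (UID >= 500) with no "OS User" record
#   ORPHANED_RECORD <uuid>    "Unknown User" record, i.e. the key of a deleted user
fv_audit() {
    fde="$1"
    users="$2"

    # Real local accounts: UID 500 and above.
    locals=$(printf '%s\n' "$users" | awk '$2 + 0 >= 500 { print $1 }')

    # Users that currently hold a FileVault record.
    fv_users=$(printf '%s\n' "$fde" | awk '$2 == "OS" && $3 == "User" { print $4 }')

    for u in $locals; do
        if ! printf '%s\n' "$fv_users" | grep -qx "$u"; then
            printf 'MISSING_FV_KEY %s\n' "$u"
        fi
    done

    # Records whose owner cannot be resolved any more.
    printf '%s\n' "$fde" | awk '$2 == "Unknown" && $3 == "User" { print "ORPHANED_RECORD", $1 }'
}

# fv_cleanup_commands FDE_OUTPUT DSCL_OUTPUT
# Prints (does not run) the fdesetup command that removes each orphaned record.
# Confirm the UUID really belongs to a deleted user before running it.
fv_cleanup_commands() {
    fv_audit "$1" "$2" | awk '$1 == "ORPHANED_RECORD" { print "sudo fdesetup remove -uuid " $2 }'
}

fv_audit "$SAMPLE_FDE" "$SAMPLE_USERS"
fv_cleanup_commands "$SAMPLE_FDE" "$SAMPLE_USERS"
```

On the clone from step 4a this reports gn, ln and bs4 as missing a FileVault key and lists the three bs1-bs3 leftovers as orphaned records; after a sync that deletes users, running the audit and the printed `fdesetup remove -uuid` lines closes the "deleted user can still unlock the backup" gap the report points out.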
