Why is macOS update creating a new file vault recovery key?

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?

MacBook Pro 16″, macOS 14.4

Posted on Mar 25, 2024 2:55 PM

Question marked as Top-ranking reply

Posted on Mar 27, 2024 5:21 AM

What I just found out is that while I got two panels (after two logins with an account without iCloud) warning me that the recovery key had changed, it actually hadn't!


I tried "sudo fdesetup validaterecovery" on both new ones and the original one, and the 'new' ones returned false while the original one returned true (phew!)


So, definitely a bug?

48 replies

Apr 6, 2024 10:35 AM in response to Chattanoogan

During the 3 month life of my MacBook, I have had 3 File Vault recovery keys.

I did not opt for an association with the Apple ID.


2 recent updates gave me a new recovery key.

The first time I received a new one, I overwrote the original; I didn't think to keep the 'old' one.

The second time I received a new one, I did keep the previous.


For both of my new keys I ran:

fdesetup validaterecovery

Both were false, they were not valid keys. I don't have the original to check if that was valid.


When I learned they were invalid, I turned off, and back on, the file vault to get a new key.


This time fdesetup validaterecovery was true. The latest key is valid.

May 16, 2024 1:11 PM in response to evoolb

There is imperfect/brittle logic in play. E.g. if the admin account doesn't have an active iCloud login it tries to create and use a new recovery code. Creation of the random code succeeds; actually applying it doesn't. There are many factors that can play a role here, including caches (e.g. an iCloud login that is imperfectly synced; we know this sometimes happens, as we are sometimes told that signing out and in again fixes something). Basically it does suggest sloppy code. And that it happened on one system and not another is easily possible with sloppy code and brittle logic. Trying to find a clear cause or trigger is, I guess, unlikely here.

Mar 28, 2024 7:32 AM in response to sxbsxb

I have an M2 MacBook Air, and also got this weird 'new recovery key' screen in the last two updates.

I meticulously copied the recovery key both times because the screen does not let you save or copy it.


I cannot remember ever having set up a recovery key when I first set up my MacBook. There are 2 options when you turn on FileVault: set a recovery key or use iCloud. Maybe I chose the iCloud option, which would explain why I don't have a record of a recovery key. I would have written that down, 100%.


Testing both 'new' recovery keys with:


sudo fdesetup validaterecovery


got me 'false' for both, even more confusing, while:


fdesetup status


said filevault is still on.


Not being able to tell what the current situation is, and if I could recover in an emergency, I decided to turn FileVault off and on.

This takes literally seconds, not hours or days, on an M2 mac.

It then gives the 2 options again: recovery key or iCloud. I then chose iCloud because this whole recovery key mess makes me nervous.


My theory now is this: after the macOS update you first get a login screen for iCloud/Apple ID. If you skip that (because you have a complicated password and no way of pasting it), the 'new' recovery keys are made.

If you chose the iCloud option for FileVault before, the recovery keys are non-functional and return false when validating. I'm not sure, but this fits best with my situation.

To be tested in a next update: take the effort of using the iCloud login screen, and see if the 'new' recovery keys window then appears.


Another weird thing is that while I skipped the login screen after the update, I was still logged into iCloud.


I hope Apple fixes this mess.



Apr 7, 2024 11:15 AM in response to Chattanoogan

Just to summarize my experience.


  1. Updating to Sonoma 14.4 and to Sonoma 14.4.1, after declining to login to iCloud, produced a new file vault key which I wrote down both times.
  2. Both of the new keys were not valid.
  3. I turned off File Vault, waited overnight, reenabled File Vault and got a new local key, opting out of the iCloud option.
  4. The new key was validated by fdesetup.
  5. After reading about how my /data files were encrypted automatically on my new M3 MacBook regardless of whether I turn the File Vault on, I was reassured. The decrypting and the encrypting of the tiny amount of data controlled by File Vault on an M3 chip only took a few seconds, as expected. I know this would not be the case with an older Intel-based Mac.

May 16, 2024 3:45 PM in response to evoolb

evoolb wrote:

I am concerned that if someone or a software can change the valid recovery key for my main SSD without my approval, it could also allow unauthorized access to my "encrypted" SSD.

You approved it when you applied the upgrade. The upgrade process has full rights to rebuild the entire hard drive, including changing the recovery key.


My guess is that too many people are contacting Apple support when they get locked out of their computer. Apple support asks them to use their recovery key and everyone asks, "what's that?". So now Apple is putting the recovery key front and centre and making people deal with, and by extension, be aware of it.


There's nothing that triggers a vendor to take action like a support problem.

Mar 25, 2024 3:42 PM in response to sxbsxb

sxbsxb wrote:

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?


Does that mean you were given a new key...?

Verify FileVault status from Terminal.app copy and paste:

fdesetup status


Verify whether the FileVault Recovery Key is current; copy and paste:

sudo fdesetup validaterecovery


“Enter the current recovery key:” type or paste in your Recovery Key and press the Enter/Return key to continue

(note: your key will not echo on screen; type it in anyway and use the Enter/Return key to proceed.)


You will see:

True if the Recovery Key is the current key;

False if not.



You can turn off FileVault from System Settings...




you can read more—

If you encrypted your Mac’s boot disk with FileVault 2 —this prevents you from using your Apple ID to reset your password

(since the password is used in FileVault’s encryption). Read this Apple support document for more information about FileVault. ref: Protect data on your Mac with FileVault - Apple Support


macOS utilizes the macOS admin user account password for unlocking FileVault.

more on FileVault 2— see HWTech

enter a password to unlock the disk”macin… - Apple Community


Mar 26, 2024 9:45 PM in response to sxbsxb

This has happened to me too. Reading the reddit threads there was a convincing argument to “Erase all content and settings” and start again. Being on a new machine this wasn't much of a problem, so I've done this and set up FileVault again.


Would love an explanation from Apple? Seems like a huge problem to have new keys generated or at least the appearance of new keys generated because of an update.

May 9, 2024 10:07 AM in response to Chattanoogan

Yes, I entered the recovery key exactly as it appeared in the unexpected message from Apple but received a 'false' response. Consequently, I decided to generate a new recovery key myself. I turned off FileVault, then turned it back on, and obtained a new recovery key. This time, when I executed the command sudo fdesetup validaterecovery <new recovery key>, the response was 'true'. Since then, my MacBook Pro M3 has been functioning as expected, so I believe it's time to close the book on this issue and move on.

May 14, 2024 2:41 PM in response to sxbsxb

I just upgraded to Sonoma 14.5 and the same thing happened.


  • After the upgrade it asked me to sign in to iCloud. I skipped that.
  • It then told me that it created a new file vault recovery key. I wrote it down.
  • I tested the new key with sudo fdesetup validaterecovery and the new key was bogus. (I'll also complain that it is impossible to tell the difference between an uppercase O and a zero 0 in the Font they use for the message, so I tried it twice, once with O and once with 0.)
  • When I got done with the upgrade, I was still logged into iCloud from before the upgrade as far as I can tell and so the sign in request seems to be bogus as well.


Since I have a MacBook Pro with the M3 chip, the file vault is really not important as several people have mentioned, so it's not something for me to worry about. Still, I hate the bogus messages.
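The Mar 25 reply above walks through checking `fdesetup status` and `sudo fdesetup validaterecovery` by hand, and the May 14 post notes that the dialog's font makes an uppercase O and a zero indistinguishable, so the key has to be tried more than once. The script below, an added example that is not from any poster on this thread, automates exactly that: it normalises a hand-copied key, enumerates every spelling that differs only in confusable glyphs, and asks `fdesetup` which one (if any) is the volume's current recovery key. Assumptions not stated on the page: a recovery key is 24 characters of A-Z/0-9 in six hyphenated groups of four; `fdesetup validaterecovery` reads the key from stdin at its prompt and prints `true` or `false`; `fdesetup status` prints "FileVault is On." when enabled; and the I/1 and S/5 pairs are added to the O/0 pair the post mentions. The `validate` callable is injectable so the search can be exercised without sudo.

```python
"""Find which transcription of a FileVault recovery key fdesetup accepts."""
import itertools
import re
import subprocess
from typing import Callable, Optional

# Assumption: a recovery key is 24 characters from A-Z/0-9, shown as six
# hyphen-separated groups of four (e.g. ABCD-EFGH-IJKL-MNOP-QRST-UVWX).
GROUP_LEN = 4
KEY_RE = re.compile(r"^[A-Z0-9]{24}$")

# Glyph pairs easy to confuse when copying the key by hand from the dialog.
# O/0 is the pair the thread mentions; I/1 and S/5 are added as assumptions.
CONFUSABLE = {"O": "0", "0": "O", "I": "1", "1": "I", "S": "5", "5": "S"}


def normalize(raw: str) -> str:
    """Upper-case a hand-copied key and drop spaces and hyphens."""
    key = re.sub(r"[\s-]", "", raw).upper()
    if not KEY_RE.match(key):
        raise ValueError(f"not a 24-character A-Z/0-9 key: {raw!r}")
    return key


def pretty(key: str) -> str:
    """Re-insert the hyphens that fdesetup and the dialog use."""
    return "-".join(key[i:i + GROUP_LEN] for i in range(0, len(key), GROUP_LEN))


def variants(key: str, max_variants: int = 256) -> list[str]:
    """All keys reachable by swapping confusable glyphs at any subset of positions.

    The unmodified key comes first and candidates with fewer swaps are tried
    before those with more. n ambiguous positions give 2**n variants, so the
    count is capped to keep the number of sudo prompts bounded.
    """
    slots = [i for i, c in enumerate(key) if c in CONFUSABLE]
    if 2 ** len(slots) > max_variants:
        raise ValueError(f"{len(slots)} ambiguous positions is too many to try")
    out = []
    for flips in itertools.product((False, True), repeat=len(slots)):
        chars = list(key)
        for i, flip in zip(slots, flips):
            if flip:
                chars[i] = CONFUSABLE[chars[i]]
        out.append("".join(chars))
    out.sort(key=lambda v: sum(a != b for a, b in zip(v, key)))  # stable sort
    return out


def fdesetup_validate(key: str) -> bool:
    """Ask fdesetup whether `key` (unhyphenated) is the current recovery key.

    Assumption: `sudo fdesetup validaterecovery` reads the key from stdin at
    its "Enter the current recovery key:" prompt and prints true or false.
    """
    proc = subprocess.run(
        ["sudo", "fdesetup", "validaterecovery"],
        input=pretty(key) + "\n", capture_output=True, text=True, check=False,
    )
    return proc.stdout.strip().lower() == "true"


def filevault_is_on() -> bool:
    """Assumption: `fdesetup status` prints "FileVault is On." when enabled."""
    proc = subprocess.run(["fdesetup", "status"], capture_output=True, text=True, check=False)
    return "FileVault is On" in proc.stdout


def find_valid_transcription(
    raw: str, validate: Callable[[str], bool] = fdesetup_validate
) -> Optional[str]:
    """Return the hyphenated spelling of `raw` that validates, or None."""
    for candidate in variants(normalize(raw)):
        if validate(candidate):
            return pretty(candidate)
    return None


if __name__ == "__main__":
    import sys

    raw = sys.argv[1] if len(sys.argv) > 1 else input("Recovery key as written down: ")
    print("FileVault on:", filevault_is_on())
    match = find_valid_transcription(raw)
    if match:
        print("current recovery key:", match)
    else:
        print("no spelling of that key is the current recovery key")
```

Run it as `python3 fvkey.py ABCD-EFGH-...` on the Mac in question; every candidate costs one `sudo fdesetup validaterecovery` call, so sudo's credential cache keeps it to a single password prompt. A key with four ambiguous characters means at most sixteen calls. If nothing validates, the key the dialog showed is not the one the volume actually uses, which is the situation several posters here hit, and the recovery is the same as theirs: turn FileVault off and on again and validate the freshly issued key.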



May 15, 2024 10:58 AM in response to lewismac_

I had the same experience as lewismac_ on my MacBook Pro M3. After updating to macOS 14.5, I received the message, "Your FileVault recovery key has been updated" and the new FileVault Recovery Key was displayed. Unlike the previous update to 14.4.1, this new FileVault Recovery Key is now the valid key, as confirmed with the command: "sudo fdesetup validaterecovery". The previously valid FileVault Key before the 14.5 update is now invalid.

Mar 25, 2024 5:32 PM in response to sxbsxb

sxbsxb wrote:


Or, did I read the documentation correctly that I can turn off File Vault with just my password? And then turn it on later when the disk has been decrypted and turn it on again?

I do want File Vault on -- but I want it working.


I would turn off FileVault while you are able.

After it completed the decryption and you want to continue using FileVault, you can enable it at that time. The process can take some time, let it run...you can use your mac as normal.


At that time I suspect you have the option to receive a new FileVault pass key...

Then verify it is valid so you can proceed with confidence.



Mar 25, 2024 8:31 PM in response to sxbsxb

This happened on my M3 Max MacBook Pro 14 when updating to 14.4.1. First it asked me to sign in to iCloud, which I did not do, and then told me that my FileVault key had been updated.


I don't store any recovery information in iCloud. I proceeded to disable and reenable FileVault in order to get a new recovery key.


Maybe this is due to some sort of firmware update?

Mar 26, 2024 9:56 AM in response to sxbsxb

sxbsxb wrote:

I turned File Vault off. I never noticed a decryption status bar. I left the machine overnight and turned File Vault on this morning. I opted to avoid iCloud and had it generate a new key. When I clicked Continue it said it was calculating how long it would take. Then, within 30 seconds it said it was done. NOT POSSIBLE. I am using 333 GB out of 494 GB capacity.


My less than fully informed understanding of the subject is that this is normal for silicon Macs like yours, which are always encrypted and have been from the get-go. Turning on FileVault provides additional password protection and generates the Recovery Key we’re discussing.


Some of the details can be found here (and I’m sure lots of other places):


https://eclecticlight.co/2023/03/31/why-you-should-enable-filevault/
