Why is macOS update creating a new file vault recovery key?

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?

MacBook Pro 16″, macOS 14.4

Posted on Mar 25, 2024 2:55 PM

Question marked as Top-ranking reply

Posted on Mar 27, 2024 5:21 AM

What I just found out is that while I got two panels (after two logins with an account without iCloud) warning me that the recovery key had changed, it actually hadn't!


I tried "sudo fdesetup validaterecovery" on both new ones and the original one, and the 'new' ones returned false while the original one returned true (phew!)


So, definitely a bug?
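The check above (typing each candidate key at a hidden prompt) is easy to get wrong with a 24-character key. The script below is an added example, not code from the thread or from Apple: it normalises a key as someone might have written it down, rejects anything that cannot be a personal recovery key, and feeds the rest to fdesetup without retyping. It assumes, from the fdesetup man page, that `fdesetup validaterecovery -inputplist` reads a plist on stdin whose RecoveryKey entry holds the key and prints true or false; the FDESETUP variable exists only so the script can be exercised with a stub.

```shell
#!/bin/sh
# Added example (not from the thread): check one or more candidate FileVault
# personal recovery keys against the booted volume without retyping them at a
# hidden prompt.  Run on the Mac itself as root (sudo).  Assumption from the
# fdesetup man page: `fdesetup validaterecovery -inputplist` reads a plist on
# stdin whose RecoveryKey entry holds the key, and prints true or false.

FDESETUP="${FDESETUP:-/usr/bin/fdesetup}"

# Normalise a key as someone may have written it down: uppercase, and any
# run of spaces, smart dashes or other separators becomes a single '-'.
normalize_key() {
    printf '%s' "$1" \
        | tr '[:lower:]' '[:upper:]' \
        | sed -E 's/[^A-Z0-9]+/-/g; s/^-+//; s/-+$//'
}

# A personal recovery key is six groups of four characters from A-Z and 0-9.
key_format_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Ask fdesetup whether the key unlocks the current volume.  Returns 0 if it
# does, 1 if fdesetup says false, 2 if the key cannot even be a recovery key.
# The key is only interpolated into the plist after the format check, so it
# cannot carry XML.
validate_key() {
    _k=$(normalize_key "$1")
    key_format_ok "$_k" || { echo "malformed key: $1" >&2; return 2; }
    _res=$(printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>RecoveryKey</key><string>%s</string></dict></plist>\n' "$_k" \
        | "$FDESETUP" validaterecovery -inputplist 2>/dev/null || true)
    [ "$_res" = "true" ]
}

main() {
    [ "$#" -gt 0 ] || { echo "usage: sudo $0 KEY [KEY ...]" >&2; return 64; }
    _any=1
    for _c in "$@"; do
        if validate_key "$_c"; then echo "VALID   $_c"; _any=0; else echo "invalid $_c"; fi
    done
    return $_any
}

# Only run when keys are given on the command line.
[ "$#" -eq 0 ] || main "$@"
```

Usage: `sudo sh fv-check-keys.sh 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX' 'the key from the 14.4 dialog'`; the exit status is 0 if at least one key validated. The script only tests the personal recovery key; an institutional (certificate-based) key is a different mechanism and is not covered.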

48 replies

Mar 27, 2024 7:29 AM in response to sxbsxb

sxbsxb wrote:

Still puzzled with the bogus keys generated when updating. I am betting it's because Apple developers didn't test without iCloud as most of them would be using it.


The last paragraph of this article and the comments following it (especially those by the article's author) purport to provide context to what's occurring.


https://eclecticlight.co/2024/03/07/apple-has-released-sonoma-14-4-update-and-security-updates-to-ventura-and-monterey/


It doesn't, however, address the serious security issue that's being created for those who unwittingly accept new FileVault Recovery Keys that aren't in fact valid.


Another unresolved issue, of course, is the status of the Recovery Keys generated for those who opt to have their Recovery Keys escrowed to iCloud and who have no way to validate their keys, even if they wanted to do so, since they never see them.

Mar 27, 2024 7:54 AM in response to DEFCON 3

DEFCON 3 wrote:

The last paragraph of this article and the comments following it (especially those by the article's author) purport to provide context to what's occurring.

Don't get your information from social media influencers.

Another unresolved issue, of course, is the status of the Recovery Keys generated for those who opt to have their Recovery Keys escrowed to iCloud and who have no way to validate their keys, even if they wanted to do so, since they never see them.

It is important to remember that the FileVault recovery keys are just that - for last-ditch recovery. Your account password will continue to unlock FileVault. I recommend maintaining an additional Administrator account that you don't screw around with as a fallback.


I've been using FileVault for many years and I've never needed to use a recovery key. People should be realistic. Anyone who manages to forget their login password probably isn't going to be able to find their recovery key either. The recovery key is a "warm fuzzy" that Apple really has to provide because people would freak out otherwise. But you'll never need it or use it.

May 22, 2024 12:48 AM in response to sxbsxb

OK, this is bad. I updated a MBP to Sonoma 14.5, I got the question to login to an iCloud account, I logged in, it asked me if I want that iCloud account to be able to unlock the disk, I said no, I received a recovery key.


I wrote that down as 'new fake recovery key', but afterwards my old recovery key isn't valid anymore and the new one is. So, it actually changed the recovery key.


What is horrible about this is that I manage this system for elderly family members (at a distance), and if a next update does the same, I run the risk I'm not there to write this down and the recovery key will be lost.


I think the problem is in the iCloud stuff

May 22, 2024 2:38 AM in response to Gerben Wierda

Re: “… I manage this system for elderly family members … if a next update does the same … “


Your concerns about “unsupervised updating” are well-founded.


While slightly off-topic; you might mitigate this risk if you used an “administrator” account, while your family members used more-limited “standard” accounts.


While I’m not yet running Apple silicon hardware to test it myself …


… I suspect that these sorts of “substantive” updates can only be performed by an “administrator.”

Jun 27, 2024 6:51 AM in response to sxbsxb

So, it just happened to me again. Here it seems to be like this:

  • if an update of the OS has happened
  • and you log in with (an admin?) account without iCloud

it forces the creation of new recovery key, overwriting the existing recovery key.


This is really bad. macOS should leave my recovery key alone unless I want to change it.


I use a separate local admin account (good security practice) without storage of my recovery key in iCloud. When I do this, macOS should not damage it.

Mar 25, 2024 7:06 PM in response to sxbsxb

sxbsxb wrote:

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?


I haven't updated to 14.4.1 yet, but this occurred to me as well during the recent 14.4 update.


I wasn't frankly paying attention during the initial reboot after the update, and consequently can't recall the actual process; but at the point at which I realized that I was to be given a new FileVault Recovery Key, I opted, perhaps ill-advisedly, to force a system shutdown. The machine then rebooted normally and my existing, locally stored Recovery Key remains valid. So no harm done.

I've seen reports of this same issue on other forums, but unfortunately no advice on how to circumvent or suppress it, much less an explanation of its rationale (if there actually is any).

Mar 25, 2024 9:29 PM in response to DEFCON 3

There’s a discussion of this same issue in the context of the 14.4 update here on Reddit.


I notice that one of the replies states: “There’s something off because when I try to validate recovery command with the new key it returns False, but if I use the old recovery key it returns True.” Which is consistent with sxbsxb's experience — but doesn't make obvious sense.




Mar 27, 2024 6:52 AM in response to SailingSailorsGre

louisstormfront wrote:

Would love an explanation from Apple?

This is a user-to-user support forum. If there is any constant in the universe, it is that Apple is never going to explain any of this - not ever.


It sounds like everyone reporting this problem is using Sonoma. That seems to explain it. Sonoma may be the buggiest Apple OS release of all time. I just don't understand why everyone insists on running it. It's like the more bugs that Apple is able to shove into any operating system, the more popular it is. Yeah, sure people get on the internet and complain about the bugs, but they're still installing. It's only the installs that Apple cares about. The only thing you can count on is that macOS 15 is going to be even worse, and even more popular.


Data backup is the responsibility of the user. Apple isn't going to do it for you. There is always a chance that Apple is going to introduce some bug that permanently encrypts your hard drive. Granted the chance is very small, but it always greater than zero. If you weren't already backing up your data, I strongly recommend taking this opportunity to start.

May 5, 2024 12:23 PM in response to DEFCON 3

FileVault Disk Encryption is being defaulted to ON with brand new set up of Mac Book Pro. There is no Recovery Key provided so if you forget your log in password and get locked out there is no way to change it. Asks for Recovery Key that was never provided.


Apple Tech Support said they never ever see the FileVault Disk Encryption defaulted to ON with new setup. "Must be new on the new system upgrade" she said.

Mar 25, 2024 5:00 PM in response to leroydouglas

Thanks leroydouglas.


Yes, I was given a new key in the boot process when I updated to 14.4 and another when I updated to 14.4.1. When it booted, it first wanted me to login to iCloud. Well, I have a very strong password -- more than 20 characters -- and need to copy/paste from my password manager, so I skipped that. That's when it told me I had a new key that I was told to write down.


MacBook-Pro:~ % sudo fdesetup status
FileVault is On.

MacBook-Pro:~ % sudo fdesetup validaterecovery
Enter the current recovery key:
false
MacBook-Pro:~ % sudo fdesetup validaterecovery
Enter the current recovery key:
false


The first validate attempt used the key it gave me after updating to 14.4.1.

The second validate attempt used the key it gave me after updating to 14.4.

So, these two new keys are just bogus, I guess.


I do not recall a new file vault recovery key when I bought this new MacBook Pro. I copied everything over from my old iMac. May I assume that it used my old vault key from that machine? If so, I will have to spend some time trying to find that key.


Or, did I read the documentation correctly that I can turn off File Vault with just my password, and then turn it on again later, once the disk has been decrypted?


I do want File Vault on -- but I want it working.

Mar 25, 2024 7:51 PM in response to sxbsxb

sxbsxb wrote:

The first validate attempt used the key it gave me after updating to 14.4.1.
The second validate attempt used the key it gave me after updating to 14.4.
So, these two new keys are just bogus, I guess.


I would have expected the 14.4.1 Recovery Key issued to you today to validate. Is it possible you mis-typed it? (It's easy to do given the Key's complexity and the fact that your input is hidden from view as you type.)


Relatedly, I don't believe your iMac Recovery Key would have migrated to your new system.

Mar 26, 2024 8:11 AM in response to DEFCON 3

Thanks everyone. However....


I turned File Vault off. I never noticed a decryption status bar. I left the machine overnight and turned File Vault on this morning. I opted to avoid iCloud and had it generate a new key. When I clicked Continue it said it was calculating how long it would take. Then, within 30 seconds it said it was done. NOT POSSIBLE. I am using 333 GB out of 494 GB capacity.


MacBook-Pro:~ % sudo fdesetup status
Password:
FileVault is On.
MacBook-Pro:~ % sudo fdesetup validaterecovery
Enter the current recovery key:
true
MacBook-Pro:~ % diskutil cs list
No CoreStorage logical volume groups found
MacBook-Pro:~ % sudo fdesetup status -verbose -extended
fdesetup: device path = /
FileVault is On.
Volume is APFS. (FileVault Enabled)


So, what is going on? Is there a place that one can skip directories, devices, file systems from File Vault encryption? I don't want that to be the case.

Activity monitor show no disk activity.


Just in case anyone can interpret some Linux-type info here is my disk usage:

MacBook-Pro:~ % df -h
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/disk3s1s1   460Gi   9.5Gi   143Gi     7%    404k  1.5G    0%   /
devfs            212Ki   212Ki     0Bi   100%     732     0  100%   /dev
/dev/disk3s6     460Gi    20Ki   143Gi     1%       0  1.5G    0%   /System/Volumes/VM
/dev/disk3s2     460Gi   5.8Gi   143Gi     4%    1.2k  1.5G    0%   /System/Volumes/Preboot
/dev/disk3s4     460Gi    33Mi   143Gi     1%      52  1.5G    0%   /System/Volumes/Update
/dev/disk1s2     500Mi   6.0Mi   480Mi     2%       1  4.9M    0%   /System/Volumes/xarts
/dev/disk1s1     500Mi   6.1Mi   480Mi     2%      33  4.9M    0%   /System/Volumes/iSCPreboot
/dev/disk1s3     500Mi   2.8Mi   480Mi     1%      93  4.9M    0%   /System/Volumes/Hardware
/dev/disk3s5     460Gi   301Gi   143Gi    68%    2.4M  1.5G    0%   /System/Volumes/Data
map auto_home      0Bi     0Bi     0Bi   100%       0     0     -   /System/Volumes/Data/home
/dev/disk5s1      16Gi    16Gi   460Mi    98%    521k  4.7M   10%   /Library/Developer/CoreSimulator/Volumes/iOS_21E213
/dev/disk7s1      16Gi    15Gi   471Mi    98%    498k  4.8M    9%   /Library/Developer/CoreSimulator/Volumes/iOS_21A342
/dev/disk9s1      16Gi    16Gi   467Mi    98%    507k  4.8M   10%   /Library/Developer/CoreSimulator/Volumes/iOS_21C62
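
The instant "done" above is expected on a Mac with Apple silicon or a T2 chip: the internal SSD is always encrypted with a hardware-bound key, and turning FileVault on only ties that key to the user's credentials, so no data is rewritten and Activity Monitor shows no disk traffic. `diskutil cs list` reports nothing because CoreStorage is the pre-APFS volume manager; on APFS the per-volume state is in `diskutil apfs list`. The script below is an added example, not code from the thread or from Apple: it condenses that listing into one line per volume so the state can be confirmed rather than guessed at. It assumes the plain-text layout of `diskutil apfs list` (a "Volume diskNsM" header followed by indented "Name:", "Mount Point:" and "FileVault:" fields); the embedded sample is constructed for a self-test, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): list the FileVault state of every APFS
# volume as diskutil reports it, so an "instant" enable can be confirmed.
# Assumptions: the plain-text layout of `diskutil apfs list` (a "Volume
# diskNsM" header followed by indented "Name:", "Mount Point:" and
# "FileVault:" fields); the sample below is constructed for a self-test.

# Reduce `diskutil apfs list` on stdin to: volume  name  mount point  FileVault
fv_summary() {
    awk '
        function emit() {
            if (vol != "")
                printf "%-10s %-34s %-24s %s\n", vol, name, mp, (fv == "" ? "n/a" : fv)
            vol = ""; name = ""; mp = ""; fv = ""
        }
        # Tree-drawing prefix ("    +-> ") then "Volume disk3s5 <uuid>"
        /^[ |+>-]*Volume disk[0-9]+s[0-9]+/ {
            emit(); vol = $0; sub(/.*Volume /, "", vol); sub(/ .*/, "", vol)
        }
        /^[ |]*Name:/        { name = $0; sub(/.*Name:[ \t]*/, "", name) }
        /^[ |]*Mount Point:/ { mp = $0;   sub(/.*Mount Point:[ \t]*/, "", mp) }
        /^[ |]*FileVault:/   { fv = $0;   sub(/.*FileVault:[ \t]*/, "", fv) }
        END { emit() }
    '
}

# Constructed sample in the shape diskutil prints; not from a real Mac.
sample_apfs_list() {
cat <<'EOF'
APFS Containers (1 found)
+-- Container disk3 00000000-0000-0000-0000-000000000003
    |
    +-> Volume disk3s1 11111111-1111-1111-1111-111111111111
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk3s5 55555555-5555-5555-5555-555555555555
        APFS Volume Disk (Role):   disk3s5 (Data)
        Name:                      Data (Case-insensitive)
        Mount Point:               /System/Volumes/Data
        FileVault:                 Yes (Unlocked)
EOF
}

case "${1:-}" in
    --live)      diskutil apfs list | fv_summary ;;
    --self-test) sample_apfs_list | fv_summary ;;
esac
```

Run `sh fv-volumes.sh --live` on the Mac; the Data volume (here disk3s5) is the one FileVault protects, and "Yes (Unlocked)" on it, with "FileVault is On." from `fdesetup status`, is the state the user above was looking for. The System volume is a sealed, read-only snapshot and is not expected to show FileVault on its own.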

