The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?
MacBook Pro 16″, macOS 14.4
What I just found out is that while I got two panels (after two logins with an account without iCloud) warning me that the recovery key had changed, it actually hadn't!
I tried "sudo fdesetup validaterecovery" on both new ones and the original one, and the 'new' ones returrned false while the original one returned true (phew!)
So, definitely a bug?
Thank you @defcon 3 !
I was not aware of the encryption under the covers that is explained in that link you provided. My experience has been with old, Intel Macs.
I am now happy with my machine. Still puzzled with the bogus keys generated when updating. I am betting it's because Apple developers didn't test without iCloud as most of them would be using it.
Whilst I agree with you wholeheartedly on not sourcing one's information from 'social media influencers' and other such dubious non-entities, Dr Howard Oakley (the author and creator of eclecticlight.co, the blog in question) is in fact a highly regarded author and developer of Mac software. I'm sure you had not meant to infer otherwise. His web site is a veritable encyclopaedic cornucopia of information on all things macOS related. Btw, I also agree with you on the absolute dog's dinner that is Sonoma.
Re: “… Anyone who manages to forget their login password probably isn't going to be able to find their recovery key either … “
True words!
Also, If the user opts to save the File Vault Recovery Key to iCloud, it’s not even presented to them on-screen to manually record.
AndyXII wrote:
I'm sure you had not meant to infer otherwise.
Don't put words into other people's mouths, especially when they just said the exact opposite.
His web site is a veritable encyclopaedic cornucopia of information on all things macOS related.
Social media can be more than just those well-known social media platforms, it can be traditional web sites, ancient message systems, blogs, and even software. It all boils down to believing what someone on the internet tells you. Sometimes they're right. Sometimes they have an agenda. If you can't tell the difference, then you're a follower. It doesn't matter if you follow a politician, a party, a preacher, or some guy on the Internet. You're still being led around on a string the same way.
Sometimes they're right. Sometimes they have an agenda.
I assume your agenda would be the promotion of your software product.
Dr. Oakley's blog provides useful information (admittedly for those with a decent grasp on the subject) in a courteous fashion. I'll leave preaching to you.
AndyXII wrote:
I assume your agenda would be the promotion of your software product.
Not at all. For one thing, the Apple Support Community Terms of Use forbid me from doing that. For another, EtreCheck's revenue peaked long ago. It is rapidly becoming more trouble than it's worth.
Dr. Oakley's blog provides useful information (admittedly for those with a decent grasp on the subject) in a courteous fashion. I'll leave preaching to you.
A fascinating perspective! There is definitely some useful information there. When I want the full path to the awful Apple "lsregister" tool, I tend to go to that web site to get it instead on even looking in my own source code.
But I do have a decent grasp on the subject, so I can tell the difference between convenient information like the path to a system tool, which can be easily verified, and speculation, misinformation, and misunderstandings that are all woven within in the same post.
It's particularly fascinating how you would interpret that as "courteous". It's really just aligning a message with other social media influencers in the same space. They know what people want to hear and feed that to them. Then, a non-influencer comes along and says something contradictory, based on facts that would require effort to verify. That message of discord is treated as "rudeness". I have contradicted not some social media influencer, but your own deeply-held beliefs. You take offence, and double-down faith in your source of misinformation.
It really is close to "preaching". There is even a term for it - "preaching to the choir". But even in real-life congregations, people are aware of the dangers of having a savvy, manipulative paster who uses their position to craft a conformable message designed more to secure their own position instead of focusing on those parts of the gospel that people need to hear. It's pretty easy to see when people in other churches are being fooled. The trick is to be able to apply that critical analysis to one's own group.
So glad I found this thread by accident. I have accepted 2 filevault key updates in the past few weeks and thought the most recent of those keys was the new, working one.
Turns out neither of them work. This is a very concerning bug.
Re: “ … When I learned they were invalid, I turned off, and back on the file vault to key a new key …”
👍
Fortunately, w/ T2 Security Processors, and “always encrypted” disks, this process only takes a few seconds …
… vice the anxiety-producing decrypt & re-encrypt process required of of the earlier T1 models.
In my case, the message 'FileVault recovery has been updated...' only appeared on my mac book pro M3 on April 7, 2024, nearly two weeks after I updated my system to macOS 14.4.1 on March 25, 2024.
A verification of the 'new FileVault recovery key' with sudo fdesetup validaterecovery produces a "false"
Any recommendation what to do now?
When validating, did you enter the recovery key EXACTLY as it was displayed …
… to include any “punctuation?”
Example: My own key contains 29 “characters”:
Specifically, six (6) groups of four (4) alpha-numeric characters — with a single “hyphen” between each of the six groups.
I updated my second MacBook Pro with M2 to macOS 14.5 but received no message about a change to my FileVault Recovery Key. Why would the FileVault Recovery Key change on my MacBook Pro with M3 after the upgrade to 14.5, but not on the MacBook Pro with M2?
evoolb wrote:
Why would the FileVault Recovery Key change on my MacBook Pro with M3 after the upgrade to 14.5, but not on the MacBook Pro with M2?
For that matter, why would it change on either machine? There's no obvious explanation, making it appear to happen almost at random.
(Whether it's random or not, the posts here and elsewhere seem to suggest it tends to be persistent, often affecting the same systems across Sonoma upgrades. The 14.5 upgrade marks the third consecutive time for my MacBook Pro M1.)
Interesting that the replacement key you received for your M3 was actually valid, which is a new wrinkle. Thanks for the update.
Re: “… So now Apple is putting the recovery key front and centre and making people deal with, and by extension, be aware of it … “
It might be helpful if Apple also employed the same “awareness technique” already used when setting/changing AppleID Recovery Keys.
i.e. Force the user to successfully re-enter the code on a separate setup screen before continuing.
This method might help provide a bit of “gravitas” to the significance of the info.
So you DID positively validate - using fdesetup - you DO know you correct File Vault Recovery Key … ?
You’re right, this could indeed be hazardous.
Concur. 👍
Why is macOS update creating a new file vault recovery key?
