Why is macOS update creating a new file vault recovery key?

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?

MacBook Pro 16″, macOS 14.4

Posted on Mar 25, 2024 2:55 PM

Question marked as Top-ranking reply

Posted on Mar 27, 2024 5:21 AM

What I just found out is that while I got two panels (after two logins with an account without iCloud) warning me that the recovery key had changed, it actually hadn't!


I tried "sudo fdesetup validaterecovery" on both new ones and the original one, and the 'new' ones returned false while the original one returned true (phew!)


So, definitely a bug?

48 replies

Mar 25, 2024 3:42 PM in response to sxbsxb

sxbsxb wrote:

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?


Does that mean you were given a new key...?

Verify FileVault status from Terminal.app copy and paste:

fdesetup status


verify if FileVault Recovery Key current, copy and paste;

sudo fdesetup validaterecovery


“Enter the current recovery key:” type or paste in your Recovery Key and press the Enter/Return key to continue

(note: your password will not echo on screen; type it in anyway and use the Enter/Return key to proceed.)


You will see:

True if the Recovery Key is the current key;

False if not



You can turn off FileVault from System Settings...




you can read more—

If you encrypted your Mac’s boot disk with FileVault 2 —this prevents you from using your Apple ID to reset your password (since the password is used in FileVault’s encryption). Read this Apple support document for more information about FileVault. ref: Protect data on your Mac with FileVault - Apple Support


macOS utilizes the macOS admin user account password for unlocking Filevault.

more on File Vault2— see HWTech

enter a password to unlock the disk”macin… - Apple Community


Mar 25, 2024 5:00 PM in response to leroydouglas

Thanks leroydouglas.


Yes, I was given a new key in the boot process when I updated to 14.4 and another when I updated to 14.4.1. When it booted, it first wanted me to login to iCloud. Well, I have a very strong password -- more than 20 characters -- and need to copy/paste from my password manager, so I skipped that. That's when it told me I had a new key that I was told to write down.


MacBook-Pro:~ % sudo fdesetup status
FileVault is On.

MacBook-Pro:~ % sudo fdesetup validaterecovery
Enter the current recovery key:
false
MacBook-Pro:~ % sudo fdesetup validaterecovery
Enter the current recovery key:
false


The first validate attempt used the key it gave me after updating to 14.4.1.

The second validate attempt used the key it gave me after updating to 14.4.

So, these two new keys are just bogus, I guess.


I do not recall a new file vault recovery key when I bought this new MacBook Pro. I copied everything over from my old iMac. May I assume that it used my old vault key from that machine? If so, I will have to spend some time trying to find that key.


Or, did I read the documentation correctly that I can turn off File Vault with just my password? And then turn it on later when the disk has been decrypted and turn it on again?


I do want File Vault on -- but I want it working.

Mar 25, 2024 5:32 PM in response to sxbsxb

sxbsxb wrote:


Or, did I read the documentation correctly that I can turn off File Vault with just my password? And then turn it on later when the disk has been decrypted and turn it on again?

I do want File Vault on -- but I want it working.


I would turn off FileVault while you are able.

After it completed the decryption and you want to continue using FileVault, you can enable it at that time. The process can take some time, let it run...you can use your mac as normal.


At that time I suspect you have the option to receive a new FileVault pass key...

Then verify it is valid so you can proceed with confidence.



Mar 25, 2024 7:06 PM in response to sxbsxb

sxbsxb wrote:

The last two macOS updates, to 14.4 and 14.4.1, give me a screen that says the File Vault Recovery Key has been changed. That is a rather big deal, IMO. What is going on? Anyone else see this?


I haven't updated to 14.4.1 yet, but this occurred to me as well during the recent 14.4 update.


I wasn't frankly paying attention during the initial reboot after the update, and consequently can't recall the actual process; but at the point at which I realized that I was to be given a new FileVault Recovery Key, I opted, perhaps ill-advisedly, to force a system shutdown. The machine then rebooted normally and my existing, locally stored Recovery Key remains valid. So no harm done.

I've seen reports of this same issue on other forums, but unfortunately no advice on how to circumvent or suppress it, much less an explanation of its rationale (if there actually is any).

Mar 25, 2024 7:51 PM in response to sxbsxb

sxbsxb wrote:

The first validate attempt used the key it gave me after updating to 14.4.1.
The second validate attempt used the key it gave me after updating to 14.4.
So, these two new keys are just bogus, I guess.


I would have expected the 14.4.1 Recovery Key issued to you today to validate. Is it possible you mis-typed it? (It's easy to do given the Key's complexity and the fact that your input is hidden from view as you type.)


Relatedly, I don't believe your iMac Recovery Key would have migrated to your new system.

Mar 25, 2024 8:31 PM in response to sxbsxb

This happened on my M3 Max MacBook Pro 14 when updating to 14.4.1. First it asked me to sign in to iCloud, which I did not do, and then told me that my FileVault key had been updated.


I don't store any recovery information in iCloud. I proceeded to disable and reenable FileVault in order to get a new recovery key.


Maybe this is due to some sort of firmware update?

Mar 25, 2024 9:29 PM in response to DEFCON 3

There’s a discussion of this same issue in the context of the 14.4 update here on Reddit.


I notice that one of the replies states: “There’s something off because when I try to validate recovery command with the new key it returns False, but if I use the old recovery key it returns True.” Which is consistent with sxbsxb's experience — but doesn't make obvious sense.




Mar 26, 2024 8:11 AM in response to DEFCON 3

Thanks everyone. However....


I turned File Vault off. I never noticed a decryption status bar. I left the machine overnight and turned File Vault on this morning. I opted to avoid iCloud and had it generate a new key. When I clicked Continue it said it was calculating how long it would take. Then, within 30 seconds it said it was done. NOT POSSIBLE. I am using 333 GB out of 494 GB capacity.


MacBook-Pro:~ % sudo fdesetup status
Password:
FileVault is On.
MacBook-Pro:~ % sudo fdesetup validaterecovery
Enter the current recovery key:
true
MacBook-Pro:~ % diskutil cs list
No CoreStorage logical volume groups found
MacBook-Pro:~ % sudo fdesetup status -verbose -extended
fdesetup: device path = /
FileVault is On.
Volume is APFS. (FileVault Enabled)


So, what is going on? Is there a place that one can skip directories, devices, file systems from File Vault encryption? I don't want that to be the case.

Activity Monitor shows no disk activity.


Just in case anyone can interpret some Linux-type info here is my disk usage:

MacBook-Pro:~ % df -h
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/disk3s1s1   460Gi   9.5Gi   143Gi     7%    404k  1.5G    0%   /
devfs            212Ki   212Ki     0Bi   100%     732     0  100%   /dev
/dev/disk3s6     460Gi    20Ki   143Gi     1%       0  1.5G    0%   /System/Volumes/VM
/dev/disk3s2     460Gi   5.8Gi   143Gi     4%    1.2k  1.5G    0%   /System/Volumes/Preboot
/dev/disk3s4     460Gi    33Mi   143Gi     1%      52  1.5G    0%   /System/Volumes/Update
/dev/disk1s2     500Mi   6.0Mi   480Mi     2%       1  4.9M    0%   /System/Volumes/xarts
/dev/disk1s1     500Mi   6.1Mi   480Mi     2%      33  4.9M    0%   /System/Volumes/iSCPreboot
/dev/disk1s3     500Mi   2.8Mi   480Mi     1%      93  4.9M    0%   /System/Volumes/Hardware
/dev/disk3s5     460Gi   301Gi   143Gi    68%    2.4M  1.5G    0%   /System/Volumes/Data
map auto_home      0Bi     0Bi     0Bi   100%       0     0     -   /System/Volumes/Data/home
/dev/disk5s1      16Gi    16Gi   460Mi    98%    521k  4.7M   10%   /Library/Developer/CoreSimulator/Volumes/iOS_21E213
/dev/disk7s1      16Gi    15Gi   471Mi    98%    498k  4.8M    9%   /Library/Developer/CoreSimulator/Volumes/iOS_21A342
/dev/disk9s1      16Gi    16Gi   467Mi    98%    507k  4.8M   10%   /Library/Developer/CoreSimulator/Volumes/iOS_21C62


Mar 26, 2024 9:56 AM in response to sxbsxb

sxbsxb wrote:

I turned File Vault off. I never noticed a decryption status bar. I left the machine overnight and turned File Vault on this morning. I opted to avoid iCloud and had it generate a new key. When I clicked Continue it said it was calculating how long it would take. Then, within 30 seconds it said it was done. NOT POSSIBLE. I am using 333 GB out of 494 GB capacity.


My less than fully informed understanding of the subject is that this is normal for silicon Macs like yours, which are always encrypted and have been from the get-go. Turning on FileVault provides additional password protection and generates the Recovery Key we’re discussing.


Some of the details can be found here (and I’m sure lots of other places):


https://eclecticlight.co/2023/03/31/why-you-should-enable-filevault/

Mar 26, 2024 10:09 AM in response to DEFCON 3

Thank you @defcon 3 !


I was not aware of the encryption under the covers that is explained in that link you provided. My experience has been with old, Intel Macs.


I am now happy with my machine. Still puzzled with the bogus keys generated when updating. I am betting it's because Apple developers didn't test without iCloud as most of them would be using it.


Mar 26, 2024 9:45 PM in response to sxbsxb

This has happened to me too. Reading the reddit threads there was a convincing argument to “Erase all content and settings” and start again. Being on a new machine this wasn’t much of a problem so I’ve done this and set up FileVault again.


Would love an explanation from Apple? Seems like a huge problem to have new keys generated or at least the appearance of new keys generated because of an update.

Mar 27, 2024 6:52 AM in response to SailingSailorsGre

louisstormfront wrote:

Would love an explanation from Apple?

This is a user-to-user support forum. If there is any constant in the universe, it is that Apple is never going to explain any of this - not ever.


It sounds like everyone reporting this problem is using Sonoma. That seems to explain it. Sonoma may be the buggiest Apple OS release of all time. I just don't understand why everyone insists on running it. It's like the more bugs that Apple is able to shove into any operating system, the more popular it is. Yeah, sure people get on the internet and complain about the bugs, but they're still installing. It's only the installs that Apple cares about. The only thing you can count on is that macOS 15 is going to be even worse, and even more popular.


Data backup is the responsibility of the user. Apple isn't going to do it for you. There is always a chance that Apple is going to introduce some bug that permanently encrypts your hard drive. Granted the chance is very small, but it is always greater than zero. If you weren't already backing up your data, I strongly recommend taking this opportunity to start.

Mar 27, 2024 7:29 AM in response to sxbsxb

sxbsxb wrote:

Still puzzled with the bogus keys generated when updating. I am betting it's because Apple developers didn't test without iCloud as most of them would be using it.


The last paragraph of this article and the comments following it (especially those by the article's author) purport to provide context to what's occurring.


https://eclecticlight.co/2024/03/07/apple-has-released-sonoma-14-4-update-and-security-updates-to-ventura-and-monterey/


It doesn't, however, address the serious security issue that's being created for those who unwittingly accept new FileVault Recovery Keys that aren't in fact valid.


Another unresolved issue, of course, is the status of the Recovery Keys generated for those who opt to have their Recovery Keys escrowed to iCloud and who have no way to validate their keys, even if they wanted to do so, since they never see them.

Mar 27, 2024 7:54 AM in response to DEFCON 3

DEFCON 3 wrote:

The last paragraph of this article and the comments following it (especially those by the article's author) purport to provide context to what's occurring.

Don't get your information from social media influencers.

Another unresolved issue, of course, is the status of the Recovery Keys generated for those who opt to have their Recovery Keys escrowed to iCloud and who have no way to validate their keys, even if they wanted to do so, since they never see them.

It is important to remember that the FileVault recovery keys are just that - for last-ditch recovery. Your account password will continue to unlock FileVault. I recommend maintaining an additional Administrator account that you don't screw around with as a fallback.


I've been using FileVault for many years and I've never needed to use a recovery key. People should be realistic. Anyone who manages to forget their login password probably isn't going to be able to find their recovery key either. The recovery key is a "warm fuzzy" that Apple really has to provide because people would freak out otherwise. But you'll never need it or use it.
