
How do you know it's "by design"? By default macOS was always using this encryption scheme, but there was always the possibility to have an optional FDE. Now this is broken and I can't even manage to get macOS installed when any encrypted partition is present, since it also causes the installer to fail.

I obviously find it an absolutely terrible "design" decision, since there is no way on earth anyone can count a disk encryption key that is unlockable by a user password or Face ID as secure.

PS: If someone has any idea how having a separate boot password can be hacked around, I'll really appreciate the advice.



Apple Silicon Macs use per-file encryption tied to the credentials: https://support.apple.com/en-gb/guide/security/secf6276da8a/...

Was carried over from iOS.

A way to bypass it _should_ be possible, but will entail having the System volume of the volume group have different properties from the Data part.

Otherwise the OS will fail to load. (on Apple Silicon Macs, macOS is fully booted already when you input the password, so if you encrypt macOS...)

On older Macs, a Preboot UEFI application prompts you for the password prior to booting.

What you can do as a workaround:

Create a second account which you'll only use to unlock the drive and then run sudo fdesetup add -usertoadd unlockUser and then sudo fdesetup remove -user PrimaryUser. That'll give the rights to unlock the drive only to that unlock user.

You can also use sudo fdesetup removerecovery -personal to destroy the ability of the recovery key to unlock the drive.


Does this mean that every user account has their own data volume or that every user account has their home folder encrypted on a per-file basis? Or neither?

What are the privacy implications of two users (both with administrator accounts) sharing an Apple Silicon Mac?


One data volume per OS install.

Both users have access to all the data in that case. It got carried over from iOS which didn't have multi-user support.

(and this is by design; protection granularity is the volume)


Thank you very much. I'll try to set it up using an additional user as you explained.

Is it possible to make sure that the encryption key is only available using this "unlock" user's passphrase?


You can use sudo fdesetup list -verbose which tells you which users have their password attached as an unlock token for a given volume.
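
The procedure from the earlier reply (enable a dedicated unlock account, then remove the primary user as an unlock user) and the check from this one (fdesetup list), put together as an added example. This is not code from the thread or from Apple; it assumes fdesetup list prints one "user,UUID" line per enabled account, and the account names primaryuser/unlockuser and the sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: restrict FileVault unlock to one
# dedicated account and verify the outcome by parsing `fdesetup list`.
# Assumption: `fdesetup list` prints one "user,UUID" line per enabled
# account. Account names below are placeholders.

# Return 0 when the only account enabled to unlock the volume is $1.
# Reads `fdesetup list` output from stdin.
only_unlock_user_enabled() {
    want="$1"
    count=0
    found=0
    while IFS=, read -r user _uuid; do
        [ -z "$user" ] && continue
        count=$((count + 1))
        [ "$user" = "$want" ] && found=1
    done
    [ "$count" -eq 1 ] && [ "$found" -eq 1 ]
}

# The real procedure (needs an admin session on the Mac; runs fdesetup).
# $1 is the day-to-day account to strip of unlock rights, $2 the
# account that will be the only one able to unlock the disk.
restrict_unlock_to_user() {
    primary="$1"
    unlock="$2"
    id "$unlock" >/dev/null 2>&1 || { echo "no such account: $unlock" >&2; return 1; }
    # Add the unlock account first, then remove the primary one, so the
    # volume is never left without an enabled user in between.
    sudo fdesetup add -usertoadd "$unlock"
    sudo fdesetup remove -user "$primary"
    # Optional, as in the thread: also burn the personal recovery key.
    # sudo fdesetup removerecovery -personal
    # Confirm only the unlock account remains.
    sudo fdesetup list | only_unlock_user_enabled "$unlock"
}

# Constructed sample listings (not real output from any machine), used
# to exercise the check offline.
SAMPLE_BEFORE='primaryuser,AAAAAAAA-0000-0000-0000-000000000001
unlockuser,AAAAAAAA-0000-0000-0000-000000000002'
SAMPLE_AFTER='unlockuser,AAAAAAAA-0000-0000-0000-000000000002'

# Only touch the real machine when explicitly asked:
#   sh thisfile.sh apply primaryuser unlockuser
if [ "${1:-}" = "apply" ]; then
    restrict_unlock_to_user "$2" "$3"
fi
```

Running the script with no arguments does nothing to the machine; the check can be exercised against the sample listings with printf '%s\n' "$SAMPLE_AFTER" | only_unlock_user_enabled unlockuser, which succeeds, while the before listing fails because two accounts are still enabled.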


Why is that so important? Your disk encryption key is certainly stored in memory for the duration of your session (which on Macs might as well be forever since they don't need to shut down), so anyone with your user password can gain access either way.


It is important because M1 is iOS-derived hardware and unlikely to keep disk encryption keys in memory that you or anyone can freely dump. And hardware attacks against TPM are both costly and hard to perform.

Also, in case of travel or emergency it's much easier to just power it off. At the same time there are tons of ways someone can steal your day-to-day lock screen password.




