How is PRK generated/derived and what is being sent to Apple's servers if I choose "use this iCloud account to unlock and reset your password…" during FileVault setup? I wasn't able to find this in FileVault technical whitepaper. Is it just yet another DEK (Data Encryption Key)?
iCloud – FileVault personal recovery key
Tags: apple-id, filevault, icloud, recovery
Related Solutions
After a bit of messing about, it turns out that there is a better compromise which doesn't seem to be clearly documented anywhere obvious, so I thought I'd share it here. I don't believe this is a duplicate but I'm happy to see this question closed if I've missed something.
The cost of the solution (which may be unacceptable to some) is that you need to sacrifice about 14G of your drive to a honeypot partition. The steps I took are:
Use Disk Utility to resize your boot partition to create at least 14.3G of free space at the end of the drive. If you've already enabled FileVault, I believe this means you're going to have to turn it off and wait for it to finish decrypting first.
Create an empty, Mac OS Extended, Journalled partition at the end of your drive filling the free space.
To make things look a bit more convincing, give your new partition a name that's more plausible than Macintosh HD (2) - I name mine after my host name.
Restart your computer and launch into recovery mode by holding down Cmd-R as the system boots.
Select reinstall OS from the recovery menu, and follow through with the install. Somewhere along the line you will get the option to select where to install the OS. You want to put it on the new partition, obviously. It should be just big enough to let you install Lion. If it isn't, you're going to have to drop back out to the main recovery menu, fire up Disk Utility and resize the partitions again. This is a bit of a crapshoot because you don't end up with as much free space as the specified size of the partition, but you'll get there in the end.
Complete the installation of your new copy of Lion. You want to set this up as a honeypot, so:
- Enable automatic login that logs into a non-administrative account with the same username as you use on your main partition (for added plausibility)
- Make sure your admin account has a decent password to make it hard for the thief to mess with your tracking software if he finds it
- Don't hook anything up to iCloud - I'm assuming you're going to be using an alternative service like Undercover, Prey or LoJack to aid recovery, so it's just more potential exposure and best avoided.
- Install your tracking software of choice on the honeypot partition. I went with Undercover in the end because it's a one-off cost and Prey is written in bash <shudder>.
- Prevent corestoraged from trying to mount encrypted partitions on startup, thus blowing your cover:

    sudo mkdir -p /System/Library/LaunchDaemons.Disabled
    sudo mv /System/Library/LaunchDaemons/com.apple.corestorage.corestoraged.plist /System/Library/LaunchDaemons.Disabled/com.apple.corestorage.corestoraged.plist

  (A bit of a hack, but it's only a honeypot. Hat tip to the contributors here.)
- Reboot your system. You'll need to hold down alt/opt as the system boots to bring up the boot menu. Select your original main partition to boot into your main system.
- (Re)Enable FileVault for this partition and allow it to complete.
- Install your tracking software on this partition as well (this works fine for Undercover, which identifies machines by serial number or MAC address, so it doesn't care which partition you boot into)
- Set a firmware password. If you're on a pre-2011 mac this is only a token gesture, but I suppose every little helps. If you have a newer mac, this is a serious security measure, as the only options for circumventing it AFAIK are taking it to Apple or physically replacing a chip on the motherboard.
So now, if you power off your mac and boot it from cold, it will boot into the honeypot partition without even asking for a password. To an unsophisticated thief, it will look like they've got access to your machine just by rebooting it. There's a fighting chance that your tracking software will have a chance to file a report before the thief realises that something isn't quite right.
When you reboot your machine, you will have to remember to hold down the alt/option key to get into your proper system, at which point you will be prompted for a password to decrypt it. Assuming that you have the appropriate locking settings enabled for sensible security, your machine is tolerably secure against someone getting hold of sensitive private data.
If you have a recent mac with proper firmware protection, the thief will have an exceptionally difficult time using anything other than the honeypot partition, and will struggle to do anything particularly useful even with that, since he has no administrative rights. With any luck, by the time he's finished getting frustrated with it the police will already be knocking at his door :-)
According to Apple's [documentation on FileVault 2](https://support.apple.com/en-us/HT4790) (emphasis added by me):

Changing your recovery key

In the Security & Privacy system preference, under the FileVault tab, click "Turn Off FileVault" to disable FileVault. After FileVault is off, FileVault will begin to decrypt your drive. Once decryption is complete, you can click the "Turn On FileVault" button. Doing this allows you to enable unlock-capable users. You're also provided with a new recovery key and have the option of sending this new key to Apple. **The old key sent to Apple will not be able to unlock your newly-encrypted disk.** If you need to retrieve your recovery key from Apple, only the new one will be retrieved based on the Serial Number and Record Number displayed in the login window.
I think that this might be your answer.
Best Answer
The personal recovery key is read from /dev/random and base32 encoded afterwards:
Source: Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption, page 9
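The construction the answer describes (random bytes from the OS, then base32) is easy to reconstruct. The following is an added illustration, not Apple's code and not taken from the cited paper: it draws the bytes with `os.urandom` (the kernel CSPRNG, rather than opening `/dev/random` directly, so it also runs off macOS) and formats them the way a FileVault 2 personal recovery key is displayed. The 24-character, six-group layout and the resulting 15-byte (120-bit) length are assumptions drawn from the familiar key format, not from this page; `encode_prk`, `decode_prk`, `generate_prk` and `PRK_PATTERN` are names chosen here.

```python
"""Reconstruct a FileVault-style personal recovery key (PRK) from random bytes.

Added example: random bytes -> RFC 4648 base32 -> six hyphenated groups of four.
Assumption (not stated on the page): 24 base32 characters = 120 bits = 15 bytes.
"""
import base64
import os
import re

PRK_RAW_BYTES = 15          # 15 bytes is a multiple of 5, so base32 needs no '=' padding
PRK_GROUP_LEN = 4
PRK_GROUPS = 6
# Base32 alphabet is A-Z and 2-7 (no 0/1/8/9), hence the character class below.
PRK_PATTERN = re.compile(r"^(?:[A-Z2-7]{4}-){5}[A-Z2-7]{4}$")


def encode_prk(raw: bytes) -> str:
    """Base32-encode 15 raw bytes and split into XXXX-XXXX-XXXX-XXXX-XXXX-XXXX."""
    if len(raw) != PRK_RAW_BYTES:
        raise ValueError(f"expected {PRK_RAW_BYTES} bytes, got {len(raw)}")
    b32 = base64.b32encode(raw).decode("ascii")       # exactly 24 characters, no padding
    assert len(b32) == PRK_GROUP_LEN * PRK_GROUPS
    return "-".join(b32[i:i + PRK_GROUP_LEN] for i in range(0, len(b32), PRK_GROUP_LEN))


def decode_prk(text: str) -> bytes:
    """Validate the displayed form and recover the 15 random bytes behind it."""
    candidate = text.strip().upper()
    if not PRK_PATTERN.match(candidate):
        raise ValueError("not a well-formed 24-character base32 recovery key")
    return base64.b32decode(candidate.replace("-", ""))


def generate_prk() -> str:
    """Draw fresh key material from the kernel CSPRNG and format it as a PRK."""
    return encode_prk(os.urandom(PRK_RAW_BYTES))


def prk_entropy_bits(prk: str) -> int:
    """Entropy carried by a well-formed key: 5 bits per base32 character."""
    return len(decode_prk(prk)) * 8


if __name__ == "__main__":
    key = generate_prk()
    print(key)                                   # e.g. "Q7R3-...-...." (random each run)
    print(prk_entropy_bits(key), "bits of key material")
    # Round trip: the displayed string is only an encoding of the random bytes.
    assert encode_prk(decode_prk(key)) == key
```

The point for a defender is that the recovery key is nothing more than 120 random bits in a human-typable encoding: it is a full-strength secret for the volume, so wherever it is stored (a printout, a password manager, or escrow with Apple) it deserves the same handling as the master key itself.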