FileVault 2 - Encrypted Question

ghsNick

macrumors 68030
Original poster
May 25, 2010
2,754
585
Hi All -

I just encrypted my iMac with FileVault 2 and I noticed something that looked weird. I never noticed my old computer saying "A recovery key has been set."

Can anyone else confirm this is normal with a screenshot of theirs?

Thanks!
 

Attachments

simonsi

macrumors 601
Jan 3, 2014
4,850
734
Auckland
Normal as on mine, I can't remember if that was by selection in the FV setup process though.

You don't get a screenshot though, I'm not bothered proving it to you...
 

MRxROBOT

macrumors 6502
Apr 14, 2016
488
422
1011100110
Hi All -

I just encrypted my iMac with FileVault 2 and I noticed something that looked weird. I never noticed my old computer saying "A recovery key has been set."

Can anyone else confirm this is normal with a screenshot of theirs?

Thanks!
It is normal. Judging from your screenshot, you elected to allow your iCloud account to unlock your disk.

 

ghsNick

macrumors 68030
Original poster
May 25, 2010
2,754
585
Normal as on mine, I can't remember if that was by selection in the FV setup process though.

You don't get a screenshot though, I'm not bothered proving it to you...
C'mon lol. Yeah, I don't remember the last line about the recovery key on my old iMac but as long as that's normal.

Looking at the screenshot above it says unlock with iCloud or get a recovery key. Can you see why I'm confused? Because I chose iCloud but it also says a recovery key has been set.
 

MRxROBOT

macrumors 6502
Apr 14, 2016
488
422
1011100110
C'mon lol. Yeah, I don't remember the last line about the recovery key on my old iMac but as long as that's normal.

Looking at the screenshot above it says unlock with iCloud or get a recovery key. Can you see why I'm confused? Because I chose iCloud but it also says a recovery key has been set.
If you don't want recovery access, it's best to boot into disk utility and encrypt from there.
 

ghsNick

macrumors 68030
Original poster
May 25, 2010
2,754
585
If you don't want recovery access, it's best to boot into disk utility and encrypt from there.
I want Recovery Access - I'm just confused. Is it normal to say Recovery Key set if I chose iCloud as my Recovery method?
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
2,891
1,216
Have not turned on FileVault on a computer since 2012 (13?), so, have not tried the iCloud method.

But it appears that, yes, iCloud recovery is on. Says can recover via that route, per the dialog.

Think the dialog box is a little misleading. What is going on, from what I've seen on Apple's support site, there still is a recovery key that is generated for the drive, just that it is stored in iCloud. So, instead of you manually entering the recovery key, FileVault sign-on process extracts it from iCloud.

In the old days, worked similar in that you had the option for Apple to store the recovery key for you, but, you provided three security questions, that Apple said they only stored the questions for, not the replies. They then took the answers and melded them together to create a key to encrypt the recovery key. If you forgot the EXACT answers when you tried to recover, one was out of luck on getting that recovery key back.

This method is a little less secure, imo (if someone has access to your machine and knows your iCloud password [or provide a subpoena to Apple]), but easier for people to make their device a fair bit more secure (read: someone steals your device, this secures your data) and recover when something goes wrong.

ADD: if some concern, can always decrypt the drive and re-encrypt it, to doubly check that you did select iCloud option.
 
  • Like
Reactions: ghsNick
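
Added example, not part of any post in this thread and not Apple's implementation: a sketch of the older escrow idea described above, where a key derived from the security answers wraps the recovery key, so only the exact answers unwrap it. The separator, PBKDF2 parameters, blob layout and the HMAC-based keystream (a standard-library stand-in for a real cipher) are all assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch

# Constructed sample data, not real keys or answers.
SAMPLE_RECOVERY_KEY = b"ABCD-EFGH-IJKL-MNOP-QRST-UVWX"
SAMPLE_ANSWERS = ["Rex", "Springfield", "Blue"]

def derive_keys(answers, salt):
    """Stretch the answers, joined exactly as typed, into an encryption key and a MAC key."""
    material = "\x1f".join(answers).encode("utf-8")  # no trimming, no case folding
    okm = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a real cipher (stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(recovery_key, answers):
    """Return salt || nonce || ciphertext || tag; the answers are never stored."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(answers, salt)
    ct = bytes(a ^ b for a, b in zip(recovery_key, keystream(enc_key, nonce, len(recovery_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unwrap(blob, answers):
    """Return the recovery key, or None when the answers do not match exactly."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(answers, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong answers: nothing stored can recover the key
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    blob = wrap(SAMPLE_RECOVERY_KEY, SAMPLE_ANSWERS)
    print(unwrap(blob, SAMPLE_ANSWERS))                   # exact answers
    print(unwrap(blob, ["rex", "Springfield", "Blue"]))   # one case change
```

Because the escrowed blob holds only the salt, nonce, ciphertext and tag, whoever stores it cannot help when an answer is misremembered, which is the trade-off the post contrasts with iCloud-based recovery.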

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,718
10,504
California
I want Recovery Access - I'm just confused. Is it normal to say Recovery Key set if I chose iCloud as my Recovery method?
Just as another data point, I intentionally told it NOT to store the recovery key on iCloud, and you can see how mine looks different than yours.

It appears both methods are creating a recovery key, just yours is stored in iCloud and mine is not.

Screen Shot 2016-05-24 at 9.23.36 AM.png
 
  • Like
Reactions: ghsNick

ghsNick

macrumors 68030
Original poster
May 25, 2010
2,754
585
Have not turned on FileVault on a computer since 2012 (13?), so, have not tried the iCloud method.

But it appears that, yes, iCloud recovery is on. Says can recover via that route, per the dialog.

Think the dialog box is a little misleading. What is going on, from what I've seen on Apple's support site, there still is a recovery key that is generated for the drive, just that it is stored in iCloud. So, instead of you manually entering the recovery key, FileVault sign-on process extracts it from iCloud.

In the old days, worked similar in that you had the option for Apple to store the recovery key for you, but, you provided three security questions, that Apple said they only stored the questions for, not the replies. They then took the answers and melded them together to create a key to encrypt the recovery key. If you forgot the EXACT answers when you tried to recover, one was out of luck on getting that recovery key back.

This method is a little less secure, imo (if someone has access to your machine and knows your iCloud password [or provide a subpoena to Apple]), but easier for people to make their device a fair bit more secure (read: someone steals your device, this secures your data) and recover when something goes wrong.

ADD: if some concern, can always decrypt the drive and re-encrypt it, to doubly check that you did select iCloud option.
Just as another data point, I intentionally told it NOT to store the recovery key on iCloud, and you can see how mine looks different than yours.

It appears both methods are creating a recovery key, just yours is stored in iCloud and mine is not.

View attachment 632763
Thanks guys - that makes sense that a recovery code has been created but it's stored in iCloud and can only be unlocked with that password.

I encrypted my old iMac and never remembered seeing that last line mentioning a recovery key has been set. That's why I was trying to see if anyone else who used iCloud also had that listed.

Thanks
 
  • Like
Reactions: Weaselboy

bookemdano

macrumors 65816
Jul 29, 2011
1,391
770
Thanks guys - that makes sense that a recovery code has been created but it's stored in iCloud and can only be unlocked with that password.

I encrypted my old iMac and never remembered seeing that last line mentioning a recovery key has been set. That's why I was trying to see if anyone else who used iCloud also had that listed.

Thanks
Well not to throw hot water on this theory but on my 2011 MBA running 10.11.5 I elected to store my recovery key in iCloud but my FileVault tab in Security and Privacy Preferences does not show the "A recovery key has been set." verbiage (see screenshot). So I'm not sure what causes that line to show up.
 

Attachments

  • Like
Reactions: ghsNick

Erdbeertorte

Suspended
May 20, 2015
1,180
500
@bookemdano

Do you have Two Factor Authentication enabled? And the iCloud Keychain? Maybe it has something to do with one of those.

Could be the 2FA had to be enabled before turning on FileVault. Someone mentioned the key was the answer to the security questions, which you don't need anymore with 2FA enabled. So it might generate another key instead. But I don't know.

I have 2FA and iCloud Keychain enabled and see that line on my Late 2011 MBP and on my Late 2015 iMac. Can't remember if it had been there before because FileVault was disabled for a while and I re-enabled it a few days ago.


Screen Shot 2016-05-25 at 22.58.27.png
 
  • Like
Reactions: ghsNick

ghsNick

macrumors 68030
Original poster
May 25, 2010
2,754
585
@bookemdano

Do you have Two Factor Authentication enabled? And the iCloud Keychain? Maybe it has something to do with one of those.

Could be the 2FA had to be enabled before turning on FileVault. Someone mentioned the key was the answer to the security questions, which you don't need anymore with 2FA enabled. So it might generate another key instead. But I don't know.

I have 2FA and iCloud Keychain enabled and see that line on my Late 2011 MBP and on my Late 2015 iMac. Can't remember if it had been there before because FileVault was disabled for a while and I re-enabled it a few days ago.


View attachment 632947
On my old computer I didn't have 2FA enabled and I didn't see the recovery key line.

On my new iMac 2FA was enabled (actually, 2 Step Verification) and it looks like yours.
 