They don’t have to be in the SSV to be loaded in the kernel. According to this page, 3rd party KEXTs are stored in `/Library/Extensions`, but 1st party extensions are stored in `/System/Library/Extensions`.

Thanks, that's a nice bit of clarification. If I read it right, it's saying that, starting with Big Sur, no third-party kexts are stored in the SSV. Specifically, they're saying there are three types of extensions, which are handled as follows:

1) First-party kernel extensions (kexts), where first-party means "Apple". These are stored in /System/Library/Extensions, which is in the SSV.

2) Third-party kernel extensions (kexts), where third-party means it comes from a non-Apple developer. These are stored in /Library/StagedExtensions, which is not in the SSV.

3) Third-party system extensions, which the app keeps in its own folder, and are thus likewise not stored in the SSV.
 
Why not? If every byte is encrypted, slack (if any) is also encrypted. Furthermore, nobody will be able to tell what data is part of a file and what isn’t, since there will be no readable directory.
The system partition remains intact
 
You cannot read encrypted data without the encryption key. You seem to have trouble understanding this from previous threads. You should read up about it a little bit, it’s an interesting topic.

Again, unless there is something Apple has implemented incorrectly, ie, the encryption keys are not destroyed properly or in a secure manner, it’s not going to be possible to read the disk in any meaningful sense. Encrypting something means just that. If the key to decrypt it no longer exists, then it cannot be read.

It is in fact far more secure than other methods, including reformatting and multiple-pass zero writes. With both of those, it remains possible in some cases to recover data.

Trust me, I have been reading around this topic for some time. There also seems to be a misconception even on your side.

AFAIK, when you encrypt your drive with a password a secret "code key" is stored on the drive that unlocks the drive once given the password. Once you reset the encryption, in this Apple's case, what Apple does is delete the "code key", which means even with a password it's not going to open.

This is akin to a door that can only be opened from the other side with a guard behind it, if you tell him the password he will open the door. The guard died in the room, the password is no use any more.

I am just waiting for security researchers to confirm that everything is fine and dandy.

Huh?

No, you can't recover data from a wipe.

That's been something of a myth for quite a while.

Many many years ago, it was theoretically possible to recover some data from a hard drive that had been zeroed. Hard drive technology has changed significantly since then (and yes, I mean hard drive, that changed long before SSDs were ever a thing). It's still considered good practice to do a multiple-pass random data overwrite to wipe a hard drive, but it's really a bit of overkill to do more than one random-data pass on a hard drive built in the last decade or so, and even just zeroing it is good enough; there's just not enough shadow residual magnetism there on modern-ish hard drives.

And you're NOT going to recover data from a wiped (all bits set to 1) SSD.

Encrypted data on the other hand... It's hard, but throw enough computing resources at it for long enough and there's a decent chance of decryption, particularly since there's a decent chance of some bug in any encryption method that made the key weaker than it theoretically should have been. And in the somewhat distant but easily foreseeable future (early quantum computers are already a thing) it's going to be easier.

Wiping an HDD works, I heard it does not work on SSDs.
 
You may be reading, but you must not be reading the right material.

No keys are stored on the drive PERIOD. (At least for T2 or M1 machines, which is what we are talking about here.) All encryption/decryption is handled by the T2/M1 chip and the encryption keys are stored in the Secure Enclave, which only the T2/M1 chip has access to. This happens even if you do not turn on "FileVault" in the OS. (All turning on FileVault does is add a layer of authentication to unlock the keys in the Secure Enclave.)

To erase the drive, all the OS does is tell the Secure Enclave to permanently destroy the encryption key, thus making the drive unreadable.

Here is a comparison.

You have a secure front door to your house. This is the only entrance and cannot be bypassed or broken into. The only way to enter the door is to use a single key to unlock it.

In the simplest solution, you leave that key under the mat in front of the door. Anyone can come up and use the key to unlock the door. Not very secure, but at least someone can come to the back of the house and break in. This is the equivalent of a current Mac without FileVault turned on. Anyone can turn the computer on and get to the O/S or use Target Disk Mode (on T2 computers). Yes, there are security features of the O/S (like passwords), but once you turn on the computer, the drive is unlocked.

To be more secure, you decide to put the house key in a lock box with a keypad. To unlock the key, you must first unlock the box. You can also give others access to the key box, but a bad actor still can't access the key. This is what turning on FileVault in macOS adds. The drive encryption key is now protected by a password. You can't unlock the drive without the key and you can't unlock the key without your password.
 
Joking or just looking at it from a glib and narrow POV?

This is useful for anyone who cares about their privacy especially if: sell it, put it in someone else’s hands for an extended period, want/need to begin from a FR.

It’s a serious point that the majority of people have misunderstood. I never implied there weren’t legal uses.

If you have files on your computer that could put you in jail for decades don’t you think you’d naturally care even more about privacy than someone lending a device and not wanting embarrassing photos or whatever seen?

In the past removing data/evidence would require physically destroying your hard drives. Now deleting a couple of keys achieves the same result in milliseconds.
 
What if the user gives an app permission to load kernel extensions? Some of the apps I use continue to require them (as these are not exotic apps, I would consider this part of normal operation). Aren't kexts installed into the OS kernel and thus into the Signed System Volume? And, if so, doesn't that mean this feature will not restore the OS to its factory state?

Sounds like your prediction is that, if kexts are installed into the SSV, this feature won't work.


Kexts don't _need_ to be installed in the SSV to load. Check out /Library/Extensions. This directory contains user extensions and is not protected by SIP. Kexts are "kernel extensions" and can be loaded in at runtime using the kextload command. Apple is currently in the process of getting developers to migrate to a different framework, system extensions, which are safer and more secure. In fact, certain categories of kernel extensions that have direct replacements as system extensions are outright prohibited from loading under Monterey.

My thought is that this feature is enabled by signing the volume, which allows the system to verify that no changes have been made to it, thereby allowing Apple to trash the data partition and be confident that you're starting fresh. Almost certainly they verify the signature as part of the "erase and reset settings" process. If you disable SIP and make changes to the system volume, you break the signature, and probably break this feature.

edit: Yup, you got it, I just didn't catch up before responding.
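The seal-and-erase reasoning in the post above, as an added worked model that is not part of the original thread and not Apple's code: a hash-of-hashes over the paths on the system volume stands in for the APFS Merkle seal, paths under /Library, /Applications and /Users are outside it, and the erase step follows the post's hypothesis that the seal is verified before the data volume is discarded. All paths and file bodies are constructed.

```python
"""Model of the Signed System Volume (SSV) seal: third-party kexts and system
extensions live outside it, so installing them does not break it, while patching
a first-party kext with SIP off does.

Added example, not Apple's implementation. APFS seals the system snapshot with a
Merkle tree over the volume's metadata and a signed root hash; here a flat
hash-of-hashes over an in-memory dict stands in for that. The erase step follows
the post's hypothesis that the seal is verified first. Every path is constructed.
"""
import hashlib

SSV_PREFIX = "/System/"   # paths under here are on the sealed system volume


def seal_root_hash(files: dict) -> str:
    """Hash-of-hashes over the sealed subtree, in sorted path order.

    Paths outside SSV_PREFIX (/Library/Extensions, /Library/StagedExtensions,
    app bundles in /Applications, user data) never enter the hash.
    """
    root = hashlib.sha256()
    for path in sorted(files):
        if path.startswith(SSV_PREFIX):
            root.update(hashlib.sha256(path.encode() + b"\0" + files[path]).digest())
    return root.hexdigest()


def seal_intact(files: dict, sealed_root: str) -> bool:
    """True when the current contents still hash to the root sealed at install."""
    return seal_root_hash(files) == sealed_root


def erase_all_content_and_settings(files: dict, sealed_root: str) -> dict:
    """Refuse if the seal is broken; otherwise keep only the sealed system volume."""
    if not seal_intact(files, sealed_root):
        raise RuntimeError("system volume seal broken: reinstall macOS instead")
    return {p: body for p, body in files.items() if p.startswith(SSV_PREFIX)}


def demo() -> dict:
    files = {  # constructed snapshot of a freshly installed Mac
        "/System/Library/Kernels/kernel": b"kernel image",
        "/System/Library/Extensions/AppleHDA.kext/Contents/MacOS/AppleHDA": b"first-party kext",
        "/Users/alice/Documents/notes.txt": b"user data",
    }
    sealed_root = seal_root_hash(files)   # the value that gets signed at install time
    results = {}

    # Third-party kext staged outside the SSV and a system extension inside its app
    # bundle: neither path is under SSV_PREFIX, so the seal is unaffected.
    files["/Library/StagedExtensions/Library/Extensions/VendorAudio.kext/Contents/MacOS/VendorAudio"] = b"vendor kext"
    files["/Applications/Vendor.app/Contents/Library/SystemExtensions/com.vendor.ext.systemextension/Contents/MacOS/ext"] = b"system extension"
    results["third_party_keeps_seal"] = seal_intact(files, sealed_root)

    # Erase: everything outside the SSV is dropped, the sealed system volume survives.
    remaining = erase_all_content_and_settings(files, sealed_root)
    results["survivors"] = sorted(remaining)

    # SIP disabled and a first-party kext patched in place: seal broken, erase refuses.
    tampered = dict(files)
    tampered["/System/Library/Extensions/AppleHDA.kext/Contents/MacOS/AppleHDA"] = b"patched"
    results["tamper_breaks_seal"] = not seal_intact(tampered, sealed_root)
    try:
        erase_all_content_and_settings(tampered, sealed_root)
        results["erase_refused"] = False
    except RuntimeError:
        results["erase_refused"] = True
    return results
```

On a real Big Sur or later Mac the corresponding checks are `csrutil authenticated-root status` (is the seal enforced) and `diskutil apfs list`, which reports the system snapshot as Sealed: Yes or Broken; `kmutil showloaded` lists the kexts currently loaded, whichever volume they came from.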
 
This and FaceZoom seem particularly suited for Apple IT and corporate environments in general.
 
In the drive or in the enclave, the idea is that it's stored somehow and once it's gone it's gone.

So you're telling me FileVault does not actually encrypt the drive? It just turns on this extra layer (door?) of security? I heard encrypting a drive will take a very long time.

Here is another question: if the key is stored in the enclave this means there is storage there. What happens if that goes bad, as we know memory goes bad or dies?

What happens if you back up your drive to an external drive, does it back up the keys too?
 
So you're telling me FileVault does not actually encrypt the drive? It just turns on this extra layer (door?) of security? I heard encrypting a drive will take a very long time.
The drive is hardware encrypted by default, like on iOS. That’s part of what the t2/m1 chip does.
In layman’s terms, FileVault disables the ability for the system to gain access to the files until you tell it to.
Without FileVault turned on, the drive is still encrypted (on machines with t2/m1), but the system has full access upon boot.

An example: with FileVault on you can’t reboot via a remote access session (without special ‘one time’ terminal tricks) and regain access.
With FileVault off you can.
 
In the drive or in the enclave, the idea is that it's stored somehow and once it's gone it's gone.
In the Secure Enclave.
So you're telling me FileVault does not actually encrypt the drive? It just turns on this extra layer (door?) of security? I heard encrypting a drive will take a very long time.
That used to be the case. But, ever since the T2 chip was introduced, turning on FileVault just wraps additional security around the key. (Think house key inside a lockbox.) Try it yourself. On a brand new OS installation on a T2 or M1 Mac, by default FileVault is turned off. Turn it on. macOS will report it as fully encrypted immediately. (On pre-T2 Macs, the computer had to manually encrypt the drive, which did take a long time.)
Here is another question: if the key is stored in the enclave this means there is storage there. What happens if that goes bad, as we know memory goes bad or dies?
You lose your data. Yes, this is a remote possibility. But it is more likely you will have an SSD die than the Secure Enclave. (Remember Apple has been using a Secure Enclave in tens of millions of iPhones and iPads over the past several years. I have never heard of issues with the Secure Enclave. Doesn't mean there aren't cases, just a very low number.)
What happens if you back up your drive to an external drive, does it back up the keys too?
No, remember data read from the drive is decrypted before it gets to the O/S. The O/S is then sending the data to your backup. That is why you should consider encrypting your backups. The keys NEVER leave the computer.
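The key-handling model described in the two posts above (the house-key-in-a-lockbox post earlier in the thread and the reply just above), as an added example that is not part of the original thread and not Apple's code. The "enclave" is a Python object, a toy SHA-256 counter-mode stream cipher stands in for AES-XTS, and the password, sector number and file contents are constructed. It shows the four behaviours the posts describe: data is ciphertext at rest even with FileVault off, turning FileVault on re-wraps the key without touching the flash, a backup taken through the OS is plaintext, and erasing destroys the key while the ciphertext stays physically present.

```python
"""Model of T2/M1-style volume encryption, FileVault as key wrapping, and crypto-erase.

Added example, not Apple's code. The cipher is a toy SHA-256 counter-mode stream
cipher (a stand-in for AES-XTS); the secrets, password and sector are constructed.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || block counter).
    The same call encrypts and decrypts; without `key` the raw flash is useless."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class SecureEnclaveModel:
    """Keeps the volume encryption key (VEK) wrapped; it is never handed to callers."""

    def __init__(self) -> None:
        self._uid = os.urandom(32)    # device-unique secret fused into the chip
        self._salt = b""
        self.filevault_on = False
        vek = os.urandom(32)          # generated once, at install time
        self._check = hmac.new(vek, b"vek-check", hashlib.sha256).digest()
        self._wrapped_vek = keystream_xor(self._kek(None), b"wrap", vek)

    def _kek(self, password):
        """Key-encryption key. FileVault off: derived from the device alone (the
        "key under the mat"). FileVault on: needs the device AND the password."""
        if not self.filevault_on:
            return hashlib.sha256(self._uid + b"default-kek").digest()
        if password is None:
            raise PermissionError("FileVault is on: password required")
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._uid + self._salt, 100_000)

    def _unwrap(self, password) -> bytes:
        if self._wrapped_vek is None:
            raise ValueError("VEK destroyed: volume is unrecoverable")
        vek = keystream_xor(self._kek(password), b"wrap", self._wrapped_vek)
        tag = hmac.new(vek, b"vek-check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._check):
            raise PermissionError("wrong password")
        return vek

    def enable_filevault(self, password: str) -> None:
        """Re-wrap the VEK under a password-derived KEK. No sector is rewritten,
        which is why a T2/M1 Mac reports 'encrypted' the moment FileVault is on."""
        vek = self._unwrap(None)
        self.filevault_on, self._salt = True, os.urandom(16)
        self._wrapped_vek = keystream_xor(self._kek(password), b"wrap", vek)

    def erase(self) -> None:
        """Erase All Content and Settings: destroy the only copy of the VEK."""
        self._wrapped_vek = None

    def sector_io(self, data: bytes, sector: int, password=None) -> bytes:
        """Encrypt on write / decrypt on read for one sector (same XOR both ways)."""
        return keystream_xor(self._unwrap(password), sector.to_bytes(8, "big"), data)


def demo() -> dict:
    enclave = SecureEnclaveModel()
    flash = {}   # sector -> ciphertext: what someone reading the NAND chips sees
    secret = b"constructed: tax return, private keys, embarrassing photos"
    pw = "correct horse battery staple"
    results = {}

    # FileVault off: encrypted at rest, but anyone who can boot the Mac can read it.
    flash[7] = enclave.sector_io(secret, 7)
    results["at_rest_is_ciphertext"] = flash[7] != secret
    results["readable_without_password"] = enclave.sector_io(flash[7], 7) == secret

    # Turning FileVault on only re-wraps the key; the bytes in flash do not change.
    before = flash[7]
    enclave.enable_filevault(pw)
    results["flash_unchanged_by_filevault"] = flash[7] == before
    results["readable_with_password"] = enclave.sector_io(flash[7], 7, pw) == secret
    try:
        enclave.sector_io(flash[7], 7, "wrong password")
        results["wrong_password_rejected"] = False
    except PermissionError:
        results["wrong_password_rejected"] = True

    # A backup taken through the OS receives plaintext; the VEK never leaves the enclave.
    results["backup_is_plaintext"] = enclave.sector_io(flash[7], 7, pw) == secret

    # Crypto-erase: ciphertext still physically present, nothing can decrypt it.
    enclave.erase()
    results["ciphertext_still_in_flash"] = flash[7] == before
    try:
        enclave.sector_io(flash[7], 7, pw)
        results["readable_after_erase"] = True
    except ValueError:
        results["readable_after_erase"] = False
    return results
```

Run `demo()` to get the eight booleans; the only one that comes back False is `readable_after_erase`, which is the whole point of the feature. The `_check` tag is what makes a wrong password fail loudly instead of returning garbage; a real implementation gets the same property from an authenticated key-wrap.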
 
Ok so if Filevault makes it even more secure -while working in the background- why is it not ON by default like on iOS devices?
 
Because the Apple Store Geniuses do not want to have to tell people their data is gone forever over and over and over again when they’ve forgotten their password.
 
There is no FileVault on iOS. It wouldn’t be necessary on iOS as iOS is inherently more secure anyway. And the encryption is on by default like iOS, it’s just that traditional operating systems like macOS don’t work in the same way.

iOS has the Secure Enclave and hardware encryption built in. It’s automatic when you set a passcode. Without the passcode you can’t get to anything.

macOS used to use FileVault for encryption, software encryption. Since the intro of the T and the M chips, they now have a Secure Enclave and work the same as iOS.

FileVault on a Mac now encrypts the system on a system level, meaning background processes can’t work unless the disk is unlocked. Without FileVault it’s still encrypted, it's just not encrypted to the system.
iOS doesn’t allow the same type of background processes or kernel extensions or anything else that could compromise your data at a system level.
 
Here is a good document that explains exactly what you said:

Volume encryption with FileVault in macOS - Apple Support
 
I like it... Now when I can run Monterey on my MBA 2017.

Less than desirable, because while iOS has encryption by default, Mac relies on users to turn on FV, but still useful. Unless you have a T2.
 
Because the Apple Store Geniuses do not want to have to tell people their data is gone forever over and over and over again when they’ve forgotten their password.

Ok, understandable but isn't it the same with iOS? forget your pin and your data is gone forever?

What I am trying to say is encryption (Secure Enclave/T2, however it is) is on by default on iOS and everyone seems happy, so why not do the same with macOS?
 
Sounds like something hackers will figure out to get around someday... I'd rather if they actually wrote garbage to the drive rather than just encrypting the data and swallowing the key...

data that has been encrypted with a modern day standard is not “hackable”. The hack is to get to the key. So if the encryption key is deleted? Your data for every and all intents and purposes no longer exists in this universe.

“Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.”
 
Ok, understandable but isn't it the same with iOS? forget your pin and your data is gone forever?

What I am trying to say is encryption (Secure Enclave/T2, however it is) is on by default on iOS and everyone seems happy, so why not do the same with macOS?
But it IS on by default, the same as iOS. It’s encrypted automatically. That’s what I already wrote several times.

FileVault is an extra layer, nowadays. The disk is already encrypted by default, the same way iOS is. There are just huge differences in the way the two OSes operate, meaning you may want the extra FileVault layer turned on. It potentially limits your system level operations when the computer is locked a little bit, as I mentioned, which is likely why it’s not on by default.

But the disk is encrypted by default
 
Ok, I got it. I thought FileVault was the encryption that is similar to iOS, you just have to enable it and it is OFF by default. I see it's an extra layer on top of the encryption now.
 
Is it secure against a quantum computer? It would be if it were just written over with garbage. And sure, this sounds silly today, but maybe a few years from now (i.e., when you're going to sell the computer), it isn't.
 
Is it secure against a quantum computer? It would be if it were just written over with garbage. And sure, this sounds silly today, but maybe a few years from now (i.e., when you're going to sell the computer), it isn't.
Any hacking of modern crypto (AES 256, for example) by anything thus far, quantum or not, is theoretical, i.e., impossible in any meaningful amount of time with today’s tech. When such a machine exists with the capability then the crypto will be suitably reinforced to be able to defeat it, by using the same technology that the machine that originally defeated it used - quantum computing in your example.
This will happen way way way before it gets in to the hands of ‘common’ hackers.

If you’re worried about data being seized by agencies with the capability before this ‘change’ occurs for the rest of us, then you’re not the sort of person to be just selling a machine with the drive it was written at all. You would destroy the drive physically which is the only way to be sure of anything the future may hold.
 
Is it secure against a quantum computer? It would be if it were just written over with garbage. And sure, this sounds silly today, but maybe a few years from now (i.e., when you're going to sell the computer), it isn't.

If we are going to play future pretend then why wouldn’t a “quantum” computer be able to run trillions to the power of trillions in a few blinks of an eye to figure out what data was written over previous data and dig into the past data?
Or simply in a “couple of years” an ultra quantum(from sky net?) will make all firewalls, passwords and encryptions ineffective and just take your data real time at anytime?
In this world today modern encryption is untenably irretrievable without the key. And if in 2 years a staggeringly new and expensive “quantum”(quantum computer equals years of interesting claims, nothing viable or practical) is set on the task of uncovering your personal data? You’re in bigger trouble than someone has embarrassing pics and your Visa card number.

Sarcasm aside, it’s important that no one should read your post and walk away thinking encrypted data can be decrypted,keyless, or is a year or two away. That’s scare tactic quantum nonsense.
 