OS X El Capitan encryption keys storage

Discussion in 'OS X El Capitan (10.11)' started by f(x), Feb 17, 2016.

  1. f(x) macrumors newbie

    Feb 17, 2016

    I want to know if OS X El Capitan stores the decryption keys for a fully encrypted drive in their Apple corporation computers? When encrypting the full disk, OS X El Capitan says it stores the encryption/decryption keys in iCloud in case you forget your password. So does this mean that Apple or the government can decrypt your hard drive without your permission? Please elaborate. Thanks for your time.
  2. Alrescha macrumors 68020

    Jan 1, 2008
    If you choose to allow your iCloud account to unlock your disk, then clearly Apple must store the keys on Apple servers. If this is a concern, then do not use that option. Presumably your keys would be protected by your iCloud userid and password, but why needlessly create risk?

  3. NoBoMac, Feb 17, 2016
    Last edited: Feb 18, 2016

    NoBoMac macrumors 68000

    Jul 1, 2014
    The option you get when turning on FileVault is not to store the encryption key. What it is offering to store is the recovery key. Should you forget your password(s) for the account(s) on the machine or become corrupt, you can enter your recovery key (if I recall correctly, that option happens after 5 failed attempts using standard login(s)).

    Apple says that the recovery key is encrypted by a key made up of your security question answers. Apple claims that they do not store the answers to your questions, just the questions themselves, and that if you forget the answers to the questions, they cannot recover the recovery key.

    So, to decrypt your drive, someone first needs physical access to it, and then needs either your user password or the recovery key. Bigger issue with all this is choosing a weak password for your user account, since that is what encrypts the encryption key that encrypts the actual disk encryption key. Recovery key does same function: encrypts the encryption key that encrypts the actual disk encryption key. All these keys are stored on your machine.

    As Alrescha said, don't set up your account to use the same password as your Apple ID. Don't use an easy to crack password (read: dictionary attack). And if still concerned, don't save the recovery key with Apple.
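
The key hierarchy described in the last post, as an added example that is not part of the original thread and not Apple's FileVault code: a disk encryption key (DEK) is wrapped by a key-encrypting key (KEK), and the KEK is wrapped once under the login password and once under the recovery key. All function names are hypothetical, and the wrap routine is a standard-library stand-in for a real key-wrap algorithm such as AES key wrap.

```python
import hashlib, hmac, secrets

def derive(secret: str, salt: bytes) -> bytes:
    # Stretch a password or recovery key into a 32-byte wrapping key.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(wrapping_key: bytes, key: bytes) -> bytes:
    # Stand-in for AES key wrap (stdlib only): keystream XOR plus a tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _mac(wrapping_key, b"enc", nonce)))
    return nonce + ct + _mac(wrapping_key, b"tag", nonce + ct)

def unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(wrapping_key, b"tag", nonce + ct)):
        raise ValueError("wrong secret")
    return bytes(a ^ b for a, b in zip(ct, _mac(wrapping_key, b"enc", nonce)))

def create_volume(password: str, recovery_key: str):
    dek = secrets.token_bytes(32)  # encrypts the disk blocks
    kek = secrets.token_bytes(32)  # encrypts the DEK
    meta = {"wrapped_dek": wrap(kek, dek), "slots": {}}
    for name, secret in (("password", password), ("recovery", recovery_key)):
        salt = secrets.token_bytes(16)
        meta["slots"][name] = (salt, wrap(derive(secret, salt), kek))
    return dek, meta  # meta is what sits on the machine; dek is returned for checking

def unlock(meta: dict, secret: str) -> bytes:
    # Either slot releases the same KEK, and with it the same DEK.
    for salt, wrapped_kek in meta["slots"].values():
        try:
            kek = unwrap(derive(secret, salt), wrapped_kek)
        except ValueError:
            continue
        return unwrap(kek, meta["wrapped_dek"])
    raise ValueError("no slot accepts this secret")

def change_password(meta: dict, old: str, new: str) -> None:
    # Only the password slot is rewritten; the DEK and disk data are untouched.
    salt, wrapped_kek = meta["slots"]["password"]
    kek = unwrap(derive(old, salt), wrapped_kek)
    salt = secrets.token_bytes(16)
    meta["slots"]["password"] = (salt, wrap(derive(new, salt), kek))
```

Because every stored slot can be tested offline by anyone holding the disk metadata, the strength of the whole chain is that of the weakest secret protecting a slot, which is why the password advice in the thread matters.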
