lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

35258997: fdesetup changerecovery deletes recovery keys (10.13.1/17B46a) #18782

Open openradar-mirror opened 6 years ago

openradar-mirror commented 6 years ago

Description

Area: Terminal

Summary: fdesetup will delete the FileVault 2 Recovery Key on a "changerecovery -personal" operation if given A) an incorrect password or B) the valid password of a user who is not the current console user. This is a security bug that results in data loss.

Steps to Reproduce:

1. Install 10.13, update to beta 5 (occurs in betas 1-4 also)
2. Enable FileVault via Security Preference pane, note the recovery key
3. Allow encryption to finish
4. Add another user via Users and Groups preference pane
5. Open Terminal
6. Run: fdesetup list
7. Note there should be 3 entries: the two users and (null) the recovery key entry
8. Run "fdesetup changerecovery -personal"
9. Supply either: A) an incorrect password B) the 2nd user created who is not the current console user
10. Run: fdesetup list
11. Note (null) is not there
12. Run: fdesetup validaterecovery
13. Enter recovery key given at encryption, it returns false, the recovery key has been deleted

Expected Results: When running "fdesetup changerecovery -personal"

A) An incorrect password should simply error out with "Error: Unable to unlock FileVault." and exit with exit status 11

B) Given ANY valid FileVault 2 password generate a new key

Actual Results: In both cases, A) incorrect password given and B) password of non-console user given:

"Error: Unable to change key", with exit status 136

!!! Recovery key is deleted !!!

Version/Build: 10.13.1/17B46a (beta5)

Configuration: Tested on APFS not converted from JHFS+. 10.13 installed via createinstallmedia to non-encrypted APFS container. Drive was not converted. APFS drive created using 10.13 Disk Utility.

Notes/Regression: The behavior did not occur in 10.7, 10.8, 10.9, 10.10, 10.11 or 10.12. Regression is new to 10.13. It is also counter to the advice given in the man page of fdesetup(8): "It is not recommended that you remove all recovery keys since, if you lose your FileVault password, you may not be able to access your information." This is precisely what this behavior is doing. Also the typo "volune" appears in the man page as well.

- Product Version: 10.13.1/17B46a
- Created: 2017-10-30T21:42:02.630980
- Originated: 2017-10-30T00:00:00
- Open Radar Link: http://www.openradar.me/35258997
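
A before-and-after guard for the behaviour reported above, as an added example that is not part of the original radar or of Apple's tooling. The function names, the `--run` switch and the sample listings are constructed for illustration, and the layout of the "(null)" line in `fdesetup list` output is an assumption based on the report's description.

```sh
#!/bin/sh
# Added example: flag a changerecovery attempt that removed the recovery key.
# Constructed sample `fdesetup list` output. User names and UUIDs are
# placeholders; the "(null)" line layout is assumed from the report.
SAMPLE_BEFORE='alice,00000000-0000-0000-0000-000000000001
bob,00000000-0000-0000-0000-000000000002
(null),00000000-0000-0000-0000-000000000003'
SAMPLE_AFTER='alice,00000000-0000-0000-0000-000000000001
bob,00000000-0000-0000-0000-000000000002'

# has_recovery_entry LIST_OUTPUT
# Succeeds when the listing still contains the "(null)" recovery key entry.
has_recovery_entry() {
    printf '%s\n' "$1" | grep -qF '(null)'
}

# classify_change BEFORE AFTER EXIT_STATUS
# Compares the listings taken around the command and prints one verdict.
classify_change() {
    if ! has_recovery_entry "$1"; then
        echo "no-key-before"        # nothing to lose, nothing to compare
    elif ! has_recovery_entry "$2"; then
        echo "key-lost"             # the outcome the report describes
    elif [ "$3" -eq 0 ]; then
        echo "changed"              # command succeeded, entry still present
    else
        echo "failed-key-intact"    # command failed without removing the entry
    fi
}

# Live use on a Mac, as root: sh check.sh --run
if [ "${1:-}" = "--run" ] && command -v fdesetup >/dev/null 2>&1; then
    fde_before=$(fdesetup list)
    fde_status=0
    fdesetup changerecovery -personal || fde_status=$?
    fde_after=$(fdesetup list)
    fde_result=$(classify_change "$fde_before" "$fde_after" "$fde_status")
    echo "exit status $fde_status: $fde_result"
    # A non-zero exit lets a management script alert on the lost key.
    [ "$fde_result" != "key-lost" ] || exit 1
fi
```
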

anikishore commented 6 years ago

Area: Terminal

Summary: Generating a new recovery key with the old value is not working in 10.13.1; it is accepting only credentials. I tried giving the recovery key in a plist file, and it throws an error at the terminal: Error: Unable to unlock APFS FileVault with supplied authentication.

Though it was already unlocked, and I could see the users have a secure token as well.

I was able to successfully automate generating a new personal key by passing the old recovery key in a plist file on builds earlier than 10.13.