FileVault curiosity

Joined
Jan 1, 2009
Messages
15,586
Reaction score
3,913
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Not a problem, as such, but just a curious event when I tried to enable FV on my 2021, MBP 16" M1 Pro machine. I had been thinking about doing that because Ventura (and maybe Monterey) changed how FV works and is implemented. If you want more on that, read this: Explainer: FileVault. In a nutshell, FV is a lot less troublesome than it used to be.

Anyway, I had decided I wanted to go ahead with FV, so today I opened Settings, Privacy & Security and turned on FV. The system asked for an admin password, which I supplied, but then, instead of asking me if I wanted a recovery key or to use my AppleID as an unlock, it defaulted to a recovery key, but then simply said that the key had been generated for my "company, school, or institution."

Huh? This is my machine, never associated with any such company, school, or institution. Tried again and got the same result.

Got into a chat with Apple support. Dan, the support tech, asked if I had any profiles (System, Privacy & Security, Profiles). I didn't. Dan then gave me two files to look for, delete, and then boot and try again. I found the files, moved copies to a safe place, deleted them, said goodbye to Dan because the reboot was going to end the chat, and then rebooted. Problem solved. Re-implemented FV, got the prompt to make a choice and chose the AppleID recovery. Smooth as silk.

So, if anybody decides to turn on FV on an Mx Mac and gets the same strange behavior, what you do is go to /Library/Keychains and look for "FileVaultMaster.keychain" and "FileVaultMaster.cer" and get rid of them. Make sure you are in "/Library...." and not your own Library ("~/Library" or "/Users/<<you>>/Library").

What is curious is that having deleted those files and enabling FV, they don't seem to be regenerated. So part of my exploration of this event is going to be trying to find out where they initiated in the first place. If it turns out to be interesting, I'll post more.

In the meantime, if you use FV in Ventura and see the same behavior, I hope this helps.

Now, I'm off to find out what those two files are.
 

IWT


Joined
Jan 23, 2009
Messages
10,338
Reaction score
2,260
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sonoma 14.5 Apple 5K Retina Studio Monitor
Very useful info, Jake.

I, for one, will not engage with FV, but for those who contemplate doing so, your post will be much appreciated.

Ian
 
MacInWin (OP)
I did some digging and the two files that were removed are associated with Apple's MDM (Mobile Device Management) system. I've not ever used that, so I did some more digging. I noted that Apple's MDM has some payloads, including some for FileVault (read this: MDM payload list for Mac computers). So, I used Find Any File to see if any of those appeared anywhere on my boot drive and I found all three associated with FileVault were part of iMazing. If you have iMazing installed, you can see if you have these on your system as well.

FileVault
  com.apple.MCX
  com.apple.MCX.FileVault2
  com.apple.security.FDERecoveryKeyEscrow

Next I opened iMazing and there on the menu was this:
[screenshot: Screenshot 2023-08-15 at 10.56.44 AM.jpg]

I clicked on "Configurator" and got this as part of the iMazing options:
[screenshot: Screenshot 2023-08-15 at 10.56.18 AM.jpg]

So, I think that iMazing may have put those two files into the Library. Maybe in anticipation of me using the function on that menu? Significantly, running iMazing did NOT put those files back in /Library/Keychains, so I may be wrong on that.

Next, I used a hex editor to open the two mystery files and found one reference to where the recovery key may have been sent: new-host-4.home.

Researching that location leads down a very deep rabbit hole of networking, but more than one reference was to this type of address appearing when there are multiple routers in the network, and where there may be conflict as each router tries to be the boss and surveys the connected devices. I do have two routers, one in Bridge mode and the other as the controller (DHCP controller). It may be possible that in setting that up both were in control mode at the same time, which would then temporarily create a "new-host" name for my MBP. iMazing appears to have grabbed that name and used it as the destination for the FV Recovery Key. Fast forward a year and now I try to turn on FV and the system sees the two files put in /Library/Keychains by iMazing and sends the key to that location, which doesn't exist anymore. At least that appears to be possible, from my research.

Bottom line, deleting those two files allowed FV with AppleID as recovery, which is what I wanted. If you have iMazing, it might be interesting to see if those two files are in your /Library/Keychains folder as well.

Other than that, I would have zero clue how they got on my system.

FV seems to be working fine. If you do some reading, you will find that FV2 is significantly different from the original, and well worth considering, particularly on Mx Macs.
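A script that checks for the two artifacts named in the first post and for the FileVault/escrow payload identifiers listed above, as an added example that is not from the thread, Apple or iMazing. It assumes the keychain directory is passed as an argument (default /Library/Keychains), that FileVaultMaster.cer may be DER or PEM encoded, and that fdesetup and profiles are run on macOS, as root, for system-level results.

```shell
#!/bin/sh
# Added example (not from the thread, Apple or iMazing): audit a Mac for stale
# institutional FileVault recovery-key artifacts before enabling FileVault.

# Artifact names from the thread; they live in /Library/Keychains, not ~/Library.
IRK_FILES="FileVaultMaster.keychain FileVaultMaster.cer"

# Show subject/issuer/validity of the .cer to see who holds the recovery key.
# Assumption: file may be DER or PEM encoded, so try both. Needs openssl.
describe_cert() {
    cert="$1"
    command -v openssl >/dev/null 2>&1 || { echo "  (openssl missing, skipping details)"; return 0; }
    openssl x509 -inform DER -in "$cert" -noout -subject -issuer -dates 2>/dev/null \
      || openssl x509 -inform PEM -in "$cert" -noout -subject -issuer -dates 2>/dev/null \
      || echo "  (could not parse $cert as an X.509 certificate)"
}

# Report IRK artifacts in a directory (parameter, so a copy can be checked).
# Returns 1 if any artifact is present, else 0.
check_irk_dir() {
    dir="$1"
    found=0
    for name in $IRK_FILES; do
        if [ -e "$dir/$name" ]; then
            found=1
            echo "FOUND: $dir/$name"
            case "$name" in *.cer) describe_cert "$dir/$name" ;; esac
        fi
    done
    [ "$found" -eq 0 ] && echo "No institutional recovery key artifacts in $dir"
    return "$found"
}

# macOS only: FileVault state and installed profiles carrying the FileVault or
# escrow payload identifiers from the thread. Assumption: run as root to see
# system-level profiles (fdesetup and profiles are Apple's CLI tools).
macos_extras() {
    command -v fdesetup >/dev/null 2>&1 && fdesetup status
    if command -v profiles >/dev/null 2>&1; then
        profiles show 2>/dev/null | grep -E 'com\.apple\.MCX|FDERecoveryKeyEscrow' \
          || echo "No FileVault/escrow payload identifiers in installed profiles"
    fi
}
main() {
    status=0
    check_irk_dir "${1:-/Library/Keychains}" || status=$?
    macos_extras
    return "$status"
}
main "$@"
```

A non-zero exit means an institutional recovery key is present and FileVault would escrow to whoever holds the matching private key rather than to your AppleID.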
 

Rod


Joined
Jun 12, 2011
Messages
9,741
Reaction score
1,923
Points
113
Location
Melbourne, Australia and Ubud, Bali, Indonesia
Your Mac's Specs
2021 M1 MacBook Pro 14" macOS 14.4.1, Mid 2010MacBook 13" iPhone 13 Pro max, iPad 6, Apple Watch SE.
While I remain a little reluctant about initiating File Vault on my MBP, I did read the article from The Eclectic Light Company and I was particularly interested in this:

Time Machine backup disks

When you first set up Time Machine backups to APFS storage, macOS now encourages you to use APFS (Case-sensitive, encrypted) format. This is most important for backup storage that you might take with a notebook, but it makes good sense to encrypt those backups whatever.

Thanks, Jake, for bringing the topic to my attention again.
 
