Question

[macOS Mojave 10.14.6]

I created a bootable external SSD. I apparently didn't follow the traditional path of installing macOS and then enabling FileVault later in settings. Instead, I formatted the new drive using Disk Utility (using APFS/GUID) and enabled encryption there, setting a password at the time of its creation.

I then installed macOS on the already-encrypted drive (it asked me to enter the password, unlocked the drive, and then proceeded with installation). Somewhere along the way, it asked me if I wanted my iCloud account to be able to recover the disk in case I forgot my password. I foolishly chose iCloud before understanding the implications and risks (i.e. I later learned about Elcomsoft).

Now, when I go into settings, it shows that FileVault is enabled; however, it does not say anything about a personal recovery key, iCloud, or anything else. It just says that it's enabled, and offers me the option to "Turn Off FileVault". I did some digging and discovered some commands:

caffeinatedbits ~$ sudo fdesetup isactive
true
caffeinatedbits ~$ sudo fdesetup status -extended
FileVault is On.
FileVault master keychain appears to be installed.
Volume is APFS. (FileVault Enabled)
caffeinatedbits ~$ sudo fdesetup usingrecoverykey
This command is not supported on APFS volumes.
caffeinatedbits ~$ sudo fdesetup haspersonalrecoverykey
false
caffeinatedbits ~$ sudo fdesetup hasinstitutionalrecoverykey
false

I can't seem to find anything conspicuous in my iCloud keychain. Just the basic records.

Question #1: How can I verify that my iCloud account has a recovery key?

Question #2: How do I remove that key so that my iCloud account can NOT be used to unlock my drive?


Solution

You can run this command from the terminal to verify that your iCloud account has a recovery key:

sudo fdesetup list -verbose -extended

The list should include your OS users as well as an "iCloud Recovery Record".

The easiest way to remove the recovery key from the GUI is simply to disable FileVault 2 and then enable it again afterwards (this time do not store the recovery key in iCloud, of course). The process does take considerable time, but you can use the computer while it processes.
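
A scripted form of the check described in the answer, added here as an example (it is not part of the original answer): it reads `fdesetup list -extended` output and fails when an "iCloud Recovery Record" line is present, which makes it usable for confirming the record is gone after FileVault has been re-enabled. The function names, the sample listing's column layout, its UUIDs and its user name are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag a FileVault volume that iCloud can still unlock.

# Reads a listing on stdin and prints the lines naming an iCloud recovery
# record. Returns 0 if at least one was found, 1 otherwise. The label is the
# one quoted in the answer, matched case-insensitively.
find_icloud_record() {
    grep -i 'iCloud Recovery Record'
}

# Counts the records in a listing, i.e. the lines that carry a UUID.
count_records() {
    grep -E -c '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}' || true
}

# Constructed sample input; layout, UUIDs and user name are assumptions.
sample_listing() {
    cat <<'EOF'
ESCROW  UUID                                  TYPE USER
        11111111-2222-3333-4444-555555555555  OS User exampleuser
        AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE  iCloud Recovery Record
EOF
}

# Reads a listing on stdin, reports the result, returns 1 when iCloud is
# still a recovery path and 0 when it is not.
audit() {
    listing=$(cat)
    total=$(printf '%s\n' "$listing" | count_records)
    if hit=$(printf '%s\n' "$listing" | find_icloud_record); then
        echo "FAIL: $total record(s); iCloud can unlock this volume:"
        echo "$hit"
        return 1
    fi
    echo "OK: $total record(s), no iCloud recovery record"
    return 0
}

# Demonstration on the constructed sample. On a Mac, pipe the real listing:
#   sudo fdesetup list -verbose -extended | audit
sample_listing | audit || true
```
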

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange