[cryptography] Question About Best Practices for Personal File Encryption

Jeffrey Walton noloader at gmail.com
Sun Aug 17 02:08:53 EDT 2014


On Sun, Aug 17, 2014 at 12:09 AM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
> On 2014-08-16, at 4:51 PM, David I. Emery <die at dieconsulting.com> wrote:
>
>> On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote:
>>> The comment about Apple is simply false. Apple does not have a key to
>>> FileVault2 unless you escrow your key with them. I know this because a dear
>>> friend recently passed, and his family was not able to gain access to his
>>> encrypted drives through Apple.
>>
>>       You may be right or may not, but I certainly have to think that
>> if there is a backdoor password to Filevault2 it is quite likely that
>> Apple would not choose to disclose that fact to just some random user
>> who had lost files due to forgotten passwords.
>
> Right. We don’t know whether Apple escrows the key in the absence of
> people asking them to, but we do know that they do offer to store a
> “recovery” key when someone sets up FileVault2.

Did you know OS X ships the Keychain off to the iCloud in 10.9?
http://www.apple.com/osx/whats-new/#icloud-keychain.

> So an instance of Apple being able to help someone recover their FileVault2
> data proves absolutely nothing.

Did you know Apple did not revoke the defective FileVault2 binary? Who
needs an angry maid when you can downgrade to a defective binary that
spews the user password into a log?
http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963

Jeff

