Comment by SubmindAlpha66

15 days ago

Nah, Apple doesn't do this.

If the user's macOS FileVault disk encryption key is "stored in iCloud", it resides in the user's iCloud Keychain, which is end-to-end encrypted. This creates a situation similar to the iPhone, where Apple does not have the ability to access the user's data and therefore cannot comply with a warrant for access (which really annoys organizations like the FBI and Interpol).

I'm sorry, but you're wrong, and wrong in a way that is dangerous. You're conflating two separate things.

> If the user's macOS FileVault disk encryption key is "stored in iCloud", it resides in the user's iCloud Keychain, which is end-to-end encrypted.

First: Keychains synced to iCloud are encrypted end to end, as is iCloud Keychain.

However: when you set up FileVault, you are prompted to escrow your keys in the cloud. If you do that, those keys are NOT end-to-end encrypted.

Further: this is an explicit user feature. It is how "cloud unlock" of a machine with FileVault works. Apple also offers Advanced Data Protection, which is more akin to what you're describing, but requires opting in.

> This creates a situation similar to the iPhone, where Apple does not have the ability to access the user's data and therefore cannot comply with a warrant for access

Another potentially dangerous statement: while this is true for a locked phone, if you use iCloud backups for your device with the "standard" level of protection, Apple stores the backups and maintains key escrow.

You've made some statements in an absolute form that go beyond wrong to being actively dangerous to users. Please re-align yourself to reality here https://support.apple.com/en-us/102651#standard and the services security section at https://help.apple.com/pdf/security/en_US/apple-platform-sec...

  • And by the way, the situation is improved in Tahoe and closer to what you've described, but it's still not a guarantee if you upgraded from an older version.