Comment by Noaidi

5 hours ago

Apple will do this too. Your laptop encryption key is stored in your keychain (without telling you!). All that is needed is a warrant for your iCloud account and they also have access to your laptop.

sixcolors.com/post/2025/09/filevault-on-macos-tahoe-no-longer-uses-icloud-to-store-its-recovery-key/

> Your laptop encryption key is stored in your keychain

Probably not if one is not using Apple cloud on their laptops.

> stored in your keychain (without telling you!)

How to verify that? Any commands/tools/guides?

Thanks, that's good to know. I suspect WhatsApp's "we're fully E2E encrypted" would be similar too.

  • It's most software. Cryptography is user-unfriendly. The mechanisms used to make it user friendly sacrifice security.

    There's a saying that goes "not your keys not your crypto" but this really extends to everything. If you don't control the keys something else does behind the scenes. A six digit PIN you use to unlock your phone or messaging app doesn't have enough entropy to be secure, even to derive a key-encryption-key.

    If you pass a KDF with a hardness of ~5 seconds a four digit PIN to derive a key, then you can brute force the whole 10,000 possible PINs in ~13 hours. After ~6.5 hours you would have a 50% chance of guessing correctly. Six digit PIN would take significantly longer, but most software uses a hardness nowhere near 5 seconds.

    • Take it a step further, even - "End-to-End-Encryption" is complete security theater if the user doesn't control either end.

      We joke and say that maybe Microsoft could engineer a safer architecture, but they can also ship an OTA update changing the code ad-hoc. If the FBI demands cooperation from Microsoft, can they really afford to say "no" to the feds? The architecture was busted from the ground-up for the sort of cryptographic expectations most people have.
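An added example, not part of any comment in this thread: the PIN search-time arithmetic from the KDF comment above, generalized to other PIN lengths and to a KDF cost measured on the local machine. It assumes offline guessing with no attempt limit or hardware-bound key; the function names and the 100,000-iteration PBKDF2 setting are constructed for illustration.

```python
import hashlib
import os
import time


def measure_kdf_seconds(iterations, trials=3):
    """Best-of-N wall time for one PBKDF2-HMAC-SHA256 derivation."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"000000", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def exhaust_hours(keyspace, seconds_per_guess, parallel=1):
    """Hours to try every candidate; the expected time to a hit is half this."""
    return keyspace * seconds_per_guess / parallel / 3600


def min_pin_digits(target_hours, seconds_per_guess, parallel=1):
    """Shortest all-digit PIN whose full keyspace costs at least target_hours."""
    digits = 1
    while exhaust_hours(10 ** digits, seconds_per_guess, parallel) < target_hours:
        digits += 1
    return digits


def report(seconds_per_guess, label):
    """Print full and expected search times for common PIN lengths."""
    print(f"{label}: {seconds_per_guess:.4f} s per derivation")
    for digits in (4, 6, 8):
        full = exhaust_hours(10 ** digits, seconds_per_guess)
        print(f"  {digits}-digit PIN: full {full:,.2f} h, expected {full / 2:,.2f} h")
    year = 24 * 365
    print(f"  digits needed for a one-year search: {min_pin_digits(year, seconds_per_guess)}")


if __name__ == "__main__":
    report(5.0, "5 s KDF from the comment")
    # 100_000 iterations is a constructed sample setting, not any product's value.
    report(measure_kdf_seconds(100_000), "PBKDF2-HMAC-SHA256 on this machine")
```

The `parallel` argument divides the time by the number of independent guessing workers, which is why a per-derivation cost alone does not bound the search time.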

Wrong.

You can (and should) watch all of https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s for the details about how iCloud is protected by HSMs and rate limits to understand why you’re wrong, but especially the time-linked section… instead of spreading FUD about something you know nothing about.

  • You can say anything you want in a YouTube video or a whitepaper. It doesn't have to correspond to your security architecture.

    Where's the source code? Who audits this system?