It is *remarkably* difficult to find something authoritative on this, but: how is an iCloud escrowed Filevault key protected? It can't be the iCloud password because that can be reset (although I guess that could just invalidate the key and then trigger re-escrow), it can't be your local password because if you know that you don't need the escrowed key in the first place - so what's going on?
(Ignore the corp escrow case, I only care about individual users escrowing with Apple here)
@mjg59Matthew Garrett According to this article [1], if FileVault is set up prior to Tahoe, the iCloud account recovery option stores the key accessible to Apple (not E2EE). If FileVault is newly enabled on Tahoe, then it stores the key in iCloud Keychain. I tested it just now--the previous iCloud account recovery method indeed was not presented as an option, and the key was present in Passwords.app [2].
"Or you could opt to use iCloud escrow, where the key was stored as part of your data on Apple’s servers without strong security"
[1] https://sixcolors.com/post/2025/09/filevault-on-macos-tahoe-no-longer-uses-icloud-to-store-its-recovery-key/
[2] https://support.apple.com/guide/passwords/filevault-recovery-key-mchl307c4fa9/2.0/mac/26
FileVault on macOS Tahoe uses iCloud Keychain to store its Recovery Key
In macOS 26 Tahoe, Apple has updated how it manages encryption keys in FileVault, the feature that protects your Mac’s data volume by encrypting it. Users with existing choices won’t be…
sixcolors.com · Six Colors
Link author: 
Glenn Fleishman@glennf@zeppelin.flights
If you have a fediverse account, you can quote this note from your own instance. Search https://infosec.exchange/users/SolTwoOne/statuses/115947345765751675 on your instance and quote it. (Note that quoting is not supported in Mastodon.)
