Which FileVault 2 recovery option is more secure - storing the recovery key in iCloud, or saving it somewhere yourself?

Which would be more secure?

The answer to this can only be determined by you.

What you have to do is find the balance between usability and security, and that balance can only be determined by what you are comfortable with.

It's not so much where you store your passwords/recovery keys/etc. but how you store them. There are many levels of encryption that you could employ, from basic AES-256 to using steganography to embed triple-encrypted, salted and hashed keys.

The more complex you make it, the more secure, the cost being that it becomes more inconvenient to access your data. Likewise, the corollary is also true: the less complex the security, the less secure, but the payback is easier access to your data.

So, what you have to do is a simple risk assessment:

  • The value of the data to you (i.e. what's it worth to you?)
  • The importance of the data (can you live without it?)
  • The cost of the data (how much did/would it cost you to (re)create?)
  • How accessible do you need it (every day, every year, once in a lifetime?)

Granted, this is a very abridged version, but should suffice for this scenario.

Use the answers to these questions to see what makes the most sense, keeping in mind that the moment you place the data on someone else's servers (meaning the cloud) you inherently introduce risk into the equation.

Ahh... but with that last statement, you might be thinking "I should store it offline." That's a possibility, but then you introduce the issue of losing your data should you misplace the device (i.e. a USB flash drive) that you placed it on.

What do I do?

My critical stuff is on a USB that is disguised as an innocent looking object. It's backed up to another USB that is placed in a safe in an undisclosed location.

My "not so critical stuff" is encrypted, then put on a cloud provider for ease of access.

But that's what works for me. YMMV.
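An added example (not code from either answer) of what "encrypted, then put on a cloud provider" looks like for a FileVault 2 recovery key: a POSIX sh script that wraps a constructed sample key in AES-256 with openssl before the file goes anywhere near iCloud or Dropbox. It assumes openssl is installed and that the passphrase file is kept off the cloud.

```shell
#!/bin/sh
# Added example: encrypt a FileVault 2 recovery key before it is stored in a
# cloud folder. Only the ciphertext is safe to sync; the passphrase stays local.
set -eu

# Constructed sample in FileVault's XXXX-XXXX-... format; NOT a real key.
SAMPLE_KEY="ABCD-EFGH-IJKL-MNOP-QRST-UVWX"
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
# Assumption: this passphrase file lives outside any cloud-synced directory.
PASSFILE="$WORKDIR/passphrase.txt"
ENCFILE="$WORKDIR/recovery.key.enc"   # this is the only file to upload

# Accept only the FileVault recovery key shape: six dash-separated groups
# of four upper-case letters or digits. Refusing anything else keeps a typo
# (or a pasted password) from being silently "backed up" as the key.
is_recovery_key() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# encrypt_key <plaintext-key> <out-file> <passfile>
# AES-256-CBC; the key is derived with PBKDF2 (600000 iterations, random salt)
# so a leaked ciphertext still has to be brute-forced through the passphrase.
encrypt_key() {
    is_recovery_key "$1" || { echo "refusing: not a recovery key" >&2; return 1; }
    printf '%s\n' "$1" | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -pass "file:$3" -out "$2"
}

# decrypt_key <enc-file> <passfile>  -> prints the recovered key
decrypt_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -pass "file:$2" -in "$1"
}

# A random 256-bit passphrase; what you actually memorize or keep offline.
openssl rand -base64 32 > "$PASSFILE"
encrypt_key "$SAMPLE_KEY" "$ENCFILE" "$PASSFILE"

# Round trip: ciphertext alone is opaque, ciphertext plus passphrase is the key.
RECOVERED="$(decrypt_key "$ENCFILE" "$PASSFILE")"
echo "recovered key matches original: $([ "$RECOVERED" = "$SAMPLE_KEY" ] && echo yes || echo no)"
```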


Saving it somewhere yourself is more secure as long as that somewhere else is memorized in your own brain. Otherwise the answer to this isn't static.

iCloud can have vulnerabilities and so can Dropbox. Knowing about some vulnerabilities only informs you about those that have become public. Right now we might possibly know about a vulnerability in iCloud, but tomorrow that could be patched and 12 vulnerabilities in Dropbox could be revealed.

I would consider them to be basically equal if you aren't going to memorize the recovery key.

As an aside, I don't memorize my own keys; I keep them in Dropbox using 1Password.