How does FileVault generate the key?

How does FileVault generate a recovery key? From my user password? Does FileVault use the same key to decrypt the disk on startup as the recovery key? Are they identical?

I probably know the answers to these questions, but I want to be sure.

How does FileVault 2 work?


The general principle used by FileVault is the same as for any encryption scheme which allows more than one password to access the data (such as LUKS, which is commonly used in Linux environments). To summarise:

  • A key called the MEK (media encryption key) is used to encrypt and decrypt the data.
  • A key called the KEK (key encryption key) is used to generate a ciphertext version of the MEK, which we'll call X. The value of X is stored alongside the data, e.g. in a filesystem header.
  • A series of passwords (such as your user password and a recovery password), e.g. P₁ and P₂, are passed to a standardised key derivation function to generate corresponding encryption keys that are used to generate ciphertext versions of the KEK. Let's say that the ciphertext version of the KEK generated using P₁ is C₁, and likewise, P₂ yields C₂. The values C₁ and C₂ are stored alongside X.

Now, if you know one of the passwords, you can provide it to decrypt the data. For example, if you know P₂, you can decrypt C₂ to find out the KEK. Once you know the KEK, you can decrypt X to find out the MEK. Once you know the MEK, you can decrypt the data.

This scheme allows easy addition, removal, and alteration of passwords used to access the data, since this simply requires altering the set of stored Cᵢ values. No re-encrypting of the data itself is necessary, since the MEK being used doesn't change.


In LUKS, these places to store a Cᵢ value are called "keyslots", and LUKS provides eight such keyslots.

In APFS, all such Cᵢ values are stored together in a data block called a "keybag" — in principle, the size of this keybag is unbounded, but in current practice, it's typically large enough for 7 keys. When you set up authorised users and passwords in FileVault preferences, one of these slots is used to store a Cᵢ which can be decrypted using the recovery password that is displayed to you.
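The MEK / KEK / Cᵢ layering described in the answer above, as an added example that is not part of the original answer and is not FileVault's or LUKS's code. All function names, the header layout and the iteration count are assumptions made for illustration, and `wrap()` is a toy stand-in for a real key-wrap cipher such as AES key wrap, used only because the Python standard library has no AES.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor, chosen for this example

def derive(password: str, salt: bytes) -> bytes:
    """Password P_i -> 32-byte key via a standard KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def wrap(key: bytes, secret: bytes) -> bytes:
    """Toy stand-in for AES key wrap (stdlib has no AES): XOR pad plus MAC tag."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(secret, pad))
    return nonce + body + hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError when the key is wrong."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted blob")
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

def add_slot(header: dict, kek: bytes, name: str, password: str) -> None:
    """Store C_i: the KEK wrapped under the key derived from password P_i."""
    salt = secrets.token_bytes(16)
    header["slots"][name] = (salt, wrap(derive(password, salt), kek))

def create_volume(passwords: dict) -> tuple:
    """Pick random MEK and KEK; the header keeps only X and the C_i values."""
    mek, kek = secrets.token_bytes(32), secrets.token_bytes(32)
    header = {"X": wrap(kek, mek), "slots": {}}
    for name, password in passwords.items():
        add_slot(header, kek, name, password)
    return header, mek

def unlock(header: dict, password: str) -> tuple:
    """Try each slot: P_i -> C_i -> KEK -> X -> MEK. Returns (kek, mek)."""
    for salt, wrapped_kek in header["slots"].values():
        try:
            kek = unwrap(derive(password, salt), wrapped_kek)
        except ValueError:
            continue  # this slot belongs to a different password
        return kek, unwrap(kek, header["X"])
    raise PermissionError("no slot opens with this password")
```

Revoking a password is `del header["slots"][name]`, and adding one is `add_slot()` with the KEK from any successful `unlock()`; in both cases X and the MEK stay the same, so no data is re-encrypted.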


FileVault uses the user's login password as the encryption pass phrase. It uses the AES-XTS mode of AES with 128 bit blocks and a 256 bit key to encrypt the disk, as recommended by NIST.[12][13] Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down.[3]

...

Master passwords and recovery keys

When FileVault 2 is enabled while the system is running, the system creates and displays a recovery key for the computer, and optionally offers the user to store the key with Apple. The 120 bit recovery key is encoded with all letters and numbers 1 through 9, and read from /dev/random, and therefore relies on the security of the PRNG used in macOS. During a cryptanalysis in 2012, this mechanism was found safe.[15]

Changing the recovery key is not possible without re-encrypting the File Vault volume.[3]

https://en.wikipedia.org/wiki/FileVault#FileVault_2