The unique pairing here provides some very important security properties that prevent the memory chips that comprise the SSD itself from being physically removed from the system and connected to a different system, or from having their contents extracted from the chips and flashed onto SSD chips in another system.
Yet more sadness for data recovery companies and those who've lost files and want their services. Full disk encryption has been around for a long time and, well-implemented, will let you recover the encrypted data to transfer to new media (so the DR company can't see your secrets either, but you haven't lost anything.)
IMHO encryption should be opt-in --- contrary to what those advocating it think, not every piece of data I have needs to be encrypted, and I certainly have plenty more personal files that I would rather have become publicly accessible than lost forever. It's a tradeoff between "if someone hacks in, they can read my data too" and "if something goes wrong, no one can read my data, including myself" and I think this tradeoff needs to be a more explicit choice.
Yes, absolutely, 100% agreed. But in real life accidents happen and it's nice to at least have an option of emergency recovery. I'd trade that possibility for extra security, but I suspect most people would not. I think doing it like iPhones do it, where all storage is non-recoverable BUT everything is backed up by default is the best user experience.
It isn’t backed up unless you opt-in for iCloud backup (which is largely encouraged) or perform a regular manual backup using iTunes.
This is largely similar for MacOS with Time-Machine backup (largely encouraged) or iCloud backup (still recent and for now advertised as secondary backup) or a full disk dump by any software you deem appropriate.
I both case the iCloud back-up seems to be the backup method Apple want to promote moving forward. And while I was very reticent for a while, this ultimately is a good move on their part IMHO (tho I’ll personally never stop full disk physical backup). Yes it’s pricy but keeping external hard-drive to date with tech also have a cost beyond initial buying cost (FW->USB2->USB-C HD->SSD) also it’s off site wich need some discipline if you do it yourself. For most users paying a monthly fee to have you mind worry free will be a blessing.
This is pretty much my setup, and one of these days I'll convert the rest of the family.
The odds of your local backup and cloud provider going down simultaneously are slim to none, and at that point I'd start looking out for the Four Horsemen.
But I suspect most of the file types that land in iCloud Document containers, Photo Library, and the rest cover 90% of what most people consider important.
So the thinking goes, You can always re-download the OS and applications if necessary. Internet Recovery is a godsend on a machine that fails to boot.
(Insert 80-90's Mac user rant about the Startup "chime" going away - because POST - and Target Disk Mode being more obscure than it should be)
The fact that home internet connections are just now getting to the point now where this is viable makes iCloud backup less of a pain in the butt than it used to be. Still, I don't trust it entirely because of the hacking risks and the fact that it doesn't grab everything by default.
Notably it’s a per-user backup which can be a no go for shared computer.
But it’s the logic Apple is pushing for years now. iOS devices never got the possibility to be shared because they are considered "personal". And this is also a no go for some people (I think this logic is ok for phone but more discutable for iPad).
By this logic a backup fall into the personal category for Apple so you need an undividual account. Which again make senses in some way. Because with physical backup, if not encrypted, anybody that put his hand on the disk get access to all the data of all the users.
Usually you trust people you share a computer with more that any company, so maybe it’s pushing the logic too far to force use to get an iCloud account.
But from a practical standpoint you can’t either say it’s useless. Kid grow and get his own computer? Just setup iCloud on the new one and he get back all it’s stuff painlessly. Your shared computer crash and you decide to buy two laptops to replace it? Easy to split accounts.
Everything is already easily doable using the migration assistant, assuming you have a backup, but can be easier in the futur for the proverbial layman.
If there is an option for emergency recovery, there is also an option for compromise / theft of data, of leaking personally identifiable data - if you as a company were to throw away a hard drive containing user data and it's recoverable, under the GDPR you could face a €20 million fine. These are very serious concerns.
Encrypt and back-up your data, and don't lose the key.
Same goes for 2FA, if you lose your 2nd factor thing and didn't store the recovery in a safe place, your data should be lost. If there's an option to recover it anyway, your data was insecure anyway and 2FA was a waste of effort.
Again, I don't disagree. But I don't think it's hard to understand that I'm not talking about company policies here - I'm saying that if my grandma spills water on her computer I'd much rather pay someone some money to recover her family pictures than say "sorry grandma, can't do it, but at least no one could steal your data either!". Obviously everyone "should" have backups, but you know, we can sit here and name things that people "should" be doing all day long - that doesn't lead us anywhere.
In general, lack of encryption enables passive surveillance. I think a better solution than opt-in encryption could be on-by-default, with a multi-party recovery scheme.
Yes, you can attach your Bitlocker recovery keys to your Microsoft account. I trust them well enough, since my threat model doesn't include state actors or MS themselves--if they really wanted my data, they could just ship an update to my machine while everything's decrypted anyway.
I can't imagine Apple offering this option -- it doesn't really align with their strengths (privacy first) and weaknesses (data centers). They'd need to fix so much of iCloud first.
> If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password
> If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember
> If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk
Take a look at this blackhat talk from Apple's head of security Ivan Krstic, where he explains the mechanism they use to secure credentials stored in the cloud: https://youtu.be/BLGFriOKz6U?t=22m31s
If you've ever messed up with an encrypted disk, you know it feels just like an unrecoverable hard drive crash.
Which is exactly what it's supposed to feel like, and that's fine if you were aiming for it, but when that isn't what you signed up for, it's pretty much the worst thing ever.
It can also feel like a truly nefarious form of vendor lock-in, if you ever try to migrate to another system, and just happen to notice that now, your disk is totally unmountable for some unexplainable reason. This kind of thing can happen when crossing over to an older version of an alternative OS that doesn't know how to negotiate authentication for proprietary encryption formats, or newer formats that weren't supported at the time of the older OS's install.
So, for consumer hardware that might be received as a birthday gift, I'd say encrypted by default is a terrible idea. For those not carefully and explicitly warned, storing their stuff on an encrypted disk gone wrong, can be like unintentionally throwing it in the trash, setting it on fire and then flushing it down the toilet, except the toilet is a black hole of no return.
We're talking about an Apple iMac Pro here... this isn't a computer that is designed to allow you to move components to a different system. Yes, it is a fully locked-in system, purposefully designed to be as secure as possible. I'm not going to give Apple much grief about that, because it's not like they say you can migrate hardware from one system to the next.
It would be more interesting to know how the T2 chip interacts with external storage and/or alternative (Windows/Bootcamp) operating systems. In both of these cases, one would expect more low-level data portability, which is a more interesting use-case than trying to pull out the NVMe SSDs from a glued together iMac.
Given how simple something like TimeMachine is, a long with a host of web options people really have no excuse anymore. I have everything backed up to a TimeMachine and just for good measure everything also goes to Backblaze. I do not even have to think about it.
I agree. Backblaze is $50/yr for unlimited backup. If your expressed behaviour is that your data isn't worth $50 then I have pretty limited sympathy when you lose it...
Obviously, not everything on a drive is important to keep; in fact, I'd guess that maybe under 10% of a typical user's disk drive is data they would be impacted by if they lost it. Decrypting 100% of the data so that 10% of it is easier to recover at the cost of security seems like a bad idea. Information that would not really be considered 'confidential' could still be used to violate users privacy, including caches, cookies, password hashes, and so forth. In an era where mundane parties like border agents are malicious actors, this becomes more important to the average joe.
If we want to reduce pain points for average users, the best case scenario would be to have intuitive means to allow users to ensure their data is safe and secure, and handled with an appropriate level of privacy (i.e. Tax documents should not be public.) If you can't accomplish that, it feels like all you can do is go back and forth between bad trade-offs.
I don't know. I think security should come first. Also Apple makes it stupidly and unrealistically simple to backup your macos. I remember when it was a pain to backup my windows and having to run through all the files. But Apple's Time Machine is really spectacular at that.
Also encryption done well should not rely on some particular hardware being closed or the algorithm secrete, like this system does, but only on the secrete that the user know, the password or other authentication methods.
Like disk encryption with Linux, you select a robust password, or you can store a key in whatever way you want, you enter your password on boot and unlock the disk, if you PC broke, fine remove the disk from the computer and put it in another. The security lies only in the password you choose, not your particular PC having some kind of closed hardware in which somewhere lies the key (of course).
Backups are opt-in. Encryption is opt-out. Users will just go for the easy, cheap, default option, and lose their data. That is not ok.
I had to recover data for a friend whose MacBook Air failed halfway through the macOS update that reformatted her drive to APFS. I wrote up the process on Medium. If the drive weren't encrypted, it would've been possible to recover from more serious problems (e.g. partial flash memory failure) instead of just the OS issue. Thankfully her files were safe, but the fail-deadly default option for users' data is going to cause a lot of problems for Apple's reputation in future.
Brushing your teeth is also opt-in. But also just a part of basic hygiene.
Backups should be no different, especially when doing them with Time Machine is even less trouble than brushing you teeth.
These use-cases for specialized processors are prime examples of how Apple's software-hardware bundling can give their products some really cool advantages over competitors.
I'm not a security specialist though -- so I'm curious how valuable these extra hardware protections are to the security community at-large.
I know of at least one place where the MacBook Pro fingerprint sensor is approved for authentication, but the only other approved devices are dedicated hardware (security tokens).
I wonder what software they're using, because AFAIK the enclave doesn't provide attestation. So Touch ID is really secure but there's no way to prove to the server that you're using Touch ID. But I guess most hardware tokens don't have attestation either.
>MacBook Pro fingerprint sensor is approved for authentication
does the fingerprint sensor API return a signed response from the fingerprint sensor or SE? or is it a simple yes/no?. if it's the latter, the whole thing is security theater.
It depends on where you're authenticating to. If you're authenticating to yourself, then sure a signature is will just be converted to a yes/no and be no better. But if you're authenticating to a server, the server can do the signature verification, whereas a server looking at a yes/no that a client sends would be mostly useless.
In order to understand Apple’s decision to switch from the older Serial ATA (SATA) interface to the higher-performing Non-Volatile Memory Express or NVMe, we recommend reading Ramtin Amin’s excellent deep-dive into its implementation. The main advantages of using NVMe to provide SSD storage access are that by using all the available parallel operations possible with modern flash-based storage over a four-lane PCIe connection, much better I/O speeds can be achieved compared to older HDD-specific interfaces.
Kinda surprised that this needed an Apple-specific explanation. I mean, didn't all board manufacturers move toward NVMe simply because it's faster than ATA?
The Secure Enclave in the T1 and all iPhones since the 5s has a unique key in the AES engine's silicon, that cannot be read even from the Secure Enclave's firmware.
This key is "tangled" with user-supplied keys for per-device access to data.
I assume the T2 offers this same feature.
See UID in the glossary (page 80) or under Hardware security features (page 12) of the iOS 11 Security Guide
I'd like to know if this will help enable support for more authentication methods at boot time for unlocking full disk encryption, such as Yubikey challenge-response or smartcard PKCS #11. Sort of a drag if you're using token-based login but you still need to memorize a password for FDE.
I'd assume the goal would be to allow macOS to support secure data access with a processor that doesn't necessarily have a TPM. (Assuming you could do the exact same things with a TPM) As for what kind of hardware that might be (ahem ARM) would just be speculation...
The dedicated T2 chip gives Apple more flexibility for the future and control over the present. Both of these things Apple values.
what's the problem with letting the OS know the key? it already has access to all the files! the only use i can think of is some sort of multi-user system where you can't trust the kernel, but if you can't trust the kernel, it's already game over.
that's more of an argument for encrypting filesystem instead of full disk encryption (which I agree would help in that situation), not an argument for having a custom security co-processor. you can accomplish the same thing with TPM: by using PCR sealed keys for the OS files, PCR + password sealed keys for private/personal files, and wiping the second set of keys every time you lock the computer.
Yet more sadness for data recovery companies and those who've lost files and want their services. Full disk encryption has been around for a long time and, well-implemented, will let you recover the encrypted data to transfer to new media (so the DR company can't see your secrets either, but you haven't lost anything.)
IMHO encryption should be opt-in --- contrary to what those advocating it think, not every piece of data I have needs to be encrypted, and I certainly have plenty more personal files that I would rather have become publicly accessible than lost forever. It's a tradeoff between "if someone hacks in, they can read my data too" and "if something goes wrong, no one can read my data, including myself" and I think this tradeoff needs to be a more explicit choice.