Almost locked out of FileVault encrypted MacBook Pro

Or, maybe just how I felt like I nearly locked myself out from my MacBook Pro due to full disk encryption.


By Jacob

Edited: 2023-03-04 11:28

I fell asleep listening to videos on YouTube on my work Mac (M1 – Apple Silicon) last night, and when I woke up I just felt a bit detached – probably because I have too many variables of stress right now – the worst realization after waking up, however, was that my Mac had run out of juice during the night, which meant I had to plug it in and charge it. An event in history that is otherwise a rare occurrence. And... What happens when your Mac wakes up from this near death experience? Well, if you have FileVault on (and you should have), you will be prompted for a password to unlock your computer!

That is not usually a problem for me, because I use passwords that I have memorized. Occasionally I change these passwords and memorize new ones, and that exposes me to the risk of forgetting the new passwords, or even getting confused and mixing up old passes with new ones. I have very few passwords I have memorized, and I never use the same password in two places – everything else is stored in my KeePass password manager.

I set up my for-work Mac about a year ago, and have only had to enter my FileVault password a few times, since I practically never voluntarily turn off or restart my computer. But, there is a system to my FileVault password, so I really should not have problems remembering it. It was a small variation of my MacBook user password. Yet. I forgot.

This morning was absolutely horrifying. I felt detached, confused and forgetful, and had nearly locked myself out from my own life. On top of this sudden problem I was now facing, I also needed to prepare for moving to a new apartment, possibly walk the dog, and wait for someone to pick up an item they bought. Too many variables affecting my mentality. And – had I not managed to unlock my Mac, it would have caused a significant setback and delay in my work and many other things!

I could probably have guessed my FileVault password, but the thing that made the situation more nerve-wracking was the way I configured my Mac: not to show the username on the login screen. The thing is, I was also not sure about my username, or if it was failing because one or the other was incorrect. It also started giving me timeouts, so I was also nervous I might be locked out completely – although, weirdly it stopped with the delays and just started "bouncing" without any errors. What was going on? Was it blocking my unlock attempt because I had typed incorrect credentials too many times? Or was it actually checking my credentials? I just did not know.

Downloaded my Keepass database

My KeePass database with all my passwords is usually stored on my main computers only, for security reasons. And I have disliked and resisted the idea of storing it on my phone, because apps on the phone are often closed source. Apparently Apple's App Store disallows GPL-licensed apps.

Note. The KeePass ecosystem is open source, and your password database can be self-stored, which makes the KeePass ecosystem ideal for password management. You do not want to rely on proprietary software, because the companies may decide to end support, or it can contain unknown and unfixable security holes (because it is closed source).

I had not been using my personal laptop much for some time, and had increasingly grown more dependent on my for-work Mac, even for much personal use. This is just a catastrophic error on my part, because you should never be too dependent on any single device.

Besides the fact that my personal laptop was too far away, it had also been reinstalled with a new encryption key, which of course was stored in the database, because I had the moronic idea it would be more secure if I simply did not know the password myself. Plus. It was left at home, and I was still babysitting this dog at my friend's place – far away from home.

I had a backup of the database in my personal cloud, but the problem was, I also had the password for my cloud stored in the database. And... In any case, I would also need access to another computer to log in to my cloud. However, I did have access to my cloud on my phone, which was still logged in :-) Yay!

In other words, if I did not somehow unlock my mac, I would have faced an intense setback.. Aka. A near death experience! :-p

In my slight state of panic I did something highly unusual for me. I installed an untrusted and untested KeePass app on my iPhone, downloaded my database backup on my phone from my cloud drive, and had a peek inside my database. To my luck, I had actually stored the FileVault recovery key in my KeePass database when I initially set up my Mac (this is due diligence, and so, maybe I was not as close to failure as I felt to be). To my "luck", I was able to use it to unlock my encrypted work computer.

Lesson learned: I will never allow myself to become too dependent on any single device again, and I will always keep backups of my password database offline, as well as in my cloud.

The database file itself is in fact also encrypted, with another, long, password that I have memorized, so it is fairly safe to store in the cloud.
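A backup copy only helps if it is still intact when you need it. The following is an added example, not code from the original post or from the KeePass project, showing how I would sanity-check a stored .kdbx backup: confirm the file still begins with the public KDBX 2.x signature and carries a readable format version, and compare its SHA-256 against the checksum recorded when the backup was made. The signature constants come from the published KDBX file format; the sample bytes and the recorded checksum are constructed inline for the demonstration. The check says nothing about the master password, which continues to protect the encrypted contents either way.

```python
"""Sanity-check an offline or cloud backup of a KeePass 2.x (.kdbx) database.

Added example (not from the original post). The checksum only detects
corruption or tampering of the encrypted container; the entries inside stay
protected by the master password regardless of where the file is stored.
"""
import hashlib
import struct

# KDBX 2.x signature: two little-endian uint32 values at offsets 0 and 4.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67   # KDBX 2.x (KeePass 2); KeePass 1.x .kdb uses 0xB54BFB65


def parse_kdbx_header(data: bytes) -> dict:
    """Return the format version from the first 12 bytes of a .kdbx file.

    Raises ValueError if the data does not look like a KDBX 2.x container.
    """
    if len(data) < 12:
        raise ValueError("file too short to be a KDBX database")
    sig1, sig2, version = struct.unpack("<III", data[:12])
    if sig1 != KDBX_SIG1 or sig2 != KDBX_SIG2:
        raise ValueError("KDBX signature mismatch: not a KeePass 2.x database")
    # The version field stores (major << 16) | minor, e.g. 0x00040000 == 4.0.
    return {"major": version >> 16, "minor": version & 0xFFFF}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole file; record this when the backup is made."""
    return hashlib.sha256(data).hexdigest()


def verify_backup(data: bytes, expected_sha256: str) -> dict:
    """Check a backup blob: valid KDBX header and matching recorded checksum."""
    header = parse_kdbx_header(data)
    digest = sha256_hex(data)
    return {
        "kdbx_version": f"{header['major']}.{header['minor']}",
        "checksum_ok": digest == expected_sha256.lower(),
        "sha256": digest,
    }


# Constructed sample: a KDBX 4.0 signature and version, followed by placeholder
# bytes standing in for the outer header and encrypted payload of a real file.
SAMPLE_BACKUP = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000) + b"\x00" * 52
SAMPLE_CHECKSUM = sha256_hex(SAMPLE_BACKUP)   # what you would have recorded at backup time

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python verify_kdbx_backup.py backup.kdbx <recorded-sha256>
        with open(sys.argv[1], "rb") as fh:
            print(verify_backup(fh.read(), sys.argv[2]))
    else:
        print(verify_backup(SAMPLE_BACKUP, SAMPLE_CHECKSUM))
```

Keep the recorded checksum somewhere other than inside the database it describes (a note with the offline copy, for instance), otherwise you are back to the same circular dependency the story above describes.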

KeePass compatible options for iOS / iPhone

For iOS we have two decent, free, open source options that are both available on GitHub: KeePassium and Strongbox.

When it comes to password managers, open source is simply preferred, as it adds an extra layer of trust in addition to a track record of zero serious security incidents.

I have long held that it is extremely risky to depend too much on proprietary software, because the companies that own the software have been known to end support (e.g. Microsoft with Outlook Express and Live Mail), meaning that the software might break when the OS is updated. This is more critical with password managers, and even more so if the passwords are stored online, as you could actually lose all of your passwords if the service is terminated.

In addition, I also find it harder to trust proprietary software; with open source, the code is open for public review, and any discovered security holes can be immediately fixed. With closed source, we are at the mercy of the owners. There is also a strong argument that software we depend upon should not be owned by corporations, or, that users at least should have a right to change most of the software they use.

Both KeePassium and Strongbox come with free and paid premium capabilities, and they both have their code available on GitHub. Essentially you do not need to pay for the extra premium features, but it is a way to support the development.

Links

  1. keepassium.com
  2. strongboxsafe.com
