This firewall issue isn't the only privacy feature stripped from the Big Sur release. Unfortunately no big media outlet cares about the other huge problems Apple introduced.
My only hope is that they will also fix full disk encryption in this update, since Big Sur broke installation of macOS on passphrase-encrypted disk partitions.
I bought into the M1 hype and now it turns out that you are no longer able to have a separate password for the disk encryption.
How do you know it's "by design"? By default macOS was always using this encryption scheme, but there was always the possibility to have an optional FDE. Now this is broken and I can't even manage to get macOS installed when any encrypted partition is present, since it also causes the installer to fail.
I obviously find it an absolutely terrible "design" decision, since there is no way on earth anyone can count a disk encryption key that is unlockable by a user password or FaceID as secure.
PS: If someone has any idea how having a separate boot password can be hacked around, I'd really appreciate the advice.
A way to bypass it _should_ be possible, but will entail having the System volume of the volume group have different properties than the Data part.
Otherwise the OS will fail to load. (On Apple Silicon Macs, macOS is fully booted already when you input the password, so if you encrypt macOS...)
On older Macs, a Preboot UEFI application prompts you for the password prior to booting.
What you can do as a workaround:
Create a second account which you'll only use to unlock the drive, then run sudo fdesetup add -usertoadd unlockUser and then sudo fdesetup remove -user PrimaryUser.
That'll give the right to unlock the drive only to that unlock user.
You can also use sudo fdesetup removerecovery -personal to destroy the ability of the recovery key to unlock the drive.
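After running the fdesetup commands above, the check a practitioner would want is that the primary account really is no longer FileVault-enabled. The following is an added example, not code from the thread: it assumes `sudo fdesetup list` prints one "username,UUID" line per enabled user, and feeds the helper constructed sample output so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): verify that only the dedicated unlock
# account remains FileVault-enabled after `fdesetup remove -user PrimaryUser`.
# Assumption: `fdesetup list` prints one "username,UUID" line per enabled user.
# The sample lists below are constructed; on a real Mac pass "$(sudo fdesetup list)".

# fv_only_users LIST USER... : return 0 when exactly the named users are enabled
# in LIST, 1 otherwise; extra or missing accounts are reported on stderr.
# (Short names on macOS contain no spaces, so unquoted splitting is safe.)
fv_only_users() {
    list="$1"; shift
    rc=0
    enabled=$(printf '%s\n' "$list" | cut -d, -f1 | sort)
    for want in "$@"; do
        printf '%s\n' "$enabled" | grep -qx "$want" \
            || { echo "missing unlock account: $want" >&2; rc=1; }
    done
    for have in $enabled; do
        found=0
        for want in "$@"; do [ "$have" = "$want" ] && found=1; done
        [ "$found" -eq 1 ] || { echo "still FileVault-enabled: $have" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample of `fdesetup list` before the workaround (both users enabled)...
BEFORE='PrimaryUser,0A1B2C3D-0000-4000-8000-000000000001
unlockUser,0A1B2C3D-0000-4000-8000-000000000002'
# ...and after `sudo fdesetup remove -user PrimaryUser`.
AFTER='unlockUser,0A1B2C3D-0000-4000-8000-000000000002'

if fv_only_users "$AFTER" unlockUser; then
    echo "OK: only unlockUser can unlock the volume"
else
    echo "WARNING: primary account can still unlock the volume"
fi
```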
Does this mean that every user account has their own data volume or that every user account has their home folder encrypted on a per-file basis? Or neither?
What are the privacy implications of two users (both with administrator accounts) sharing an Apple Silicon Mac?
Why is that so important? Your disk encryption key is certainly stored in memory for the duration of your session (which on Macs might as well be forever since they don’t need to shutdown), so anyone with your user password can gain access either way.
It is important because the M1 is iOS-derived hardware and unlikely to keep disk encryption keys in memory that you or anyone can freely dump. And hardware attacks against a TPM are both costly and hard to perform.
Also, in case of travel or emergency it's much easier to just power it off. At the same time there are tons of ways someone can steal your day-to-day lock screen password.
A full writeup of this is at the link [1]. This has been a well-known thing in computer forensics for many years, which is why *full* disk encryption is so important.
IMO that's a big problem. They are completely different risk categories. My FDE password is absurdly long and complicated, since I never want someone who gains physical access to get all my data, but my Linux user account password isn't as long since its main purpose is to stop someone from getting past my lock screen if I were to leave my system unattended.
If one does not power down your system, your FDE is unlocked. So they only need your Linux user account password to get access to the data on your disk.
FDE only protects your data when it's locked. Normally this is when your system is shut down.
The main difference is in the attack surface. Attacking the FDE can happen offline with infinite attempts by a large-scale operation dedicating lots of compute power. Breaking my user password has to happen on site at that exact moment, and my lock screen can detect N failed logins and shut down.
At least with 10.15 and earlier you can configure macOS to hibernate after a certain amount of time, after which it will ask for the FDE password on wake-up and load everything from the disk.
Most users probably also didn't care about the first-party firewall exemptions. They could have asked people if they wanted a separate password for disk encryption (e.g. a small checkbox).
It is highly non-trivial to extract the private key from Apple encryption chips; last time I heard, the price was at least 100K USD, and probably much higher now. So unless one values their own secrets that highly, a short password could be OK.
It's about choice and control over your data - an educated user knows that with hardware encryption, it is very difficult to retrieve data if the hardware fails. There's also the trust factor where you would prefer to have the keys, rather than trust some device.
Is it no longer possible to set a separate password by reformatting the disk in Recovery to one of the "Encrypted" options before (re-)installing to that volume?
That's how I set up multiple passwords for FDE on a recent hackintosh build, but I don't have an M1 and this wasn't Big Sur, so maybe I'm missing something obvious that has changed lately and I'm way off-base.
It had to manually be done in that order though, otherwise it defaulted to the user account password for FDE.
Hm, isn’t the trick to have a separate account just to boot into with a strong password and remove the primary account from the set of accounts allowed to unlock the disk? I have used that on older macOS so as not to bother with reinstallation of the OS to enable a password-encrypted partition.