Apple fixes the Disk Utility APFS bug: What you need to know!

Apple has just pushed out a macOS High Sierra Supplemental Update to fix an issue with Disk Utility, APFS encrypted containers, and password hints.

From Matheus Mariano:

This week, Apple released the new macOS High Sierra with the new file system called APFS (Apple File System). It wasn't long before I encountered issues with this update. Not a simple issue, but a potential vulnerability.

The issue, as best as I understand it, was as follows:

  1. If you have an APFS formatted SSD drive and:
  2. You create a new container on that drive using the Disk Utility GUI and:
  3. You make it an encrypted container and:
  4. You add a password hint for the container

Then the GUI would mix up the fields and store the container password in the plain-text password hint field and display the password as the hint whenever you re-mount the container.

If you didn't use the Disk Utility GUI and created the container through Terminal, or if you used the Disk Utility GUI but didn't set a password hint, you wouldn't be affected by the bug.


As bugs go, it was super dumb. But Mariano had already reported it to Apple, and Apple is already deploying a fix.
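To make the field mix-up concrete, here is an added model (not Apple's code, and not Mariano's) of a volume-creation routine with the buggy mapping beside the corrected one, plus the check a practitioner would want: confirm that the plain-text hint stored for a volume does not disclose its passphrase. Names and the PBKDF2 key check are constructed for the example; APFS's real key wrapping is not modelled.

```python
"""Model of the High Sierra Disk Utility hint bug described above.
Constructed example: the data layout and key check are not Apple's."""
from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass
class EncryptedVolume:
    name: str
    hint: str          # stored in plain text and shown to anyone who tries to mount
    salt: bytes
    key_check: bytes   # derived from the passphrase; the passphrase itself is never stored


def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def create_volume_buggy(name: str, passphrase: str, hint: str) -> EncryptedVolume:
    # The defect as the article describes it: the GUI mixes up the fields,
    # so the passphrase is written into the hint slot and the hint is lost.
    salt = os.urandom(16)
    return EncryptedVolume(name, passphrase, salt, _derive(passphrase, salt))


def create_volume_fixed(name: str, passphrase: str, hint: str) -> EncryptedVolume:
    # Correct mapping: only the user-supplied hint is stored in plain text.
    salt = os.urandom(16)
    return EncryptedVolume(name, hint, salt, _derive(passphrase, salt))


def hint_leaks_passphrase(vol: EncryptedVolume, passphrase: str) -> bool:
    """Post-creation audit: does the stored hint reveal the passphrase?

    Compares case-insensitively and also flags a hint that merely contains
    the passphrase, since either form defeats the encryption for anyone
    who can click 'Show hint' at mount time.
    """
    h, p = vol.hint.strip().lower(), passphrase.strip().lower()
    return bool(p) and p in h


def unlock(vol: EncryptedVolume, attempt: str) -> bool:
    """Mount-time check against the stored key check (constant-time compare)."""
    return hmac.compare_digest(_derive(attempt, vol.salt), vol.key_check)
```

Running the buggy creator against your own passphrase and then calling `hint_leaks_passphrase` is the software equivalent of what Mariano saw in the mount dialog.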

The number of people affected — those with physical access to a device with an existing APFS container that also has an additional, encrypted APFS container whose password they wouldn't already have — is probably tiny. Still, Apple has provided the following instructions for re-creating an affected volume with a fresh password even under those circumstances:

  1. Install the macOS High Sierra 10.13 Supplemental Update from the App Store updates page.
  2. Create an encrypted backup of the affected encrypted APFS volume.
  3. Open Disk Utility and select the affected encrypted APFS volume in the sidebar.
  4. Click Unmount to unmount the volume.
  5. Click Erase.
  6. When asked, type a name for the volume in the Name field.
  7. Change Format to APFS.
  8. Then change Format again to APFS (Encrypted).
  9. Enter a new password in the dialog. Enter it again to verify the password, and if you'd like to, provide a hint for the encrypted APFS volume. Click Choose.
  10. Click Erase. You can see the progress of the Erase process.
  11. Click Done when the process is complete.
  12. Restore the data that you backed up in Step 1 to the new encrypted APFS volume that you just created.

The macOS High Sierra 10.13 Supplemental Update should be live by the time you read this, and you can access and update to it via the Mac App Store.

Also note, if you used the same password for your encrypted APFS container as for any other account (for example, your Mac user account), change the password on those accounts too. Better safe than sorry.

Rene Ritchie
Contributor


1 Comment
  • If the password is shown in the clear then hopefully it's simply mistakenly copied to the hint at creation time, rather than the plaintext version actually being available at verification time. It should be long gone (hashed) by then. It's baffling to me that Keychain contains so many plaintext passwords.