If you create an additional, secure APFS container on an existing APFS drive using Disk Utility, and set a password hint, there's a bug that will show your actual password instead. But a fix is already on its way.
Apple has just pushed out a macOS High Sierra Supplemental Update to fix an issue with Disk Utility, APFS encrypted containers, and password hints.
From Matheus Mariano:
This week, Apple released the new macOS High Sierra with the new file system called APFS (Apple File System). It wasn't long before I encountered issues with this update. Not a simple issue, but a potential vulnerability.
The issue, as best as I understand it, was as follows:
- If you have an APFS formatted SSD drive and:
- You create a new container on that drive using the Disk Utilities GUI and:
- You make it an encrypted container and:
- You add a password hint for the container
Then the GUI would mix up the fields and store the container password in the plain-text password hint field and display the password as the hint whenever you re-mount the container.
If you didn't use the Disk Utility GUI and created the container through Terminal, or if you used the Disk Utility GUI but didn't set a password hint, you wouldn't be affected by the bug.
As bugs go, it was super dumb. But Mariano had already reported it to Apple, and Apple is already deploying a fix.
The number of people affected — those with physical access to a device with an existing APFS container that also has an additional, encrypted APFS container who wouldn't also have the password to that container — is probably tiny. Still, Apple has provided the following instructions for how to roll back even under those circumstances:
- Install the macOS High Sierra 10.13 Supplemental Update from the App Store updates page.
- Create an encrypted backup of the affected encrypted APFS volume.
- Open Disk Utility and select the affected encrypted APFS volume in the sidebar.
- Click Unmount to unmount the volume.
- Click Erase.
- When asked, type a name for the volume in the Name field.
- Change Format to APFS.
- Then change Format again to APFS (Encrypted).
- Enter a new password in the dialog. Enter it again to verify the password, and if you'd like to, provide a hint for the encrypted APFS volume. Click Choose.
- Click Erase. You can see the progress of the Erase process.
- Click Done when the process is complete.
- Restore the data that you backed up in Step 1 to the new encrypted APFS volume that you just created.
The macOS High Sierra 10.13 Supplemental Update should be live by the time you read this, and you can access and update to it via the Mac App Store.
Also note, if you used the same password for your encrypted APFS container as any other accounts (for example, your Mac user account), change those accounts. Better safe than sorry.