"For additional privacy and security, 15 data categories — including Health and passwords in iCloud Keychain — are end-to-end encrypted. Apple doesn't have the encryption keys for these categories, and we can't help you recover this data if you lose access to your account. The table below includes a list of data categories that are always protected by end-to-end encryption."
The FileVault keys are stored in the iCloud Keychain and Apple does not have access to them, full stop :-)
You are conflating iCloud Keychain with the rest of the iCloud data. iCloud Keychain is always end-to-end encrypted. Apple cannot decrypt it even if they receive a subpoena. The other iCloud data like your photos are not end-to-end encrypted by default unless you turn on Advanced Data Protection (ADP).
In the news article you shared above, it's very likely this person did not have ADP turned on. So everything in their iCloud that is not E2EE by default could be decrypted by Apple.
The Apple support link above has a table showing what Apple has access to depending on whether the user has Advanced Data Protection on or not.
The link you posted shows that the FBI got access to iCloud and found screenshots saved there -- not the device; if the guy had had ADP on, all the FBI would get is mail, contacts, and calendar data saved to iCloud, as Apple wouldn't have the key for the rest of it.
"Apple does the same thing with FileVault when you set up with your iCloud account where, again, previously your disk was just left unencrypted"
Nah, the FileVault key is stored in your iCloud Keychain when you choose to backup the key to iCloud. And the keychain is end-to-end encrypted. Only the user has access.
This user has been spreading this falsehood so heavily in this thread that it's almost suspicious.
When you store your FileVault key in iCloud, it is in escrow (i.e. accessible by Apple) on older but relevant versions of iOS and macOS. On newer versions, the situation is improved. However, the terminology on newer versions has changed from "iCloud Keychain", so frankly, I still think you were talking out of your ass.
In fairness, the link is specifically for "Advanced Data Protection for iCloud". This has nothing to do with local whole-disk encryption like FileVault or BitLocker.
In Apple's case, even when the user enables iCloud FileVault key backup, that key is still end-to-end encrypted and Apple cannot access it. As a matter of fact, while Apple regularly receives legal warrants for access, they are ineffective because Apple has no way to fulfill that request/requirement.
Microsoft has chosen to store the BitLocker key backups in a manner that maintains their (Microsoft's) access. But this is a choice Microsoft has made; it's not an intrinsic requirement of a key escrow system. And in the end, it enables law enforcement to compel them to turn over these keys when a judge issues a warrant.
> This has nothing to do with local whole-disk encryption like FileVault or BitLocker.
Wrong. When you set up a Mac laptop, it gives you the option to escrow keys. ADP disables that and ADP also prevents key escrow for iDevice backups.
This is changed in Tahoe, but that's a really important callout that you need to make (and that you aren't making)
> In Apple's case, even when the user enables iCloud FileVault key backup, that key is still end-to-end encrypted and Apple cannot access it.
This is not true for older but relevant versions of macOS. It was changed in Tahoe.
With ADP enabled (which the vast majority of users do not have), this is completely incorrect. This is still factually wrong, and dangerously misleading.
If the user's macOS FileVault disk encryption key is "stored in iCloud", it resides in the user's iCloud Keychain, which is end-to-end encrypted. This creates a situation similar to the iPhone, where Apple does not have the ability to access the user's data and therefore cannot comply with a warrant for access (which really annoys organizations like the FBI and Interpol).
I'm sorry, but you're wrong, and wrong in a way that is dangerous. You're conflating two separate things.
> If the user's macOS FileVault disk encryption key is "stored in iCloud", it resides in the user's iCloud Keychain, which is end-to-end encrypted.
First: Keychains synced to iCloud are encrypted end to end, as is iCloud Keychain.
However: when you set up FileVault, you are prompted to escrow your keys in the cloud. If you do that, those keys are NOT end-to-end encrypted.
Further: this is an explicit user feature. It is how "cloud unlock" of a machine with FileVault works. Apple also offers Advanced Data Protection, which is more akin to what you're describing, but requires opting in.
> This creates a situation similar to the iPhone, where Apple does not have the ability to access the user's data and therefore cannot comply with a warrant for access
Another potentially dangerous statement: while this is true for a locked phone, if you use iCloud backups for your device with "standard" level of protection, Apple stores the backups and maintains key escrow.
And by the way, the situation is improved in Tahoe and closer to what you've described, but it's still not a guarantee if you upgraded from an older version.