macOS High Sierra 10.13.4 fixes APFS encryption password disclosure bug

The latest update to High Sierra, bringing it to 10.13.4, does fix the bug discovered by Sarah Edwards when making an APFS encrypted volume in Disk Utility – in both its original form (fixed in 10.13.2) and the form which remained into 10.13.3.

Although erasing a disk and creating an APFS container still result in execve() calls from diskmanagement which enter the full command and parameters into the log in plain text, those do not contain sensitive information such as a passphrase. The call to encrypt an APFS volume, whether freshly created or already existing, doesn’t use that execve() call, and there is no trace of the encryption passphrase in the unified log.

That is a very quick turnaround by Apple, in fixing the remaining bug in less than a week, and reinforces my opinion that this was an oversight of which Apple had been unaware.

Hopefully Apple will soon amend the list of security fixes for the 10.13.4 update to credit Sarah Edwards with reporting this bug, and making it explicit that it is now fixed.