It's a specious reason, and disengenous dissembly. There's nothing about encryption that precludes low-level duplication.
This just something "you don't need" because they would rather shave another millimeter of the width, for the larger and more lucrative fashion-focused part of their customerbase.
To clarify my comment, the trigger of the issue here is a motherboard failure, and data loss is cascading from there.
Sure Apple makes decision that can affect the outcome in this specific case, but other things happen to laptops (physical damage, loss, direct disk failure etc.).
I would blame a pro user with valuable info for not backing/replicating it in case the laptop dies. Actually I am not even sure the laptop could go to repair with the data still salvageable in companies with strict security protocols.
Hardware fails, that's just a fact of life and an inevitable consequence of the second law of thermodynamics. All the comment you are replying to is saying is that pros should know this and back up their data - preferably using multiple methods. I'd argue everyone should do this. Personally I use Time Machine and Backblaze, plus all my most important stuff is in Dropbox.
If you have a normal laptop when it fails you can take a screw driver and put the SSD of the broken machine into another functioning computer, and in 10 minutes you are continuing you work where you left it.
That is more convenient than having to move to another PC, install the OS, all the software that you need, copy the data from somewhere, a procedure that takes a couple of hours.
And of course with a normal computer when you send your PC to service you can take out the SSD so the service personal cannot see your private data and so you can continue to work with another computer while you wait for the other to be repaired.
Many modern drives will encrypt the data if you enable a HDD password. HDD passwords can't always be unlocked using another make/model so if you enable a HDD password on your you actually do risk ending up in the same situation.
The summary here is the T2 chip provides custom hardware encryption for the SSD, which makes recovery impossible (and so they removed the data recovery port because what's the point in having it?).
Hardware encryption isn't really something you can turn on or off though, right?
You can look at something like the headphone jack and say, "adding a jack doesn't prevent anyone from using wireless headphones." But if they get rid of the chip, then it does prevent people from using it.
Short of selling two separate models with different configs, is there any way they could allow the customer to choose?
Luckily Apple has loads of experience with hardware encryption of iPhones and it seems like they land pretty damn well with users. Almost no one knew previous models had this recovery feature and almost no one will actually care that the new ones don't. Make a backup of data you want to keep in case of hardware failure, don't rely on any magic from a vendor.
Good luck telling that to the parent that just lost all the pics of their child... If you can lose months of work due to a client and haven't backed it up you do not deserve to have any clients.
Losing work product is a far more common occurence, and while it can be turned into a moral argument that people really should just backup their stuff - The truth is they don't and the stress of a looming deadline is exactly the scenario where accidents are most likely.
Is it though? I think it would be really rare for your logic board to die right as you are finishing up a project that you haven't saved anywhere else. But with enough time to schedule an appointment at the Apple Store, enough money to buy a new computer and the knowledge that they can open up the laptop, remove the logic board, hook up a cable that almost no one until this week knew existed and then transfer your data. I bet it almost never happened.
Oh that. I lost my 2TB of backups because shitty USB interface that was also encrypting the data. Drive was fine, but controller bricked and my data was gone.
I don't see any technical reason why your encryption/decryption route couldn't sustain one branch. You're doing it in hardware, there's not going to be a performance decrease from it, though there would be a slight increase in chip complexity.
Apple have taken the decision here that abandoning the ability to recover data from failed machines is worth the guaranteed security floor of it not being possible to disable strong encryption, and honestly I find it hard to disagree.
They could offer to let the user backup the key from the T2 chip to iCloud (and put the port back).
Obviously if you're worried about nation state attackers you wouldn't want to do that in a million years. But if your primary threat model is that you're an average boring home user suffering data loss because you don't backup and dropped coffee on your Macbook it would be a solution.
I think their buisiness model is instead to back up your files to iCloud, not the hard drive key. Which also protects drive losses like theft and drive failure, and is generally useful for people with multiple machines. They justify charging you a iCloud service fee for this better user experience.
From apple’s perspective, hardrive encryption keys aren’t something the average user is going to care about, but files are. The fact that this drives iCloud storage is probably a happy accident ;)
Apple doesn't offer iCloud backup for Macs, only for iOS devices. Apple's backup solution for Macs is Time Machine, which backs up to a local destination (either another drive attached to the machine or a NAS).
You can copy the data you cannot extract the encryption key it’s not any different than an iPhone if you don’t have backups you are screwed.
This is privacy in fact prettty strong one, like with any security measure usability and availability may suffer however it’s on you to mitigate those risks by leveraging backups which on OSX is fairly easy to do so with time machine, FileVault and cloud backups which are also encrypted.
If Apple can not offer a recovery service it is also likely that most adversaries will not be able to recover the data which is a pretty darn good thing to have.
They are definitely better than other companies, but if they truly cared about privacy, they would let us download apps without signing up for an Apple ID. Or at the very least, not require a full name and physical address for one.
Total BS. Apple only needs country-level address for tax compliance as local jurisdictions (states, cities, etc.) aren't allowed to impose their own taxes on digital sales anywhere.
Even assuming that's true, the laws could change and the moment they do, Apple would need to comply with the tax laws. If Apple doesn't collect anything more than country-level location, and states start imposing taxes on digital sales, then Apple would have no way to comply with the law.
You mean they opted out of PRISM (or whatever is the equivalent today) ? They disable as much as ME on their intel components as they can ? They don't promote the use of a unique ID linked to a remote account to use their hardware ?
The T2 chip for what I understand it's a proprietary CPU that executes proprietary software, how can you consider that secure ? It's not different from the Intel ME in that sense, just another secondary processor that have access to all the hardware on the computer and that runs code that the user cannot control.
Also for a security prospective it's not good, the main principle of cryptography is that the only secret to decrypt something should reside in the user, not in the obscurity of the algorithm or the hardware, so a perfect encryption is an encryption where when you turn on you laptop you have to insert a 30 character strong password that only you know, like LUKS on Linux, no obscure hardware, no proprietary software. The laptop broke, take out the SSD, put it in another Linux computer, insert you secret password, and recover the data.
This system is NOT secure, if someone finds a flaw that permits to extract the key from the T2 chip, and it's only a matter of time and resources before someone does it, your data is no more protected, they can decrypt and extract what they want. We must not consider secure every encryption system that doesn't depend on a secret that only the user knows.
Let me tell you a secret, there is nothing truly secure in the world. Only things which haven’t had a vulnerability found for it.
> It's not different from the Intel ME
The important sense that matters is Intel ME has been found vulnerable (highly vulnerable in fact). The T2 hasn’t. Should we be skeptical of black boxes, most assuredly! But calling it equivalent to something found to be flawed in serious ways is a bit premature at best, or grossly negligent at worse.
> the main principle of cryptography is that the only secret to decrypt something should reside in the user
I don’t know about you, but the “main principle of cryptography” is to prevent unauthorized parties from knowing the contents of the data to me. I guess we are allowed to make up any statement that furthers our cause though when that suits us.
> if someone finds a flaw that permits to extract the key from the T2 chip, and it's only a matter of time and resources before someone does it, your data is no more protected, they can decrypt and extract what they want
Your password is part of the process, the extra stuff done in the T2 is just that, extra. So extracting from the T2 gives you nothing without the user’s password, needed to unlock the secret encryption key for the drive (assuming FileVault is enabled[0], and if you didn’t enable it, then why do you have an expectation of security at all?).
>Let me tell you a secret, there is nothing truly secure in the world.
My VCR is pretty secure. CRT monitor, too. Even my headphones are nicely secure.
>The important sense that matters is Intel ME has been found vulnerable (highly vulnerable in fact). The T2 hasn’t.
There's your fallacy. Just because the T2 hasn't doesn't mean it can't or won't. You even just said it. 'Only things which haven’t had a vulnerability found for it.'. The problem is that proprietary embedded hardware of a dynamic nature leads to irreversible possibilities of exploitation at a hardware level. ME is a very, very good reason to not trust.
>I don’t know about you, but the “main principle of cryptography” is to prevent unauthorized parties from knowing the contents of the data to me.
Cryptography is not about obfuscation layers on top of cryptography. Cryptographic security is a math, not a logic. Anything further
is about hiding intentions making the cost of entry to finding
exploitation higher. The cost of entry makes it hard for white hats to find exploits before the market does.
>Your password is part of the process, the extra stuff done in the T2 is just that, extra.
Or is it? Have you looked at the firmware? you nor I can, so you cannot claim what it's actually doing. But we do know that it's a proprietary chip capable of lots of fun.
Also user passwords are trivial to get, and there's always the possibility that the chip is storing the user password itself. Again, can't know, that's up for the black hats now.
A long time ago, I was told a story by a Navy Radioman--a specialty which no longer exists. As a demonstration of TEMPEST, someone parked a van at the end of a pier and after a few hours presented to the crew of the ship a log of everything that had been done electronically on the ship. Not just the transmitted traffic, either, but things that they had apparently been able to construct from the CRT displays in use at the time. At a distance.
I don't think your VCR, CRT monitor, or headphones are nearly as secure as you think they are. You might not care about their vulnerability to a sufficiently-motivated actor, but someone else might.
”In the paper, Van Eck reports that in February 1985 a successful test of this concept was carried out with the cooperation of the BBC. Using a van filled with electronic equipment and equipped with a VHF antenna array, they were able to eavesdrop from a "large distance". There is no evidence that the BBC's TV detector vans actually used this technology, although the BBC will not reveal whether or not they are a hoax.
Van Eck phreaking and protecting a CRT display from it was demonstrated on an episode of Tech TV's The Screen Savers on December 18, 2003.”
Privacy- not security. In this case they reasserted their commitment to privacy by not giving themselves the key to the encryption, and therefore making themselves unable to give the key to others, either from insider risk, state actors or malicious hackers.
I’m not a security expert and I couldn’t possibly tell you whether the T2 is secure even if I was because it’s an opaque blob like you said.
> The T2 chip for what I understand it's a proprietary CPU that executes proprietary software, how can you consider that secure ? It's not different from the Intel ME in that sense, just another secondary processor that have access to all the hardware on the computer and that runs code that the user cannot control.
If it ran open-source software that wouldn't make it secure. Proprietary software means it can't be independently audited for security, but whether it can be audited != whether it's actually secure.
> Also for a security prospective it's not good, the main principle of cryptography is that the only secret to decrypt something should reside in the user, not in the obscurity of the algorithm or the hardware
Your "main principle" is incorrect, but you are correct that obscurity of algorithm is no defense. However the T2 does not rely on obscurity of algorithm. It relies on having a private key that nobody besides the T2 has access to (not the user, not Apple, nobody) and it combines that key with the one derived from your password. This means decrypting any of that data requires two things:
1. The user password, and
2. Cooperation from the T2 chip
This is strictly more secure than just relying on the password alone.
> This system is NOT secure, if someone finds a flaw that permits to extract the key from the T2 chip, and it's only a matter of time and resources before someone does it, your data is no more protected, they can decrypt and extract what they want.
This is incorrect. You still need the user password. If someone manages to extract the key from the T2 then they've reduced the problem back to what you'd have without the T2; namely, you need the user password to decrypt anything.
I don't understand what you're trying to achieve or what you think the parent was trying to achieve either.
Parent is saying they don't use hardware encryption because it makes recovery impossible. With LUKS I can throw the disk into any PC that has a port for it, boot from a linux USB and get my data.
If I'm using both, then I get the worst of both worlds! It's slower and I'm using more CPU, yet if the worst happens I still can't get my data back as the hardware encryption still scuppers me.
I always consider any lap/desk top device as 'disposable'; when I am 'connected', my auto-saves and final saves are synced to online storage, and if I am out-and-about, I can double-save to an encrypted usb memory stick or a locker on my phone.
Exactly. I use Arq with Amazon Drive for daily incremental backups at noon, which is at times bothersome, because it needs a lot of CPU for encryption and verification. But in case my MBPro is stolen, I will be up and running again ~24h later (depending on network bandwidth) with max a few hours of work lost.
Time machine over network is not a great option for me because of my workplace situations, but I could carry a small disk or even a thumbdrive for extra backups - those have gotten so cheap recently.
Another HN thread where valid complaints get downvoted. That’s why this is a toxic board; we can’t have adult conversations here.
Most people want their data protected or recoverable. Most want a computer with a variety of ports, specifically for our existing peripherals. Most don’t care about a MILLIMETER of thickness, it’s not worth it.
Online syncing is not a solution to everything. Shame we can’t discuss the issues here.
Of course we can discuss it but if you passionately throw around opinions like "most people want" as if they were facts without reference to supporting evidence then people will probably vote you down.
You're also making the strawman argument that removing the recovery port was done to save millimetres of thickness and that's clearly false because the 2018 laptop is the same size as the 2016-2017 MacBook Pro which includes the port.
For the record I'm not convinced by the current Apple lineup so I haven't upgraded but that is a different discussion.
Apple doesn't care about what most people want. They have a specific vision about the future of computing that they want to bring into existence, and this is simply one step in that direction. You may not agree with the changes taking place at the moment, but of course you and I don't exactly know where they're planning on taking this, and where things will be in another decade or two.
Most people want their data protected or recoverable.
Apple makes it almost unbelievably easy to do regular encrypted backups and restore from them. I've used Time Machine backups to restore lost/accidentally deleted data many times, and to "restore" to multiple new Macs over the years, for example. Backups are and always have been the correct answer to "what if this specific disk/machine goes irrecoverably bad".
Meanwhile, the reason they can't recover the data for you here is because they implement the one correct answer to "what happens if I lose all my decryption keys". Which is "you're out of luck, we don't have a backdoor to recover the data in that case".
Accessing the data does not mean decrypting it. I'm just guessing here but they probably had to rely on the client's password after they had access to the data.
And presumably that no longer works, because only the T2 chip on the logic board can decrypt the data. Dumping the raw contents of the SSD is now pointless.
Well, yet another reason to stick with the older macbooks: you can always put your SSD in another Macbook and unlock the FileVault encryption. Timemachine is nice, unless you're dealing with gigabyte-sized files... be it Photoshop, AfterEffects or whatever.
What people critizing this seem to miss is that it's exactly the same situation as for SSDs which include hardware full disk encryption (FDE):
If the processor inside the SSD responsible for encryption/decryption breaks, you can't recover the data as well anymore.
What would be the processor inside the SSD is the T2 chip in the current MBP's. It even exposes the same interface (NVMe) to the rest of the system as the processor of an SSD does.
The only differences are that the T2 chip has some additional responsibilities in addition to handle the storage and its encryption and that the die with the T2 chip and the flash chips is larger (as it's the motherboard) and might not be as sealed against environmental impacts as the one of an SSD (which could be a higher risk of failure).
If I'm understanding the article correctly, they can't recover users' data even if both the T2 chip and the NVMe storage are working - the entire laptop needs to be functional in order for them to get data off. Any failure of any important mainboard component leads to complete data loss.
TPM isn’t adversary resistant, these modules are easily accessible over the IC2 bus and can be compromised there is plenty of research to support that.
With Bitlocker unless you backup the recovery key in the cloud or manually there is no way to recover it unless you are going to attempt to compromise the TPM this is no different than FileVault/TimeMachine backups which do exactly that however with the added assurance that at least at the writing of this comment the T2 chip cannot be easily compromised or accesses outside of normal operating parameters.
Ironically (is that the correct usage?) this actually makes it appealing to me.
Whenever I take a laptop in to be serviced, I always remove the hard drive and replace it with an old one that has a new Linux or Windows install on it.
This is mainly for privacy reasons.
When I got my MBP, I knew you couldn't do that, so I basically used it as a thin client, storing all my data elsewhere. However, I was still uncomfortable when I did need to turn it in for servicing, that I spent extra time and formatted it beforehand.
And yes, I encrypt all the drives, but I've heard of instances where the tech will ask for passwords.
> I've heard of instances where the tech will ask for passwords.
I've experienced this at the Apple Store when taking a Mac in for repairs. They refused to fix it if I didn't give them the password, even though it was under warranty. There's even a dedicated field for typing in your login password on the iPads the Apple Genius gives to you when submitting your Mac for a repair.
When I took my MacBook Air in for repair with a UEFI password, they carried out the whole repair and just asked me to type my password when I arrived to collect it and ran a diagnostic on the machine to verify the computer was working. You shouldn’t need to tell/give an Apple Genius your password.
The really huge problem with that is that Keychain uses your login password to unlock your world of passwords. Even if you change your login before servicing, are you going to delete your whole keychain?
Yes, this case kind of proves that they implemented disk encryption correctly :) If MBP weren't such overpriced garbage recently (fckuing Touchbar, fcuking AMD GPUs, fcuking overheating, throttling CPUs) this could convince me to buy one.
89 comments
[ 2.8 ms ] story [ 62.1 ms ] thread“Pro” users will be more inclined to have a workflow to mitigate hardware failure.
This just something "you don't need" because they would rather shave another millimeter of the width, for the larger and more lucrative fashion-focused part of their customerbase.
Sure Apple makes decision that can affect the outcome in this specific case, but other things happen to laptops (physical damage, loss, direct disk failure etc.).
I would blame a pro user with valuable info for not backing/replicating it in case the laptop dies. Actually I am not even sure the laptop could go to repair with the data still salvageable in companies with strict security protocols.
That is more convenient than having to move to another PC, install the OS, all the software that you need, copy the data from somewhere, a procedure that takes a couple of hours.
And of course with a normal computer when you send your PC to service you can take out the SSD so the service personal cannot see your private data and so you can continue to work with another computer while you wait for the other to be repaired.
So remember, backups are important!
You can look at something like the headphone jack and say, "adding a jack doesn't prevent anyone from using wireless headphones." But if they get rid of the chip, then it does prevent people from using it.
Short of selling two separate models with different configs, is there any way they could allow the customer to choose?
Why? This is something completely up to the manufacturer.
As for forcing HW encryption of hard drives, other companies already tried (WD My Book Duo) and it didn't land well with users.
Until their Macbook dies and they take it to Apple for servicing. At which point they'll care a lot.
I'd hate to be an Apple Genius. They don't half get thrown under the bus by corporate decisions sometimes.
The iPhone outsells the MacBook by more than 10 to 1 and works exactly the same way. I think they'll be OK.
Apple have taken the decision here that abandoning the ability to recover data from failed machines is worth the guaranteed security floor of it not being possible to disable strong encryption, and honestly I find it hard to disagree.
Obviously if you're worried about nation state attackers you wouldn't want to do that in a million years. But if your primary threat model is that you're an average boring home user suffering data loss because you don't backup and dropped coffee on your Macbook it would be a solution.
From apple’s perspective, hardrive encryption keys aren’t something the average user is going to care about, but files are. The fact that this drives iCloud storage is probably a happy accident ;)
This is privacy in fact prettty strong one, like with any security measure usability and availability may suffer however it’s on you to mitigate those risks by leveraging backups which on OSX is fairly easy to do so with time machine, FileVault and cloud backups which are also encrypted.
If Apple can not offer a recovery service it is also likely that most adversaries will not be able to recover the data which is a pretty darn good thing to have.
https://blog.taxjar.com/sales-tax-digital-products/
We normally do this by riding the credit card rails....which requires the full address...
Also for a security prospective it's not good, the main principle of cryptography is that the only secret to decrypt something should reside in the user, not in the obscurity of the algorithm or the hardware, so a perfect encryption is an encryption where when you turn on you laptop you have to insert a 30 character strong password that only you know, like LUKS on Linux, no obscure hardware, no proprietary software. The laptop broke, take out the SSD, put it in another Linux computer, insert you secret password, and recover the data.
This system is NOT secure, if someone finds a flaw that permits to extract the key from the T2 chip, and it's only a matter of time and resources before someone does it, your data is no more protected, they can decrypt and extract what they want. We must not consider secure every encryption system that doesn't depend on a secret that only the user knows.
Let me tell you a secret, there is nothing truly secure in the world. Only things which haven’t had a vulnerability found for it.
> It's not different from the Intel ME
The important sense that matters is Intel ME has been found vulnerable (highly vulnerable in fact). The T2 hasn’t. Should we be skeptical of black boxes, most assuredly! But calling it equivalent to something found to be flawed in serious ways is a bit premature at best, or grossly negligent at worse.
> the main principle of cryptography is that the only secret to decrypt something should reside in the user
I don’t know about you, but the “main principle of cryptography” is to prevent unauthorized parties from knowing the contents of the data to me. I guess we are allowed to make up any statement that furthers our cause though when that suits us.
> if someone finds a flaw that permits to extract the key from the T2 chip, and it's only a matter of time and resources before someone does it, your data is no more protected, they can decrypt and extract what they want
Your password is part of the process, the extra stuff done in the T2 is just that, extra. So extracting from the T2 gives you nothing without the user’s password, needed to unlock the secret encryption key for the drive (assuming FileVault is enabled[0], and if you didn’t enable it, then why do you have an expectation of security at all?).
[0] https://support.apple.com/en-us/HT208344
My VCR is pretty secure. CRT monitor, too. Even my headphones are nicely secure.
>The important sense that matters is Intel ME has been found vulnerable (highly vulnerable in fact). The T2 hasn’t.
There's your fallacy. Just because the T2 hasn't doesn't mean it can't or won't. You even just said it. 'Only things which haven’t had a vulnerability found for it.'. The problem is that proprietary embedded hardware of a dynamic nature leads to irreversible possibilities of exploitation at a hardware level. ME is a very, very good reason to not trust.
>I don’t know about you, but the “main principle of cryptography” is to prevent unauthorized parties from knowing the contents of the data to me.
Cryptography is not about obfuscation layers on top of cryptography. Cryptographic security is a math, not a logic. Anything further is about hiding intentions making the cost of entry to finding exploitation higher. The cost of entry makes it hard for white hats to find exploits before the market does.
>Your password is part of the process, the extra stuff done in the T2 is just that, extra.
Or is it? Have you looked at the firmware? you nor I can, so you cannot claim what it's actually doing. But we do know that it's a proprietary chip capable of lots of fun.
Also user passwords are trivial to get, and there's always the possibility that the chip is storing the user password itself. Again, can't know, that's up for the black hats now.
I don't think your VCR, CRT monitor, or headphones are nearly as secure as you think they are. You might not care about their vulnerability to a sufficiently-motivated actor, but someone else might.
”In the paper, Van Eck reports that in February 1985 a successful test of this concept was carried out with the cooperation of the BBC. Using a van filled with electronic equipment and equipped with a VHF antenna array, they were able to eavesdrop from a "large distance". There is no evidence that the BBC's TV detector vans actually used this technology, although the BBC will not reveal whether or not they are a hoax.
Van Eck phreaking and protecting a CRT display from it was demonstrated on an episode of Tech TV's The Screen Savers on December 18, 2003.”
What happens when a sufficient power surge comes in and it catches fire and burns down your house. Still secure?
> CRT monitor, too.
You sure? There are known viruses than can destroy some old CRTs. Still secure?
> Even my headphones are nicely secure.
Sure, so is my wind up grandfather clock too. How is that relevant?
I’m not a security expert and I couldn’t possibly tell you whether the T2 is secure even if I was because it’s an opaque blob like you said.
If it ran open-source software that wouldn't make it secure. Proprietary software means it can't be independently audited for security, but whether it can be audited != whether it's actually secure.
> Also for a security prospective it's not good, the main principle of cryptography is that the only secret to decrypt something should reside in the user, not in the obscurity of the algorithm or the hardware
Your "main principle" is incorrect, but you are correct that obscurity of algorithm is no defense. However the T2 does not rely on obscurity of algorithm. It relies on having a private key that nobody besides the T2 has access to (not the user, not Apple, nobody) and it combines that key with the one derived from your password. This means decrypting any of that data requires two things:
1. The user password, and
2. Cooperation from the T2 chip
This is strictly more secure than just relying on the password alone.
> This system is NOT secure, if someone finds a flaw that permits to extract the key from the T2 chip, and it's only a matter of time and resources before someone does it, your data is no more protected, they can decrypt and extract what they want.
This is incorrect. You still need the user password. If someone manages to extract the key from the T2 then they've reduced the problem back to what you'd have without the T2; namely, you need the user password to decrypt anything.
I don't understand what you're trying to achieve or what you think the parent was trying to achieve either.
Parent is saying they don't use hardware encryption because it makes recovery impossible. With LUKS I can throw the disk into any PC that has a port for it, boot from a linux USB and get my data.
If I'm using both, then I get the worst of both worlds! It's slower and I'm using more CPU, yet if the worst happens I still can't get my data back as the hardware encryption still scuppers me.
Seeing all of the bungles Apple seems to make, I wonder what Jobs would say.
An MBP is a mighty expensive disposable.
True - to a person paying for one themselves. For a company though a MBP is a negligible cost compared to the employee using it - or the data on it.
Time machine over network is not a great option for me because of my workplace situations, but I could carry a small disk or even a thumbdrive for extra backups - those have gotten so cheap recently.
Another degraded POS from Apple, at astronomical prices.
Most people want their data protected or recoverable. Most want a computer with a variety of ports, specifically for our existing peripherals. Most don’t care about a MILLIMETER of thickness, it’s not worth it.
Online syncing is not a solution to everything. Shame we can’t discuss the issues here.
You're also making the strawman argument that removing the recovery port was done to save millimetres of thickness and that's clearly false because the 2018 laptop is the same size as the 2016-2017 MacBook Pro which includes the port.
For the record I'm not convinced by the current Apple lineup so I haven't upgraded but that is a different discussion.
Apple makes it almost unbelievably easy to do regular encrypted backups and restore from them. I've used Time Machine backups to restore lost/accidentally deleted data many times, and to "restore" to multiple new Macs over the years, for example. Backups are and always have been the correct answer to "what if this specific disk/machine goes irrecoverably bad".
Meanwhile, the reason they can't recover the data for you here is because they implement the one correct answer to "what happens if I lose all my decryption keys". Which is "you're out of luck, we don't have a backdoor to recover the data in that case".
But to be honest I have no idea -- I'm a software developer and I know very little about hardware.
If the processor inside the SSD responsible for encryption/decryption breaks, you can't recover the data as well anymore.
What would be the processor inside the SSD is the T2 chip in the current MBP's. It even exposes the same interface (NVMe) to the rest of the system as the processor of an SSD does.
The only differences are that the T2 chip has some additional responsibilities in addition to handle the storage and its encryption and that the die with the T2 chip and the flash chips is larger (as it's the motherboard) and might not be as sealed against environmental impacts as the one of an SSD (which could be a higher risk of failure).
With Bitlocker unless you backup the recovery key in the cloud or manually there is no way to recover it unless you are going to attempt to compromise the TPM this is no different than FileVault/TimeMachine backups which do exactly that however with the added assurance that at least at the writing of this comment the T2 chip cannot be easily compromised or accesses outside of normal operating parameters.
Whenever I take a laptop in to be serviced, I always remove the hard drive and replace it with an old one that has a new Linux or Windows install on it.
This is mainly for privacy reasons.
When I got my MBP, I knew you couldn't do that, so I basically used it as a thin client, storing all my data elsewhere. However, I was still uncomfortable when I did need to turn it in for servicing, that I spent extra time and formatted it beforehand.
And yes, I encrypt all the drives, but I've heard of instances where the tech will ask for passwords.
I've experienced this at the Apple Store when taking a Mac in for repairs. They refused to fix it if I didn't give them the password, even though it was under warranty. There's even a dedicated field for typing in your login password on the iPads the Apple Genius gives to you when submitting your Mac for a repair.
No good to you if the power connector on the logic board is screwed but the chips are fine.