Disk encryption, FileVault and hardware encryption

Without encrypting the contents of a disk, it’s all too easy for anyone to access its contents. Even if your Mac is protected by a firmware password, all someone has to do is remove the disk and they can see and copy everything on it. There are several options which can prevent that.

FileVault 1

The first version of FileVault, known now as FileVault 1 or Legacy FileVault, was introduced in Mac OS X 10.3, but applied only to Home folders. Instead of being stored normally as files and folders on a disk, they were kept in an encrypted sparsebundle. These caused problems with Time Machine backups, and were readily copied from the Mac, so became comparatively easy to crack. Even on old Macs, you shouldn’t assume that FileVault 1 provides any significant level of protection.

Jonathan Zdziarski’s classic article File Vault’s Dirty Little Secrets is an excellent account of some of those weaknesses.

FileVault 2

This was introduced in Mac OS X 10.7, and replaced FileVault 1 completely, with whole-volume software encryption which is far more secure. The user’s password is used as the passphrase for encryption using the XTS-AES mode of AES with a 256-bit key. The only users who can unlock an encrypted boot volume are those specifically enabled to do so, and once that boot volume has been unlocked, other users have unlimited access until that Mac is shut down.

Older Intel Core processors don’t have instructions to perform encryption-decryption, and using FileVault 2 with them imposes a significant performance penalty. However, more modern Intel processors such as Intel Core i have instruction support, reducing the performance penalty to around 3%, which can still be noticeable at times, particularly on hard disks.

Software FileVault 2 is the volume encryption available in macOS for internal storage in Intel Macs without T2 chips, and on external storage of all models of Mac: even M1 Macs don’t offer hardware encryption on external storage. If your Intel Mac doesn’t have a T2 chip, this is probably the best integrated whole-volume encryption on offer for HFS+, and its successor for APFS volumes; unlike HFS+, APFS was designed for software encryption from the outset.

The key used to encrypt the volume contents isn’t exposed, but accessed via a series of wrappers, which enables the use of recovery keys if the user password is lost or forgotten. A recovery key or the password is used to unwrap a key encryption key (KEK), which is in turn used to unwrap the volume encryption key (VEK), which is actually used for encryption/decryption. As the file system on the volume is also encrypted, following unwrapping of the KEK and VEK, the next task to access a volume is to decrypt the file system B-tree using the VEK.

T2/M1 hardware encryption

The internal SSD in Macs with T2 chips, and all Apple Silicon Macs, doesn’t use software FileVault, instead relying on the hardware in the SoC for encryption and decryption. This is enabled by the SoC acting as the storage controller for the internal SSD, so all data transferred between the main CPU/memory and internal storage passes through an encryption stage in the ARM processor of the SoC. All Macs with these SoCs, with the exception of the Mac Pro 2019, have internal storage which is soldered into place to make its removal challenging. The Mac Pro 2019 has replaceable internal SSDs, but following replacement new internal storage has to be initialised against that Mac’s T2 chip using Apple Configurator 2.

If a T2-equipped Mac is used with FileVault turned off, the contents of its internal storage are still encrypted, using a VEK protected by a hardware key, and an xART key (to prevent replay attacks). When FileVault is turned on, that adds the protection of the KEK, which is in turn protected by the user password and a hardware key. Because the user password doesn’t determine the VEK (used to encrypt the volume), but is required to unwrap the KEK, and in turn the VEK, the user password can be changed without requiring the volume to be re-encrypted. This also allows the use of recovery keys in case the user password is lost or forgotten.

Encryption keys are handled only in the Secure Enclave, within the T1/T2/M1 SoC, and on Intel Macs they are never exposed to the Intel processor, making their recovery extremely difficult.

When you delete an encrypted volume, the Secure Enclave deletes its VEK and the xART key, which renders the residual volume data inaccessible even to the Secure Enclave itself. This ensures that there is no need to delete or overwrite any residual data from an encrypted volume: once the volume has been deleted, its previous contents are immediately unrecoverable.

Coverage of boot volumes by encryption varies according to the version of macOS. Prior to macOS Catalina, with a single system volume, the whole of that volume is encrypted; in Catalina, both System and Data volumes are encrypted; in Big Sur and later, the Sealed System Volume isn’t encrypted apparently, but the Data volume is. I believe that all Recovery volumes are also unencrypted.

External hardware encryption

Various makes and models of external storage offer their own hardware encryption. For example, many SSDs have a whole-disk encryption option, although macOS doesn’t give ready access to such device-specific features. Storage which isn’t specifically designed to meet recognised security standards should be treated with great suspicion: several specialist assessments of general-purpose SSDs have found vulnerabilities in their encryption.

I’ve tested an iStorage diskAshur SSD which is designed and certified to provide robust hardware encryption. Apart from a small performance penalty, it did what it claimed, which is far more than you’ll ever get from a regular SSD with encryption enabled.