hoakley April 23, 2022 Macs, Technology

Explainer: FileVault

Most of us keep lots of sensitive personal data stored on our Macs. If your Mac is stolen or lost, the last thing you’d want someone else to have is access to all that data. FileVault is the name Apple gives its features which encrypt stored data, so that no one else can gain access to it.

Intel Macs without T2 chips

Since Mac OS X 10.3, when Apple released the first version of FileVault, you’ve been able to encrypt some of the contents of internal storage. In what’s now often referred to as FileVault 1 or Legacy FileVault, only Home folders were encrypted into a sparsebundle. These caused problems with Time Machine backups, and have proved comparatively easy to crack. Even on old Macs, you shouldn’t assume that FileVault 1 provides any significant protection to your data.

FileVault 2 was introduced in Mac OS X 10.7, and provides whole-volume encryption based on the user password. Encryption is performed using the XTS-AES mode of AES with a 256-bit key, by the CPU. All recent Intel processors have instructions to make this easier and quicker, but all data written to an encrypted volume has to be encrypted before it’s written to disk, and all data read from it has to be decrypted before it can be used. This imposes significant overhead of around 3%, which is more noticeable on slower storage such as hard disks, and with slower Macs.

Turning FileVault on and off is quite a pain, as the whole volume has to be encrypted or decrypted in the background, a process which takes many hours or even days. Most users try to avoid doing this too often as a result, so, while FileVault is secure and effective, it isn’t as widely used as it should be.

T2 and M1 hardware encryption

One of Apple’s goals in adding the T2 chip to Intel Macs, and in the design of Apple Silicon chips like the M1 series, is to make encrypted volumes the default. To achieve that, T2 and M1 chips incorporate secure enclaves and perform encryption and decryption in hardware, rather than using CPU cycles.

The T2 chip acts as the storage controller for the internal SSD, so all data transferred between the Intel processor and SSD passes through an encryption stage in the T2’s hardware. All Macs with T2 chips, with the exception of the Mac Pro 2019, have internal storage which is soldered into place to make its removal challenging. The Mac Pro 2019 has replaceable internal SSDs, but following replacement new internal storage has to be initialised against that Mac’s T2 chip using Apple Configurator 2.

When FileVault is disabled, data on protected volumes is still encrypted using a volume encryption key (VEK), which is protected by a hardware key and a xART key used to protect from replay attacks. When FileVault is enabled, the same VEK is used, but it’s protected by a key encryption key (KEK), and the user password is required to unwrap that KEK, so protecting the VEK which is used to perform encryption/decryption. This means that the user can change their password without the volume having to be re-encrypted, and allows the use of special recovery keys in case the user password is lost or forgotten. To protect these keys, they are handled in a secure enclave in T2 and M1 chips. On Intel Macs, they never leave the T2 chip, so are never exposed to the Mac’s Intel processor.

Securely erasing an encrypted volume, also performed when ‘erasing all content and settings’, results in the secure enclave deleting its VEK and the xART key, which renders the residual volume data inaccessible even to the secure enclave itself. This ensures that there is no need to delete or overwrite any residual data from an encrypted volume: once the volume’s encryption key has been deleted, its previous contents are immediately unrecoverable.

Coverage of boot volumes by encryption varies according to the version of macOS. Prior to macOS Catalina, where macOS has a single system volume, the whole of that is encrypted; in Catalina, both System and Data volumes are encrypted; in Big Sur and later, the Signed and Sealed System Volume (SSV) isn’t encrypted, nor are Recovery volumes, but the Data volume is.

External disks

Hardware encryption and FileVault’s ingenious tricks aren’t available for external disks, but APFS was designed to incorporate software encryption from the outset. As with internal SSDs, the key used to encrypt the volume contents isn’t exposed, but accessed via a series of wrappers, which enables the use of recovery keys if the user password is lost or forgotten. This involves a KEK and VEK in a similar manner to FileVault on internal SSDs. As the file system on the volume is also encrypted, after the KEK and VEK have been unwrapped, the next task in accessing an encrypted volume is to decrypt the file system B-tree using the VEK.

Various makes and models of external storage offer their own hardware encryption. For example, many SSDs have a whole-disk encryption option, although macOS doesn’t give ready access to such device-specific features. Storage which isn’t specifically designed to meet recognised security standards should be treated with great suspicion: several specialist assessments of general-purpose SSDs have found vulnerabilities in their encryption. Unless you’re prepared to purchase external storage which is specifically designed and certified to provide robust hardware encryption, such as iStorage products, you’re better off using FileVault with its encrypted APFS volumes.

Summary

On T2 and M1 Macs, enable FileVault, as it provides robust protection of the Data volume on internal storage, without performance penalty.
On Intel Macs without a T2 chip, make an informed decision on FileVault.
Don’t forget to use FileVault on external storage, where needed.
Don’t trust whole-disk encryption on external disks unless it’s designed and certified to provide robust hardware encryption.
FileVault provides an instant and highly effective way to securely erase your data.

56Comments

Add yours

1

David B. on April 23, 2022 at 7:33 am

Hello again!

You didn’t mention it, Howard – so I will! Some years ago, after much frustration, I discovered that when File Vault is active one is unable to start an iMac in Safe Boot mode. It’s possible that your other readers don’t know this and the insight will help /them/ to not ‘tear their hair out’! 😉

Kind regards,
David

LikeLiked by 1 person
- 2
  
  hoakley on April 23, 2022 at 8:33 am
  
  Thank you.
  I’m sorry, that’s no longer correct. You can boot in Safe mode when FileVault is enabled. If you couldn’t, then no T2 or M1 Mac could ever boot in Safe mode, could they?
  Howard.
  
  LikeLike
  - 3
    
    David B. on April 23, 2022 at 9:00 am
    
    Thank you for your reply, Howard.
    
    My iMac is just over 4 years old – iMac18,3. https://everymac.com/ultimate-mac-lookup/?search_keywords=iMac18,3
    
    Do you agree that I *WAS* correct but that matters have since changed?
    Or was there something amiss with my computer?
    
    Thinking cap on, it may have been with my original iMac, a 24 inch one made in late 2008! Memory plays many tricks at my age!
    
    David
    
    LikeLiked by 1 person
    - 4
      
      hoakley on April 23, 2022 at 1:40 pm
      
      I’m sorry, I don’t know. I very seldom used FileVault on Intel Macs before the T2.
      Howard.
      
      LikeLike
    - 5
      
      ninjaturtle45 on April 23, 2022 at 3:06 pm
      
      David,
      
      Something seems to be amiss with your Mac. I have successfully booted an iMac13,2 (with FileVault enabled) into Safe Mode. In this scenario, you should see the login screen twice:
      
      – Once to unlock the boot/data volume
      
      – Again to log yourself in (Safe Boot should now appear in the top right corner, in red text).
      
      What COULD stop you from booting in Safe Mode, however, is a firmware password: https://support.apple.com/en-us/HT204455
      
      LikeLiked by 2 people
    - 6
      
      David B. on April 23, 2022 at 7:00 pm
      
      Hi NT45 – you’ve hit the nail right on the head. It was the firmware password I was thinking of all along! 😭 I sincerely apologise for my mistake.
      
      LikeLiked by 2 people
- 7
  
  Ric Ford on April 23, 2022 at 2:36 pm
  
  I remember booting an Intel Mac in Safe mode in the past with FileVault enabled and seeing “Safe Boot” in red during the boot process, but invoking Safe mode is tricky. I just did some experiments trying to recreate that process.
  
  On a 2017 iMac 5K running Catalina, holding the Shift key at startup and then when hitting Return to enter the FileVault password, I didn’t see a “Safe Mode” alert, but the boot process was radically changed, indicating that Safe mode or some variant had taken effect: startup was much, much slower, and normal workflow after boot exhibited odd anomalies, such as an email app and mouse driver not working.
  
  On a 2015 MacBook Pro 15″ running macOS Mavericks with FileVault enabled, I used the same Shift-key boot procedure which made the boot process very, very, very slow then ended at a login screen where “Safe Boot” was displayed in red towards the right-hand side of the menu bar.
  
  LikeLiked by 1 person
  - 8
    
    Ric Ford on April 23, 2022 at 2:43 pm
    
    I just retested with FileVault-enabled Catalina on the iMac 5K and was able to get Safe Boot in red on the menu bar after using the Shift key at startup and when hitting Return for the startup/FileVault password, so, yes, Safe Boot does work with FileVault enabled (at least in macOS 10.14 and 10.15).
    
    LikeLiked by 1 person
  - 9
    
    hoakley on April 23, 2022 at 3:43 pm
    
    Thank you.
    It certainly wasn’t a known issue with the combination, nor should it have been, given the way that Safe boot works.
    Howard.
    
    LikeLike
10

prairiewalker on April 23, 2022 at 1:16 pm

If I use Filevault on my M1 iMac, are Timemachine backups to external drives still encrypted or do the external drives also have to be under Filevault control? Thanks for this explainer.

LikeLiked by 1 person
- 11
  
  hoakley on April 23, 2022 at 1:33 pm
  
  FileVault and its encryption aren’t set by the content, but by the volume. If you want to have encrypted backups, then the volume that stores those backups must be encrypted.
  When TM is being set up to back up to APFS, if the source volume is encrypted by FileVault, and you select a backup volume which isn’t encrypted, macOS will warn you that you’re going to back up to a volume which isn’t encrypted, and invite you to use an encrypted volume instead.
  Howard.
  
  LikeLike
  - 12
    
    prairiewalker on April 24, 2022 at 11:18 pm
    
    Thanks Howard.
    
    LikeLiked by 1 person
13

Ric Ford on April 23, 2022 at 2:56 pm

You really are hitting some of my favorite topics lately, Howard! 🙂

A few FileVault tips that may be helpful for other folks regarding pre-T1 Intel Macs:

• FileVault encryption time depends on the amount of data on the volume, so encrypting a full volume takes much longer than encrypting an empty one.

• In certain cases, a FileVault encrypted volume may be decrypted without warning, e.g. when installing/updating macOS, so always check encryption status afterwards.

• Apple has also made it quite difficult in recent macOS versions to clone a bootable system to an encrypted volume (as documented by Bombich Software in its Carbon Copy Cloner help documents).

• Remarkably, FileVault encryption can take place “on the fly” as you’re using a drive.

Due to all that, you may save a lot of time when cloning/migrating systems by first installing/migrating a very minimal system to an unencrypted volume, then turning on FileVault, and finally migrating the bulk of your files (e.g. with Migration Assistant).

Non-boot volumes can be encrypted/decrypted on the fly from the Finder, by right-clicking the disk icon and choosing Decrypt/Encrypt from the pop-up menu.

One last tip for “power users”:

The command-line program “fdesetup” offers more capability than the very limited functionality of System Preferences > Security > FileVault. (Note that it requires the “sudo” command for needed priviliges.)

LikeLiked by 1 person
- 14
  
  ninjaturtle45 on April 23, 2022 at 3:35 pm
  
  “In certain cases, a FileVault encrypted volume may be decrypted without warning, e.g. when installing/updating macOS, so always check encryption status afterwards.”
  
  Can you please provide some examples where this could happen? I’ve never ran into this before on an Intel Mac without the T2 Security Chip.
  
  Also, “fdesetup” for the win 🙂 “diskutil apfs” and “diskutil corestorage” can also be used to manage encryption where fdesetup can’t reach (beyond the boot volume).
  
  LikeLiked by 1 person
  - 15
    
    Ric Ford on April 23, 2022 at 3:51 pm
    
    “Can you please provide some examples where this could happen?”
    
    I was shocked years ago when an Apple OS X update did this and documented it at the time. It seems to be rare in recent years but is always worth double-checking.
    
    The common problem now is being forced to install/migrate into an unencypted volume by security restrictions of the latest macOS versions then having to remember to re-encrypt your drive after installation/migration. (Again, this is documented in Bombich’s excellent, wide-ranging CCC documentation.)
    
    In either case, if we care about securing sensitive information, we need to check that the drives are encrypted after an installation/migration process. Fortunately, as Howard notes, M1 Macs make FileVault encryption/decryption of internal drives super-fast in comparison to the time required on Intel Mac systems.
    
    LikeLiked by 1 person
    - 16
      
      Ric Ford on April 23, 2022 at 4:00 pm
      
      “The common problem now is being forced to install/migrate into an unencypted volume by security restrictions of the latest macOS versions then having to remember to re-encrypt your drive after installation/migration. (Again, this is documented in Bombich’s excellent, wide-ranging CCC documentation.)”
      
      To clarify, I’m talking more about *cloning* than installing. In the past, we could use CCC to easilly clone a FileVault-encrypted boot volume to another one on a different drive. That sort of cloning fails or has security problems in the most recent macOS versions (as Bombich/CCC documents).
      
      *Installing* macOS on an encrypted volume (rather than cloning) may be fine, but I haven’t really tested all the permutations.
      
      LikeLiked by 1 person
    - 17
      
      hoakley on April 23, 2022 at 4:03 pm
      
      Some users who have FileVault turned on in older versions of macOS have to turn it off before they can upgrade to Big Sur or Monterey, I gather. Unfortunately, macOS won’t do this for itself, and it can cause serious problems, including failed upgrades. Sometimes you can work around those by performing the upgrade in Safe mode (which is one of the purposes of Safe mode), or performing a fresh install and migrating from the old system.
      So yes, FileVault can be interesting with macOS upgrades.
      Howard.
      
      LikeLiked by 1 person
    - 18
      
      Ric Ford on May 21, 2022 at 3:49 am
      
      The macOS Monterey (12.4) installer refuses to install to a freshly-erased APFS partition that is formatted as APFS (Encrypted) in Disk Utility (i.e. FileVault protected).
      
      You may not install to this volume because it has a disk password
      
      And the only reason I’m reinstalling is because macOS wouldn’t update macOS 12.0.1 to macOS 12.4 on an external drive, putting up errors about not being an “owner” (of what?), asking for a new owner, and refusing to accept that, either.
      
      Ric
      
      LikeLiked by 1 person
- 19
  
  hoakley on April 23, 2022 at 3:48 pm
  
  Thank you.
  Because the System volume isn’t encrypted in Big Sur and Monterey, it should now be fine to install straight to an encrypted minimal Data volume, rather than having to wait to turn FileVault on.
  Howard.
  
  LikeLike
20

callmedave on April 23, 2022 at 8:13 pm

Apologies if this is obvious, but how do you use FileVault on external storage?

An external APFS drive doesn’t show in the File Vault tab of the Security & Privacy preference pane, and secondary-clicking on an external drive’s _volume_ in the Finder and selecting “Encrypt” displays the same encryption dialog boxes we’ve had forever with Password/Verify/Hint .

If I use
Disk Utility->Show All Devices->Physical Storage->Erase->GUID->APFS (Encrypted)
I get the same simple trio of Password/Verify/Hint. The _volume_ that gets created is shown in Disk Utility as “APFS Volume • APFS (Encrypted)” but if I add a new volume to the container it’s just APFS; not encrypted.

What am I missing here?

LikeLiked by 1 person
- 21
  
  hoakley on April 23, 2022 at 8:26 pm
  
  On external disks, FileVault is APFS Encrypted, that’s all. Simply create your APFS encrypted volume and, well, use it – it’s encrypted.
  Howard.
  
  LikeLiked by 1 person
22

Milo on April 25, 2022 at 1:05 pm

Maybe it was not your intention, but it sounds like you are recommending to not use FileVault on Intel Macs. While FileVault on T2 and M1 Macs is definitely more advanced, I never had problems with FileVault encryption on older Intel Macs over the years. Even changing passwords is rather painless. You don’t have to reencrypt the whole drive for that at all.

LikeLiked by 1 person
- 23
  
  hoakley on April 25, 2022 at 1:58 pm
  
  Thank you.
  Please re-read my summary, where I write:
  “On Intel Macs without a T2 chip, make an informed decision on FileVault.”
  That isn’t a recommendation to not use it. It’s a recommendation to think carefully about its pros and cons. On pre-T2 Intel Macs, it isn’t a free lunch. It does carry a small overhead, encryption and decryption (should you need) take time to perform, particularly if you have a large amount of data. And, because most internal disks in those Macs are removable, it’s not as secure as in T2 and M1 models.
  So you need to make that decision. On a T2 or M1 Mac, there are essentially no cons at all, and even more pros.
  The reason that you don’t have to re-encrypt when changing passwords is that the password isn’t used for the encryption, but to give access to the Volume Encryption Key (VEK) via the Key Encryption Key (KEK), as explained.
  Howard.
  
  LikeLike
  - 24
    
    Milo on April 25, 2022 at 4:45 pm
    
    I just think that under most circumstances it’s a good idea to enable FileVault on Intel Macs, especially if they are portable and used outside your home. Three percent overhead is hardly noticeable and in exchange gives you peace of mind should you loose your Mac or if it gets stolen.
    
    LikeLiked by 2 people
    - 25
      
      hoakley on April 25, 2022 at 10:12 pm
      
      Thank you.
      I never used FileVault on my old iMacs here at home, but did use it for a while on notebooks. Encryption and decryption were a real pain on a MacBook Air.
      Howard.
      
      LikeLike
26

Michele Galvagno on May 3, 2022 at 7:10 am

How does one activate FileVault for external disks?
Does that need a separate password for each one of them? If so, will it be asked every time one connects them?

LikeLiked by 1 person
- 27
  
  hoakley on May 3, 2022 at 7:34 am
  
  Format the volume as APFS (Encrypted).
  Yes, they have to have individual passwords, although there’s nothing to stop you from using the same password for each of them. After all, that’s the whole point of encrypting them, isn’t it? If they didn’t require a password to access them, then that encryption wouldn’t provide any protection, would it?
  Howard.
  
  LikeLiked by 1 person
  - 28
    
    Michele Galvagno on May 3, 2022 at 7:36 am
    
    Absolutely right.
    Issue is that if the volume already contains content, formatting it would require moving its data to another disk and then back…
    
    LikeLiked by 1 person
    - 29
      
      hoakley on May 3, 2022 at 7:39 am
      
      No it doesn’t. I don’t think you can encrypt an existing APFS volume, although I could be wrong on that.
      What you can do is create an encrypted volume within the same container, and move files from the unencrypted to the encrypted volume, sharing the same free space. For many, that can be a better solution, as they may wish to retain some of the original volume unencrypted.
      Howard.
      
      LikeLiked by 1 person
    - 30
      
      Michele Galvagno on May 3, 2022 at 7:51 am
      
      So… Disk Utility > new volume > APFS (Encrypted). Will they automatically share free space or is there an option for that?
      
      LikeLiked by 1 person
    - 31
      
      hoakley on May 3, 2022 at 8:06 am
      
      They share free space if the two volumes are both APFS and are within the same container. APFS volumes can’t be created in the same ‘container’ as HFS+ volumes, because HFS+ volumes are in effect their own container.
      Howard.
      
      LikeLiked by 1 person
    - 32
      
      hoakley on May 3, 2022 at 7:55 am
      
      No it doesn’t.
      1. Add a new volume alongside the existing one, in the same container. Those volumes now share the same free space within that container.
      2. Move the files you want encrypted from the original unencrypted volume to the new encrypted one.
      3. As they’re all within the same container, there’s essentially no change in free space in that container or disk.
      Yes, they still have to be copied from one file system to another, which takes time. But they’re encrypted as part of that process, which had to happen anyway. You can’t encrypt them in place.
      Howard.
      
      LikeLiked by 1 person
    - 33
      
      Michele Galvagno on May 3, 2022 at 7:56 am
      
      My use case would be for a spinning HD, which I think it’s not in APFS, so it may be a bit more complicated to do, but will look into it.
      Thanks
      
      LikeLiked by 1 person
    - 34
      
      hoakley on May 3, 2022 at 8:01 am
      
      If the original is in HFS+, then that’s effectively in its own container. If you’re intending storing its contents encrypted, then I’d strongly recommend that you use APFS, and that you transfer them to an SSD if possible.
      Howard.
      
      LikeLiked by 1 person
    - 35
      
      Michele Galvagno on May 3, 2022 at 8:31 am
      
      I will, just I still have a couple of years of data recovery plan included. It is an enterprise-class HDD from LaCiE, which I bought when my last TM disk tried to destroy everything I had there AND on my Mac (boot loop and much more)! It was scary indeed, as not even Apple Store support could suggest anything apart from formatting!
      Then… connecting the disk to an old 2009 MBP, it worked! It copied everything, and I could format and restore!
      Good old times 😅
      
      LikeLiked by 1 person
  - 36
    
    Ric Ford on May 3, 2022 at 1:01 pm
    
    “I don’t think you can encrypt an existing APFS volume, although I could be wrong on that.”
    
    I don’t think you can with Disk Utility, but you can certainly
    
    1) encrypt an unencrypted boot volume by enabling FileVault in System Preferences > Security > FileVault
    
    and
    
    2) right-click on any mounted volume in the Finder to encrypt it (if not encrypted) or decrypt it (if encrypted)
    
    You do _not_ have to reformat a volume to encrypt it!
    
    Ric
    
    LikeLiked by 1 person
    - 37
      
      Ric Ford on May 3, 2022 at 1:05 pm
      
      Apple documents it here:
      
      https://support.apple.com/guide/mac-help/protect-your-mac-information-with-encryption-mh40593/mac
      
      “In the Finder on your Mac, open a window, then Control-click the item you want to encrypt in the sidebar.
      
      Choose Encrypt [item name] from the shortcut menu.
      
      Create a password for the disk and click Encrypt Disk.”
      
      LikeLiked by 1 person
    - 38
      
      Ric Ford on May 3, 2022 at 1:07 pm
      
      Apple describes the right-click (Control-click) encryption operations here:
      
      https://support.apple.com/guide/mac-help/protect-your-mac-information-with-encryption-mh40593/mac
      
      In the Finder on your Mac, open a window, then Control-click the item you want to encrypt in the sidebar.
      
      Choose Encrypt [item name] from the shortcut menu.
      
      Create a password for the disk and click Encrypt Disk.
      
      LikeLiked by 1 person
    - 39
      
      hoakley on May 3, 2022 at 1:17 pm
      
      Thank you, Ric. It didn’t take long for you to prove how wrong I was!
      However, as you remark, this isn’t a feature offered by Disk Utility, which given its name, seems something of a serious omission.
      Howard.
      
      LikeLike
40

Ric Ford on May 7, 2022 at 7:33 pm

Hi, Howard –

As I’m currently experimenting with a new M1 MBP 14 and FileVault, I discovered an unexpected side-effect of enabling FileVault: it blocks access to startup options (Recovery etc.) unless you have the password.

Apple also notes some other changes that occur (without notice) when enabling FileVault.

https://support.apple.com/guide/mac-help/how-does-filevault-encryption-work-on-a-mac-flvlt001/12.0/mac/12.0

To ensure security when you turn on FileVault, other security features are also turned on. For example, when you turn on FileVault, you need a password to log in when your Mac is in sleep, or after leaving the screen saver. After the initial startup, only users that an administrator enables to use FileVault can log in.

LikeLiked by 1 person
- 41
  
  Ric Ford on May 7, 2022 at 7:38 pm
  
  I also encountered one other FileVault issue, where I could only enable and disable FileVault from the first account (admin account) created on the new computer and not from admin accounts that I added later. (I’d be interested to know if others can confirm this issue.)
  
  Ric
  
  LikeLiked by 1 person
  - 42
    
    hoakley on May 7, 2022 at 7:41 pm
    
    I think that’s correct behaviour too.
    Howard.
    
    LikeLike
    - 43
      
      Ric Ford on May 7, 2022 at 7:45 pm
      
      “Correct”? I didn’t see it documented anywhere by Apple (but perhaps I’m asking too much…).
      
      Ric
      
      LikeLiked by 1 person
    - 44
      
      hoakley on May 7, 2022 at 8:24 pm
      
      Isn’t that what you get in T2 Secure Boot as well? (Sorry, I so seldom enter Recovery on my iMac Pro.)
      Howard.
      
      LikeLike
- 45
  
  hoakley on May 7, 2022 at 7:41 pm
  
  I don’t think that’s correct. You can still start up in Recovery, which isn’t encrypted. However, any operation which requires access to your encrypted Data volume requires the password for that volume to be accessed. But isn’t that what’s supposed to happen anyway?
  The other security features are turned on, yes. And you can (as I always do) turn them off again. And the restriction on who can access an encrypted volume is standard too – an admin user can grant other users access via their passwords.
  I’m not sure what the problem is?
  Howard.
  
  LikeLike
  - 46
    
    Ric Ford on May 7, 2022 at 7:50 pm
    
    “I don’t think that’s correct. You can still start up in Recovery, which isn’t encrypted.”
    
    Here’s what happens:
    
    1) Hold power button at start for options
    2) Choose Options when it appears
    3) “Select a user you know the password for: [click Next]
    4) Enter the password for [user]:
    
    Does that not happen for other folks?
    
    Ric
    
    LikeLiked by 1 person
    - 47
      
      hoakley on May 7, 2022 at 8:26 pm
      
      That’s correct. That’s logging in – a mandatory requirement for Secure Boot. If you didn’t have to do that, anyone could steal your Mac, reformat its active system, install macOS, and sell it. I thought that was also standard for T2 Macs in Secure Boot, but maybe I’m wrong.
      Howard.
      
      LikeLike
    - 48
      
      Ric Ford on May 7, 2022 at 9:49 pm
      
      “That’s logging in – a mandatory requirement for Secure Boot. If you didn’t have to do that, anyone could steal your Mac, reformat its active system, install macOS, and sell it.”
      
      Yes, but you only get that protection by first enabling FileVault, right? And Apple defaults to FileVault being disabled, creating that exact exposure for users who don’t know any better.
      
      “I thought that was also standard for T2 Macs in Secure Boot, but maybe I’m wrong.”
      
      I don’t have any T2 Macs, so I’m not a good person to ask… 🙂
      
      Ric
      
      LikeLiked by 1 person
    - 49
      
      hoakley on May 7, 2022 at 10:10 pm
      
      I’ve always turned FileVault on, on T2 and M1 Macs, so I haven’t a clue whether that login has anything to do with them. I don’t think it has, as it doesn’t unlock the protected volume, something you’ll be prompted to do when its access is needed later.
      Much of this is explained in detail in the Apple Platform Security guide – not a document that users are likely to come across, but an invaluable compendium of information about FileVault, Secure Boot etc.
      Howard.
      
      LikeLike
50

michaelsschmitt on September 11, 2022 at 8:37 pm

I getting a weird FileVault initial encryption problem that I’m unable to find any mention of anywhere…

I’m trying to encrypt a Catalina clone on an external HDD drive. I started the encryption while it was booted on that drive, now I’m trying to get it to finish it. It encrypted for a while, then stopped, changing to as status of “Yes (Unlocked)” — but there’s no way it actually encrypted all 1.5 TB.

When I unmount, the status changes to 0%, so it knows it isn’t encrypted. But when I mount it again, it starts at 5%, but then in a minute changes back to Yes. Disk Utility First Aid says the drive is OK. I have the same result if I connect the drive to either of my two (Catalina) Macs.

One thing I noticed: there are two Time Machine snapshots on the drive, apparently taken while I was booted on the drive, even though I didn’t have the Time Machine backup drive connected. Does this mean the snapshots are confusing FileVault? Such as, when mounted it is just encrypting the blocks that were changed in the snapshot, but not the blocks on the original drive before the snapshots?

I tried deleting the snapshots but tmutil just says “Failed to delete local snapshot”, without any other explanation.

LikeLiked by 1 person
- 51
  
  hoakley on September 11, 2022 at 9:07 pm
  
  I’m sorry to hear that. As it’s two years since I last ran Catalina, I’m not sure that I can suggest much.
  However, I note that you’re trying to enable APFS encryption on an external hard disk, after you’ve cloned a boot volume group to it. That seems like a recipe for trouble. Add TM making snapshots while that’s going on, and perhaps it’s not surprising.
  I’m not sure about Catalina, but the System volume in Big Sur and later isn’t encrypted when File Vault is turned on, only the Data volume. Perhaps if you were to try encrypting only the Data volume and with TM turned off, you’d have a better chance of success?
  I wish you success anyway,
  Howard.
  
  LikeLike
  - 52
    
    michaelsschmitt on September 11, 2022 at 9:21 pm
    
    I thought that the only way to encrypt a clone of a Catalina volume was to boot to it (which is excruciating) and then turn on FileVault. Which, of course, in Catalina encrypts both the system and data volumes.
    
    I’ve succeeded doing this already on 4 other drives: 3 HDD and 1 SDD. Just this one is acting strange.
    
    But if it is snapshot related, maybe I do have to turn Time Machine off. I know I did that on some of the other drives, but not sure if I did on all of them.
    
    Perhaps the fact that even though the data isn’t fully encrypted, the requirement to unlock the volume before use is a sufficient deterrent against data theft.
    
    It’s all a moot point, since I’ll be erasing and re-cloning when I upgrade to Big Sur. I’m only still on Catalina because I was held back on Mojave due to 32-bit code for a long time, and just now upgraded. (I don’t like skipping OS versions.)
    
    LikeLiked by 1 person
    - 53
      
      hoakley on September 11, 2022 at 10:17 pm
      
      I wish you success.
      Howard.
      
      LikeLike
54

Theorist on September 24, 2022 at 9:50 pm

Is the following correct?:

It’s my understanding that a T2 chip isn’t merely a security “gatekeeper”, but is actually dedicated hardware that performs the encryption/decryption—thus providing a significant speedup vs. a T1 Mac, because you’re encrypting with dedicated hardware rather than with the CPU+software.

Hence even though an external drive on a T2 Mac isn’t “hardware encrypted” in the sense that it has that level of security protection, it is hardware encrypted (and decrypted) in the sense that encryption/decryption even for external drives is done in the T2 chip, thus significantly reducing the performance penalty for encryption vs. what would be seen with an external drive on a T1 Mac.

Consistent with this, for a SanDisk Extreme V2, both Blackmagic and Amorphous show a 35%–40% performance penalty (calculated as the est. increase in time for an operation*) for sequential writes when attached to my 2019 (T1) iMac. By contrast, a poster on MacRumors reported an ~10% penalty with that same external drive when attached to an M1 MacBook Pro.

Interestingly, when I measure my internal drive (an aftermarket 2 TB WD SN850), I don’t see significant penalties for sequential reads/writes (0%–11%, depending on the specific measurement). But for randoms (and randoms are what matter most for an internal drive, if you care about how responsive your computer feels), I’m seeing est. time increases of 20%–80%.

*100 x |1 – (speed w/o encryption)/(speed w/ encryption)|

LikeLiked by 1 person
- 55
  
  hoakley on September 25, 2022 at 6:58 am
  
  Well, Apple states very clearly in the current Platform Security Guide:
  “Encryption of removable storage devices doesn’t utilise the security capabilities of the Secure Enclave, and its encryption is performed in the same manner as an Intel-based Mac without the T2 chip.”
  Detailed explanations of how FileVault is implemented for internal storage in T2 and M1 chips is that the encryption stage is actually built into the disk controller part of the chip, which only makes hardware acceleration available to SSDs which are accessed by that disk controller.
  And your 2019 iMac doesn’t have a T1, which was used only briefly for MacBook Pros around 2017. The first iMac with a T2 was the 2020 model,, soon to be replaced in 2021 by the M1 iMac.
  Perhaps you need more appropriate benchmarks, or they’re looking at other differences, perhaps?
  Howard.
  
  LikeLike
  - 56
    
    Theorist on September 25, 2022 at 9:12 am
    
    Thanks for the correction about the T1 chip [wish my iMac had the T2, so I could meet the HDCP requirements and watch Netflix in 4k 😉 ], and for the answer about how encryption works for external drives with all Macs.
    
    Unfortunately, I don’t have an M1 so I can do the test myself and ensure it’s done consistently. But it’s possible what the MR member reported is accurate: Since no Mac does hardware encryption of externals, this task is performed by the CPU + software. And the CPU on his M1 may be much faster for this task than the Coffee Lake i9 on my iMac. If so, that would explain why I see a much larger encryption penalty than he does.
    
    LikeLiked by 1 person