What’s the overhead of using APFS encryption?

Intel Macs with a T2 chip and all Apple silicon Macs offer two types of encryption for APFS volumes: FileVault on the internal SSD encrypts the Data (and, in Catalina, the System) volume using hardware and encryption keys in the Secure Enclave, while APFS Encrypted volumes on other storage use software and store their keys separately. Whether or not you turn FileVault on, the T2 chip and M-series chips always encrypt Data volumes on the internal SSD, so enabling FileVault there incurs no penalty on internal storage.

On all Macs, regardless of processor, using APFS Encrypted volumes brings overhead. If you want to store your backups securely or keep sensitive data safe, that encryption won’t be performed by the T2 chip or the Secure Enclave built into M-series chips.

When Apple first introduced whole-volume encryption, some considered it incurred a significant performance penalty, but more recent reports suggest that may be almost unnoticeable, at around 3-5% or less. This article reports estimates of the effect of reading from and writing to APFS encrypted volumes on three different high-speed Thunderbolt 3 SSDs, when connected direct to a Mac Studio M1 Max, and via a Thunderbolt 4 hub. Speeds were measured using the standard options in my free app Stibium, in each case over 160 files ranging in size from 2 MB to 2 GB, in random order, giving a total of 53 GB of test files.

Direct to TB4 port

Measured speeds, given as GB/s for read / write, were:

  • A – plain APFS 2.8 / 2.2; encrypted 2.7 / 1.8
  • B – plain APFS 3.0 / 2.1; encrypted 2.9 / 2.0
  • C – plain APFS 2.8 / 2.8; encrypted 2.8 / 2.8

Only one write speed shows any significant change, a fall from 2.2 to 1.8 GB/s, with the encrypted volume being 82% of the speed of plain APFS.

Via TB4 hub

Measured speeds in the same units and format were:

  • A – plain APFS 2.7 / 1.5; encrypted 2.7 / 1.2
  • B – plain APFS 2.9 / 1.5; encrypted 2.9 / 1.4
  • C – plain APFS 2.8 / 2.8; encrypted 2.8 / 2.8

Write speeds of both Disks A and B show the same reduction when connected via a Thunderbolt hub as reported previously. However, with encryption, further slowing was seen in Disk A, to 55% of its write speed to plain APFS when connected direct to a port on that Mac.

What is the overhead to encryption?

By chance, the SSDs tested show a full spectrum, ranging from one that read and wrote at a full 2.8 GB/s whether to plain APFS or APFS encrypted, regardless of being connected direct to a port on the Mac, or via a hub. At the other extreme, another SSD read at full speed, but wrote significantly slower, whether direct or via a hub.

What I can’t tell you is how to distinguish these without running tests. However, you only need to measure write speed, and the size of the differences is such that a quick informal test should suffice.

Neither can I explain why some fast, reputable SSDs appear to be liable to write speed reduction when connected via a hub, or encrypted. In theory, the problem could lie anywhere between macOS and the SSD itself, although my suspicions remain with the Thunderbolt controller used in the peripheral. There’s no simple way to tease potential causes apart.

Although these tests were performed using a fast Apple silicon Mac with no other significant load, many Intel processors integrate support for AES encryption into their instruction set, and should deliver good performance when encrypting and decrypting. In most circumstances, reduced performance shouldn’t be a reason for not protecting sensitive data using APFS encrypted volumes.


  • T2 Intel and Apple silicon Macs invariably encrypt the Data volume on their internal SSD; adding the protection of FileVault’s password comes at no cost.
  • Some external SSDs can use APFS encryption without any reduction in performance at all.
  • Other external SSDs may show reduced write speed to APFS encrypted volumes, particularly when they are connected via a hub rather than directly.
  • Currently the only way to tell SSDs apart is to measure their write speeds.
  • In most circumstances, reduced performance shouldn’t be a reason for not using APFS encryption.

I’m very grateful to Thomas for drawing my attention to the quirks of some SSDs with encryption.