hoakley March 3, 2023 Macs, Technology

What’s the overhead of using APFS encryption?

Intel Macs with a T2 chip and all Apple silicon Macs offer two types of encryption for APFS volumes: FileVault on the internal SSD encrypts the Data (and, in Catalina, the System) volume using hardware and encryption keys in the Secure Enclave, while APFS Encrypted volumes on other storage use software and store their keys separately. Whether or not you turn FileVault on, the T2 chip and M-series chips always encrypt Data volumes on the internal SSD, so enabling FileVault there incurs no penalty on internal storage.

On all Macs, regardless of processor, using APFS Encrypted volumes brings overhead. If you want to store your backups securely or keep sensitive data safe, that encryption won’t be performed by the T2 chip or the Secure Enclave built into M-series chips.

When Apple first introduced whole-volume encryption, some considered it incurred a significant performance penalty, but more recent reports suggest that may be almost unnoticeable, at around 3-5% or less. This article reports estimates of the effect of reading from and writing to APFS encrypted volumes on three different high-speed Thunderbolt 3 SSDs, when connected direct to a Mac Studio M1 Max, and via a Thunderbolt 4 hub. Speeds were measured using the standard options in my free app Stibium, in each case over 160 files ranging in size from 2 MB to 2 GB, in random order, giving a total of 53 GB of test files.

Direct to TB4 port

Measured speeds, given as GB/s for read / write, were:

A – plain APFS 2.8 / 2.2; encrypted 2.7 / 1.8
B – plain APFS 3.0 / 2.1; encrypted 2.9 / 2.0
C – plain APFS 2.8 / 2.8; encrypted 2.8 / 2.8

Only one write speed shows any significant change, a fall from 2.2 to 1.8 GB/s, with the encrypted volume being 82% of the speed of plain APFS.

Via TB4 hub

Measured speeds in the same units and format were:

A – plain APFS 2.7 / 1.5; encrypted 2.7 / 1.2
B – plain APFS 2.9 / 1.5; encrypted 2.9 / 1.4
C – plain APFS 2.8 / 2.8; encrypted 2.8 / 2.8

Write speeds of both Disks A and B show the same reduction when connected via a Thunderbolt hub as reported previously. However, with encryption, further slowing was seen in Disk A, to 55% of its write speed to plain APFS when connected direct to a port on that Mac.

What is the overhead to encryption?

By chance, the SSDs tested show a full spectrum, ranging from one that read and wrote at a full 2.8 GB/s whether to plain APFS or APFS encrypted, regardless of being connected direct to a port on the Mac, or via a hub. At the other extreme, another SSD read at full speed, but wrote significantly slower, whether direct or via a hub.

What I can’t tell you is how to distinguish these without running tests. However, you only need to measure write speed, and the size of the differences is such that a quick informal test should suffice.

Neither can I explain why some fast, reputable SSDs appear to be liable to write speed reduction when connected via a hub, or encrypted. In theory, the problem could lie anywhere between macOS and the SSD itself, although my suspicions remain with the Thunderbolt controller used in the peripheral. There’s no simple way to tease potential causes apart.

Although these tests were performed using a fast Apple silicon Mac with no other significant load, many Intel processors integrate support for AES encryption into their instruction set, and should deliver good performance when encrypting and decrypting. In most circumstances, reduced performance shouldn’t be a reason for not protecting sensitive data using APFS encrypted volumes.

Summary

T2 Intel and Apple silicon Macs invariably encrypt the Data volume on their internal SSD; adding the protection of FileVault’s password comes at no cost.
Some external SSDs can use APFS encryption without any reduction in performance at all.
Other external SSDs may show reduced write speed to APFS encrypted volumes, particularly when they are connected via a hub rather than directly.
Currently the only way to tell SSDs apart is to measure their write speeds.
In most circumstances, reduced performance shouldn’t be a reason for not using APFS encryption.

I’m very grateful to Thomas for drawing my attention to the quirks of some SSDs with encryption.

18Comments

Add yours

1

Enzo Vincenzo by Italy on March 3, 2023 at 8:30 am

Thanks Howard. I report my experience with FileVault, hoping to be useful. I state that since I started using it (from macOS Monterey) FileVault has never given problems to the Mac and even a restore from scratch was successful. From Monterey, in fact, onwards I also encrypt the Time Machine disk (3.5” 7,200 rpm disk – external USB 3) and I don’t notice any slowdowns during the backups.
I underline that mine is an iMac 27” late 2013 with i7 CPU, 24 GB RAM and nVidia GTX780M with 4 VRAM; and despite being an “Unsupported Ventura” Mac, with macOS 13.2.1 and OCLP 0.6.2 (Night Build) my iMac performs 110% better than Catalina. So the new “Geekbench 6” tests give me high values (1143 Single-Core and 3867 Multi-Core) even equal to several 2019 and 2020 Macs.
For the record I use OCLP since Big Sur and I’ve never had any problems, but I have to point out that I’m a very nerdy expert user, to the point that in my iMac with Ventura everything works perfectly (including Stage Manager) since I know how to unlock the Kext EFI OCLP “RestrictEvents” to also activate “Live Text” and the remove image backgrounds functionality, as this my OCLP unlock (in /EFI/OC’s “config.plist” file) does not cause problems or Kernel Panic on my iMac. So, only “Continuity Camera” crashes, but I don’t need this feature.
Finally, all the Apps work perfectly in Ventura and much better than with Catalina which in theory would be the last System supported by my iMac. 🙂

LikeLiked by 1 person
- 2
  
  hoakley on March 3, 2023 at 9:45 am
  
  Thank you. OCLP is a real boon to many, and an amazing achievement.
  Howard.
  
  LikeLiked by 1 person
3

Alec L. on March 3, 2023 at 9:32 am

Thanks. What’s the advantage of activating FileVault on a M1/M2 MacBook Air/Pro if the internal SSDs are encrypted anyway? Is FileVault redundant and not needed anymore? Or does it improve security? Or does it make recovery/access more convenient?

LikeLiked by 1 person
- 4
  
  hoakley on March 3, 2023 at 9:42 am
  
  If you leave FileVault turned off, then the encryption of your Data volume uses a machine-generated key for that encryption. The Data volume is automatically unlocked for all users when they log on.
  When you enable FileVault, the same encryption key is used, so no re-encryption takes place. However, it’s now protected so that only users who are authorised FileVault access and enter the correct password to unlock the encrypted volumes can do so.
  It’s thus a major enhancement to security that comes at no cost at all. If you haven’t enabled FileVault, then I strongly recommend that you do so.
  Howard.
  
  LikeLiked by 1 person
5

Duane C. Voy on March 3, 2023 at 1:53 pm

You have also mentioned an unexplained write speed reduction on some SSDs in other articles recently. Is it possible that your selection of Stibium parameters is bumping up against thermal throttling in some individual SSDs?

LikeLiked by 1 person
- 6
  
  hoakley on March 3, 2023 at 3:48 pm
  
  I can say with absolute confidence that those effects are nothing to do with either thermal throttling or SLC cache exhaustion.
  For start, this only occurs in those SSDs when they’re connected to a hub, and not when they’re connected directly to the Mac.
  But this is even clearer if you look back at the graphs in previous articles, such as those against elapsed time here. The throttling occurs from the first writes to the SSD, and doesn’t come on later. It also applies throughout a series of writes lasting around 60 seconds – if that were thermal throttling, then those SSDs wouldn’t be any good. Similarly it’s far too small for it be exhaustion of SLC cache.
  Finally, if any of my three fast SSDs were to suffer thermal throttling, it would be the self-assembled one, whose case has no cooling fins etc. The two commercial SSDs are solid with extensive cooling fins.
  Howard.
  
  LikeLike
7

Simon on March 3, 2023 at 2:16 pm

This is why for backup (TM) I suggest going for much less expensive SATA-based SSDs (along with buying disk and case separately so you know what you’re using). At ~500 MB/s they will still be way faster than HDDs, but you end up paying much less and don’t suffer from throttling based on your hub or thermals (case quality). I couldn’t fathom having paid 4x more but then seeing half of that performance just vanish because of ???.

LikeLiked by 1 person
- 8
  
  hoakley on March 3, 2023 at 3:54 pm
  
  “don’t suffer from throttling based on your hub or thermals”
  Sure, they’re too slow to suffer from thermal throttling. But I haven’t tested any with a TB4 hub, so I simply don’t know whether that does slow their write speeds down.
  For TM backups, all IO is throttled, but I don’t know whether that narrows the gap between SATA and NVMe SSDs, or whether NVMe remain much faster.
  More to the point is whether backups take an acceptable amount of time. That should be true, other than for the first backup, even if you use a hard disk for backup storage. But hard disks aren’t ideal with APFS, so a basic SATA SSD might be a good compromise.
  Howard.
  
  LikeLike
  - 9
    
    Simon on March 3, 2023 at 4:43 pm
    
    I definitely agree with that. There’s no doubt in my mind that an NVMe SSD interfaced to TB4 offers superior performance and for somebody using that as a boot drive for example, I wouldn’t see any real alternative.
    
    But when it comes to throttled TM backups that take place peacefully in the background anyway, the extra cost is IMHO usually just not justified. You can get a quality SATA SSD interfaced to a quality USB3 case for a fraction of the cost. Reliability and performance will still be substantially better than a mechanical HDD, which comes in handy when you do the initial backup or if you ever need to copy back (eg. Migration Assistant).
    
    I can tell you that I have multiple SATA SSDs (various cases, but internally always 1-2 GB Samsung EVO or QVO models) dangling off a CalDigit Elements TB4 hub and I see no difference in throughput (various packet sizes, integrating to ~50 GB per test) between directly attaching to a 14″ MBP and attaching through the hub. My suspicion has always been that while this is a problem for an NVMe drive that can push 2.5 GB/s, for my 500 MB/s SATA SSD no such bottleneck comes into play. Also, it’s worth noting that the bridge in my case for these TM SSDs is USB3, not TB3/4. So if the throttling you’re observing is indeed related to the TB bridge or chipset (which I think I read between the lines you’re suspecting), then it is unlikely to affect a drive interfaced over USB.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on March 3, 2023 at 6:28 pm
      
      My perfect compromise is a ThunderBay 4: four SATA SSDs for non-performance-critical use, connected via TB3 for its reliability.
      Bearing in mind all the problems we’ve had getting USB 3.x to perform properly with Apple silicon Macs. While those seem to be largely resolved at present, TB3 is far more reliable.
      Howard.
      
      LikeLike
- 11
  
  Duncan on March 3, 2023 at 4:31 pm
  
  “I suggest going for much less expensive SATA-based SSDs”
  
  One can often find SATA SSDs at a good discount these days (often of dubious component quality) but after extensive comparison shopping I have found that NVMe SSDs are not significantly more for anything up to 2TB. Above that, the price premium increases, at least for now.
  
  I, personally, am trying to transition all my future storage to M.2 cards, if only to enjoy the 3x performance boost when the rest of the hardware is in sync. I expect to own those drives for a good five years or more, so the investment is worth it.
  
  LikeLiked by 1 person
  - 12
    
    Simon on March 3, 2023 at 4:47 pm
    
    I’d claim more important than SATA vs. NVMe is the bridge, especially in terms of cost. USB bridges – even if of good quality – are just not as performant as TB3/4 bridges which will become relevant if the SSD itself can push >1GB/s. But TB3/4 bridges are of course way more expensive.
    
    And I’d also claim if you get a very fast NVMe SSD and a fancy TB3/4 bridge, the case needs to have some active cooling if you want to be able to exploit that superior performance over prolonged periods of time rather than just in shirt bursts interrupted by longer calm periods.
    
    LikeLiked by 1 person
    - 13
      
      Duncan on March 3, 2023 at 5:01 pm
      
      Well my point is that for roughly the same money (or a slight premium), an investment in M.2 cards will buy the *possibility* of greater performance in some future, improved enclosure, and even throttled superior performance is better than no superior performance. A SATA-based SSD will never get any faster no matter how you connect to it.
      
      M.2 cards used to be exotic, but they are surprisingly mainstream now, at least in the US market. Might as well take advantage of that when possible.
      
      LikeLiked by 1 person
    - 14
      
      hoakley on March 3, 2023 at 6:29 pm
      
      “a fancy TB3/4 bridge”
      Nothing fancy. So long as it support 4-lane PCIe, that’s just standard.
      Howard.
      
      LikeLike
    - 15
      
      hoakley on March 3, 2023 at 6:31 pm
      
      Oh I should add that in my tests with 50-100 GB near-continuous writes, the only SSD that has shown any sign of throttling is the Samsung X5, which is notorious, and there it’s probably SLC cache that presents the wall, not thermal throttling at all.
      Howard.
      
      LikeLike
16

Duncan on March 3, 2023 at 4:35 pm

“Although these tests were performed using a fast Apple silicon Mac with no other significant load, many Intel processors integrate support for AES encryption into their instruction set, and should deliver good performance when encrypting and decrypting.”

This is a little off-topic, but how much does that hardware AES support benefit hash operations, such as with your Dintch utility?

LikeLiked by 1 person
- 17
  
  hoakley on March 3, 2023 at 6:22 pm
  
  It’s a good question. If Apple’s API is used, I suspect it makes good use of whatever is available – Apple is very good at ensuring that, as it does in its Accelerate maths libraries.
  Howard.
  
  LikeLike
18

Michael Tsai - Blog - Overhead of Using APFS Encryption on March 8, 2023 at 7:21 pm

[…] Howard Oakley: […]

LikeLike

·Comments are closed.

Direct to TB4 port

Via TB4 hub

What is the overhead to encryption?

Summary

Share this:

Related