hoakley March 31, 2023 Macs, Technology

Why you should enable FileVault

One of the features of all modern Macs, whether they have Intel processors with a T2 chip, or are Apple silicon models, is that they all encrypt the Data volume on their internal storage. So why should you enable FileVault when the volume is already encrypted? This article explains the difference, and why every Mac running recent macOS should have FileVault enabled on its startup Data volume.

Intel Macs without a T2 chip

The situation is clearest in Intel Macs without a T2 chip, as by default they don’t encrypt any volume. As they can be booted from an external disk, anyone who gets hold of that Mac, even for a few minutes, can steal what they want from it. Although encryption does impose a small overhead, all recent Intel processors have instructions that accelerate it. You’re unlikely to notice the difference in performance, although initial encryption can take many hours for larger volumes. If you’re planning for a clean install of macOS, that doesn’t matter, as you can enable FileVault before you migrate anything to it, when encryption is quickest.

Intel Macs with a T2 chip and Apple silicon Macs

The Data volume on the internal SSD is always encrypted, and can’t be run unencrypted. Although this might suggest that FileVault is superfluous, it adds valuable protection at absolutely no cost.

Default encryption with FileVault turned off uses two keys generated internally, to protect the key used to perform the encryption of the volume, known as the Volume Encryption Key or VEK. While these keys are protected in the Secure Enclave, they don’t rely on any external secret such as a password.

With FileVault turned on, the same VEK is used, so the volume doesn’t have to be decrypted and re-encrypted to use FileVault, but the VEK is protected by additional encryption using your password with a hardware key. Without the user password, no decryption can be performed, even if the SSD is removed from the Mac. You can also change your password at any time without that requiring decryption and re-encryption. Best of all, there’s no overhead in using FileVault, as exactly the same encryption and decryption is performed using the same VEK, it’s just that accessing the VEK requires your password. Apple explains this fully in its Platform Security Guide.

Bootable external disks

These are often forgotten, although as external storage can be much more likely to be lost or stolen, you should normally enable FileVault to cover the Data volume, and use APFS (Encrypted) volumes to store any other data.

Contrary to rumour, FileVault is fully supported on bootable external disks for Apple silicon Macs. To enable it, start your Mac up from its external disk, open Privacy & Security settings, and at its foot click on the Turn On… button.

filevault1

You’ll then be prompted to choose how to access its Recovery Key. If you don’t opt for iCloud, the key will be displayed for you to take a screenshot and make a copy to store securely elsewhere.

filevault2

With a near-empty Data volume, encryption takes but a few seconds.

filevault3

SilentKnight should then give your Mac and its system a clean bill of health.

filevault4

Encryption overhead remains small, and shouldn’t be noticeable on a reasonably fast external SSD connected by Thunderbolt. In my case, read performance fell from 2.8 GB/s best speed to 2.6 GB/s with FileVault, and write speed from 2.2 GB/s to 1.8 GB/s. If you want better performance, then you should instead be booting from your Mac’s internal SSD.

Time Machine backup disks

When you first set up Time Machine backups to APFS storage, macOS now encourages you to use APFS (Case-sensitive, encrypted) format. This is most important for backup storage that you might take with a notebook, but it makes good sense to encrypt those backups whatever.

Lightweight Virtual Machines

Yes, you can enable FileVault in VMs running on Apple silicon Macs using lightweight virtualisation. If you process sensitive data and your VM is kept on external storage that isn’t formatted in APFS (Encrypted), then this should be a good way to protect that data.

Summary

Unless there’s a good and sound reason, enable FileVault on your Mac.
Wherever you store potentially sensitive data, ensure it’s either protected by FileVault or that volume is formatted APFS (Encrypted).

30Comments

Add yours

1

Old Coot on March 31, 2023 at 6:46 am

I might be paranoid, but I have also encrypted my Carbon Copy Cloner on my external SSD. I found it by mistake but have used it ever since, on the Desktop icon for CCC after right-clicking on it. I also found a niffy little app called Pareto Security ( https://github.com/ParetoSecurity/pareto-mac/releases/tag/1.7.61) that shows what is and isn’t locked down on Ventura.

LikeLiked by 2 people
- 2
  
  hoakley on March 31, 2023 at 8:00 am
  
  Thank you. Yes, the same applies to any backups that contain potentially sensitive data. As far as I’m aware, though, Time Machine is the only one that actually encourages you to encrypt its backup storage.
  Howard.
  
  LikeLiked by 1 person
3

Ed on March 31, 2023 at 6:52 am

There was one compelling reason for me to disable FileVault: third-party bluetooth keyboards couldn’t be used to login after reboot with FileVault enabled. (Or at least that was the case with my Logitech K780.) But that was solved in Ventura!

LikeLiked by 2 people
- 4
  
  J on March 31, 2023 at 10:10 am
  
  Similarly, when FileVault is enabled on a headless Macs, like my Mac Mini, screen sharing can’t connect to it after it reboots, so you have to connect a monitor and keyboard to the headless Mac Mini after every reboot if FileVault is enabled. I have FileVault enabled everywhere else except on headless Mac Minis that rely on Screen Sharing from another Mac.
  
  LikeLiked by 3 people
  - 5
    
    hoakley on March 31, 2023 at 10:58 am
    
    Yes: that’s in effect a server, and you need to protect its private data by other means, such as encrypted volumes.
    Howard.
    
    LikeLiked by 2 people
  - 6
    
    Simon on March 31, 2023 at 1:43 pm
    
    Only if an unscheduled reboot happens. If you are rebooting your headless FV secured Mac, there’s a simple tool.
    
    sudo fdesetup authrestart
    
    LikeLiked by 2 people
    - 7
      
      hoakley on March 31, 2023 at 1:52 pm
      
      Thank you. I wrote all about it just recently. Unfortunately, it’s only good for controlled reboots.
      Howard.
      
      LikeLiked by 1 person
    - 8
      
      J on April 1, 2023 at 12:23 am
      
      That’s a hot tip. Thanks.
      
      As far as I know, it isn’t currently possible to manually schedule checking and installing macOS updates or schedule a restart that would automatically include pending macOS updates.
      
      Meanwhile, I like the advice of encrypted volumes on headless Macs sans FV. Encrypted DMGs are good enough for me so far.
      
      LikeLiked by 1 person
    - 9
      
      hoakley on April 1, 2023 at 12:01 pm
      
      You can use the command tool softwareupdate to check for and install updates, although I wouldn’t recommend it for macOS updates as such. There’s also user interaction required on Apple silicon Macs. I don’t know if management, such as MDM, could offer something better, though.
      Howard.
      
      LikeLike
10

prehensileblog on March 31, 2023 at 7:38 am

I wanted to mention one other side effect, unless I’ve missed it in the article (It’s explained in [FileVault instructions](https://support.apple.com/en-us/HT204837)). If, by chance, you still have automatic login enabled, that is no longer available for any user when FileVault is enabled.

LikeLiked by 2 people
- 11
  
  hoakley on March 31, 2023 at 8:04 am
  
  Thank you. It’s not a side-effect, but part of the feature. If you think about it for a moment, any form of encryption that doesn’t require entry of a valid password doesn’t provide much (if any) protection – and that’s the whole reason for enabling FileVault rather than leaving the default machine encryption running.
  No Mac containing any sensitive or personal data should ever have automatic login enabled anyway.
  Howard.
  
  LikeLiked by 1 person
12

Martin on March 31, 2023 at 7:57 am

I can’t use FileVault on my Mac Mini Plex Server because if I have to reboot it remotely or it crashes, I can’t login again without being there physically. FileVault prevents remote access via AnyDesk or VNC.

LikeLiked by 2 people
- 13
  
  hoakley on March 31, 2023 at 8:06 am
  
  Thank you.
  Servers are different, of course, and require separate protection of all sensitive data, but normally using volume encryption rather than FileVault.
  Howard.
  
  LikeLiked by 1 person
14

Simon on March 31, 2023 at 1:46 pm

Ha! Now I have to wonder if my automount troubles with various external SSDs used for TM might have something to do with the fact that I always encrypt these volumes. As the article points out, I always make sure to encrypt these TM backups due to their sensitive contents so I don’t have a control lying around. Any hunch if the automount issues (see yesterday’s post) could be related not to TB/USB or TM, but due to the fact that these volumes are APFS encrypted?

LikeLiked by 2 people
- 15
  
  hoakley on March 31, 2023 at 1:57 pm
  
  Funnily enough, mounting APFS encrypted volumes is one of the next topics I’m going to cover in my series here, possibly as early as Monday morning. How do you get your APFS encrypted volumes to automount?
  Howard.
  
  LikeLiked by 1 person
  - 16
    
    Simon on March 31, 2023 at 6:11 pm
    
    Disk encyption password is stored in Keychain. When it works, it’s all seamless and beautiful. It’s just that every once in a while the automount doesn’t work. Then I have to launch Disk Utility (which of course shows the drive’s there) and manually mount the drive from there. It will then mount just fine and work as per usual. There’s nothing that appears wrong with any of these drives or their TM functionality, it’s just that for some inexplicable (at least right now to me) reason, every once in a while upon being connected to the Mac, they won’t get mounted like they should.
    
    LikeLiked by 2 people
    - 17
      
      hoakley on March 31, 2023 at 7:34 pm
      
      That’s odd. Maybe a little trip in the log would be worthwhile after a mount failure, to see whether there are any clues there.
      Howard.
      
      LikeLiked by 1 person
18

Enzo Vincenzo on March 31, 2023 at 6:37 pm

Thanks Howard and thanks everyone for the details!
I learned more from this thread than from what Apple says about FileVault!
I add that until two years ago I feared that FileVault would slow down the Mac and I discovered, however, that “almost almost” FV makes it smoother and faster; perhaps because by codifying the Data he puts them in an ordered succession?… Of course, in Ventura I now use FileVault with Time Machine and even if the external HD is mechanical it works very well.

LikeLiked by 1 person
- 19
  
  hoakley on March 31, 2023 at 7:34 pm
  
  Thank you.
  Howard.
  
  LikeLiked by 1 person
20

almeath on April 1, 2023 at 12:48 am

It feels a bit strange that my 2019 iMac is less than 4 years old, and yet it is not considered a modern Mac. It must have been the last Intel Mac released without a T2 chip. The main drawback is that all the encryption has to happen in software, so there is a perceptible performance hit. On the other hand, I do not have to suffer any nerve wracking updates where the Mac does not respond for minutes on end.

LikeLiked by 1 person
- 21
  
  hoakley on April 1, 2023 at 12:02 pm
  
  Sadly, Apple slipped badly in adding T2 chips to iMacs. It’s odd, because the iMac Pro was one of the first two Macs to get T2 chips.
  Howard.
  
  LikeLike
22

Michele Galvagno on May 31, 2023 at 1:26 pm

Thanks for this!
Assuming one gets a new Apple Silicon Mac today, at what point would you suggest turning FileVault on? Does it happen during configuration and setup, or is it a setting buried into System Settings?

LikeLiked by 1 person
- 23
  
  hoakley on May 31, 2023 at 2:42 pm
  
  I don’t recall being invited to enable it during personalisation. It’s easy to do, and of course doesn’t lead to any re-encryption like it used to before the T2 chip: when you do your initial setup in System Settings, open Privacy & Security and click on the button to enable File Vault. That’s it.
  Does this mean a new Mac is imminent?
  Howard.
  
  LikeLike
  - 24
    
    Michele Galvagno on May 31, 2023 at 3:11 pm
    
    Thanks for specifying.
    Sadly the Mac is not yet coming. I am trying to stretch the wait until M3Pro/Max MacBook Pro comes (whenever it is).
    To sweeten the pill, I’ve just discovered that Sibelius uses just ONE core of the CPU in any case, so there is marginally any advantage in upgrading because of that. More RAM would help, but only during playback, not during score editing.
    The Adobe suite would benefit more, but I will be patient!
    
    LikeLiked by 1 person
    - 25
      
      hoakley on May 31, 2023 at 8:13 pm
      
      I took a look at discussion about Sibelius’ bad habits. It appears inexcusable that after all this time it’s incapable of getting better out of the multicore processors we’ve been using for the last twenty years and more. Even my little free apps do better than that!
      Howard.
      
      LikeLiked by 1 person
    - 26
      
      Michele Galvagno on May 31, 2023 at 8:17 pm
      
      From what they told me, it seems that it is very difficult to make an app originally written for single core CPUs to start using parallel computing. That is, without trashing the whole app and rewriting it—which would bring a whole lot of advantages beside this, btw… I don’t know if this is true. All I know is that it is developed on Windows and then ported via the Qt framework.
      
      Right now I’m working on an opera, 115 staves, 2000 bars, most operations are very slow—three taps on keyboard, then wait and watch the three stuttering operations happen in sequence.
      Opening Activity Monitor while using Sibelius, the CPU usage never passes 60%… while a single document can eat up to 6-7gb of RAM…
      The app was created about 30 years ago, it’s much overdue a rewrite…
      
      LikeLiked by 1 person
    - 27
      
      hoakley on May 31, 2023 at 8:23 pm
      
      So as they can’t be bothered to rewrite the app, shouldn’t they make updates to it free?
      Ah, so they want your money without reinvesting it to keep pace with what’s now very old technology.
      Howard
      
      LikeLiked by 1 person
    - 28
      
      Michele Galvagno on May 31, 2023 at 8:55 pm
      
      If only they asked for money only when they release a new version. One could choose whether to pay or not… but Sibelius has been a subscription service for quite a few years now. There’s a perpetual version (prohibitively expensive) that gives you lifetime access plus one year of updates. After that, you can renew for yearly or three-yearly updates…
      Still… pay to use or don’t use 😩
      
      LikeLiked by 1 person
    - 29
      
      hoakley on May 31, 2023 at 9:31 pm
      
      “pay to use or don’t use”
      Hm. That sounds like extortion or blackmail. Perhaps it’s just ransomware?
      Howard.
      
      LikeLike
    - 30
      
      Michele Galvagno on May 31, 2023 at 9:54 pm
      
      Most professional softwares nowadays are all using subscription models (rent-to-use)… and it’s a shame…
      
      LikeLiked by 1 person