Explainer: Disk encryption

This week’s news of deprecations in macOS is dominated by CoreStorage, and the consequent loss of access to HFS+ encrypted volumes. As it might seem odd that a part of macOS responsible for Fusion Drives should also affect encryption, this article tries to explain why, and where we’ve got to since.

In the Good Old Days, our Macs seldom contained anything particularly sensitive, and the few files that might hold private information could be encrypted on their own. Then came electronic banking, credit card and ID information, and crypto wallets, and we really needed to ensure they were properly protected.

HFS+

With the release of Mac OS X, its native file system HFS+ had no support for encryption. When Apple introduced its first version of FileVault to encrypt just the user’s Home folder in 2003, that had to be accomplished using an encrypted disk image. That not only caused problems with Time Machine backups, but its protection was easily defeated and the whole disk image decrypted.

The first whole-volume encryption for HFS+ came in 2011, when Apple added support for a logical volume manager in CoreStorage, which implements encryption for HFS+. The second and more successful attempt at FileVault thus used HFS+ with whole-volume encryption in CoreStorage. Encrypted HFS+ has also been available for use on external storage, where it still depends on CoreStorage.

Encrypted HFS+ uses the XTS-AES mode of AES with a 256-bit key, with both encryption and decryption being performed by the CPU. Earlier Intel processors had no instructions to accelerate that, and in combination with hard disk storage this imposed a noticeable overhead of around 3% on storage reads and writes. This was most apparent when encryption was first enabled on a volume, which could take many hours before its entire contents had been encrypted.
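To show what the sector-tweaked XTS mode described above actually does, here is an added example in Go, built only on the standard library's AES; it is not code from this article, from CoreStorage or from Apple. The two 256-bit keys, the 512-byte sector contents and the sector numbers are constructed for the demonstration, and ciphertext stealing for partial final blocks is omitted because disk sectors are always whole multiples of 16 bytes. It demonstrates the two properties a practitioner most needs to know: the sector number is the tweak, so identical data in different sectors (and identical blocks within one sector) encrypts differently, and a flipped ciphertext bit corrupts exactly one 16-byte block on decryption without any error being raised, because XTS provides confidentiality but no integrity.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed XTS-AES-256 key pair: K1 encrypts the data, K2 encrypts the tweak.
// Real keys are derived from the volume key, never constants like these.
var (
	dataKey  = bytes.Repeat([]byte{0x11}, 32)
	tweakKey = bytes.Repeat([]byte{0x22}, 32)
)

// samplePlaintext is a constructed 512-byte sector of one repeating byte, the
// worst case for any mode that lacks a per-block tweak.
var samplePlaintext = bytes.Repeat([]byte{0x41}, 512)

// mulAlpha multiplies the 128-bit tweak by x in GF(2^128) (little-endian
// convention of IEEE P1619), producing the tweak for the next block.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsSector encrypts (decrypt=false) or decrypts (decrypt=true) one sector,
// using the sector number as the XTS tweak.
func xtsSector(sector uint64, data []byte, decrypt bool) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("sector length must be a non-zero multiple of 16")
	}
	dataCipher, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	tweakCipher, err := aes.NewCipher(tweakKey)
	if err != nil {
		return nil, err
	}
	// T_0 = E_K2(sector number as a 128-bit little-endian integer)
	var tweak [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	tweakCipher.Encrypt(tweak[:], tweak[:])

	out := make([]byte, len(data))
	var blk [16]byte
	for off := 0; off < len(data); off += aes.BlockSize {
		// C_j = E_K1(P_j xor T_j) xor T_j   (D_K1 in place of E_K1 when decrypting)
		for i := range blk {
			blk[i] = data[off+i] ^ tweak[i]
		}
		if decrypt {
			dataCipher.Decrypt(blk[:], blk[:])
		} else {
			dataCipher.Encrypt(blk[:], blk[:])
		}
		for i := range blk {
			out[off+i] = blk[i] ^ tweak[i]
		}
		mulAlpha(&tweak)
	}
	return out, nil
}

// TweakDemo encrypts the same contents at sector numbers 0 and 1 and reports
// whether the ciphertexts differ across sectors, whether the first two (identical)
// plaintext blocks differ within one sector, and whether both decrypt correctly.
func TweakDemo() (acrossSectors, withinSector, roundTrip bool, err error) {
	c0, err := xtsSector(0, samplePlaintext, false)
	if err != nil {
		return
	}
	c1, err := xtsSector(1, samplePlaintext, false)
	if err != nil {
		return
	}
	p0, err := xtsSector(0, c0, true)
	if err != nil {
		return
	}
	p1, err := xtsSector(1, c1, true)
	if err != nil {
		return
	}
	return !bytes.Equal(c0, c1), !bytes.Equal(c0[:16], c0[16:32]),
		bytes.Equal(p0, samplePlaintext) && bytes.Equal(p1, samplePlaintext), nil
}

// TamperDemo flips one ciphertext bit and returns how many 16-byte blocks of the
// decrypted sector no longer match the original: the damage stays in one block,
// but nothing signals that the sector was altered.
func TamperDemo() (damagedBlocks int, err error) {
	ct, err := xtsSector(7, samplePlaintext, false)
	if err != nil {
		return
	}
	ct[100] ^= 0x01 // byte 100 lies in block 6
	pt, err := xtsSector(7, ct, true)
	if err != nil {
		return
	}
	for off := 0; off < len(pt); off += aes.BlockSize {
		if !bytes.Equal(pt[off:off+aes.BlockSize], samplePlaintext[off:off+aes.BlockSize]) {
			damagedBlocks++
		}
	}
	return damagedBlocks, nil
}

func main() {
	a, w, r, err := TweakDemo()
	fmt.Println("differs across sectors:", a, "within sector:", w, "round trip:", r, err)
	n, err := TamperDemo()
	fmt.Println("blocks damaged by one flipped bit:", n, err)
}
```

The single-block damage is why disk encryption alone is no defence against tampering with a volume: a check of file contents still needs a separate integrity mechanism, such as the checksums or signatures that APFS and the sealed System volume add above the cipher.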

Among other features reliant on CoreStorage are Apple’s Fusion Drives, consisting of a larger hard disk with an SSD working together as a pair in tiered storage, introduced in late 2012. It appears that macOS Tahoe might have already discontinued support for Fusion Drives, although its diskutil command still claims to support them, and a recent support note doesn’t mention any limitations.

APFS

The next step was a file system that had encryption designed into it from the start, APFS, released in 2017. That was quickly followed by hardware support for encryption, first in T2 chips, then in Apple silicon chips from 2020.

What has been encrypted has also changed over time. The first FileVault only encrypted the contents of a user’s Home folder, but CoreStorage encrypts whole HFS+ volumes. Until macOS Catalina divided the startup volume into System and Data volumes in a boot volume group, FileVault encrypted both system and user files. From Catalina onwards it was thought that all volumes on the internal SSD were encrypted, but more recently it has become clear that this has been limited to the Data volume, possibly since Big Sur.

The hardware that performs FileVault’s encryption and decryption is part of the controller for the internal SSD, and is outside the Secure Enclave, which is responsible for generating and protecting the keys used.

When you enter your FileVault password, that’s passed to the Secure Enclave, where it’s combined with the hardware key to generate the Key Encryption Key (KEK), and that’s then used together with hardware and xART keys to decrypt or unwrap the Volume Encryption Key (VEK), which is the key used to encrypt and decrypt the volume itself.


APFS encryption more generally also uses separate VEKs and KEKs which are stored in and accessed from Keybags associated with both containers and volumes. The Container Keybag contains wrapped VEKs for each encrypted volume within that container, together with the location of each encrypted volume’s keybag. The Volume Keybag contains one or more wrapped KEKs for that volume, and an optional passphrase hint. However, because those Keybags are stored in the file system on the encrypted disk and not protected by a Secure Enclave, they’re inherently more vulnerable.
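The two previous paragraphs describe a two-level key hierarchy: the passphrase never encrypts data itself, it only derives a KEK that unwraps the VEK kept in a keybag. The following added example in Go (not code from this article or from Apple, and using only the Go standard library) models that hierarchy with a simplified keybag: a salt, the VEK wrapped under the KEK, and a passphrase hint. PBKDF2-HMAC-SHA256 stands in for the Secure Enclave's key derivation and AES-256-GCM stands in for Apple's wrapping scheme; both are substitutions chosen so that a wrong passphrase is rejected rather than yielding a wrong key. The passphrases, hint and iteration count are constructed. The point it demonstrates is why the indirection exists: changing the passphrase only rewraps the VEK, so the encrypted volume is untouched and the old passphrase stops working immediately.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Keybag is a simplified stand-in for an APFS volume keybag (constructed for this
// example): it stores the salt used to derive the KEK, the VEK wrapped under that
// KEK, and the optional passphrase hint. The VEK itself is never stored in clear.
type Keybag struct {
	Salt       []byte
	WrappedVEK []byte
	Hint       string
}

// kdfIterations is a constructed work factor for the passphrase derivation.
const kdfIterations = 100000

// deriveKEK turns a passphrase into a 256-bit Key Encryption Key with
// PBKDF2-HMAC-SHA256 (RFC 8018), written inline to stay standard-library only.
// One 32-byte block suffices, so only block index 1 is computed.
func deriveKEK(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1), big-endian block index
	u := mac.Sum(nil)
	kek := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range kek {
			kek[j] ^= u[j]
		}
	}
	return kek
}

// newGCM builds the AES-256-GCM wrapper for a KEK; the authentication tag is what
// makes unwrapping under a wrong KEK fail instead of producing garbage.
func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapVEK stores vek in a new keybag, encrypted under the KEK derived from passphrase.
func wrapVEK(passphrase string, vek []byte, hint string) (*Keybag, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKEK(passphrase, salt))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Keybag{Salt: salt, WrappedVEK: gcm.Seal(nonce, nonce, vek, nil), Hint: hint}, nil
}

// unwrapVEK recovers the VEK; a wrong passphrase yields an error, never a wrong key.
func unwrapVEK(passphrase string, kb *Keybag) ([]byte, error) {
	gcm, err := newGCM(deriveKEK(passphrase, kb.Salt))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(kb.WrappedVEK) < ns {
		return nil, fmt.Errorf("keybag too short")
	}
	return gcm.Open(nil, kb.WrappedVEK[:ns], kb.WrappedVEK[ns:], nil)
}

// ChangePassphraseDemo re-keys a keybag and returns whether the old passphrase is
// now rejected and whether the new one unwraps the very same VEK.
func ChangePassphraseDemo() (oldRejected, sameVEK bool, err error) {
	vek := make([]byte, 32) // the key that actually encrypts the volume
	if _, err = rand.Read(vek); err != nil {
		return
	}
	kb, err := wrapVEK("correct horse", vek, "equine") // constructed passphrase
	if err != nil {
		return
	}
	got, err := unwrapVEK("correct horse", kb) // unlock with the current passphrase
	if err != nil {
		return
	}
	kb2, err := wrapVEK("battery staple", got, "cell") // rewrap under the new one
	if err != nil {
		return
	}
	_, oldErr := unwrapVEK("correct horse", kb2)
	got2, err := unwrapVEK("battery staple", kb2)
	if err != nil {
		return
	}
	return oldErr != nil, bytes.Equal(got2, vek), nil
}

func main() {
	oldRejected, sameVEK, err := ChangePassphraseDemo()
	fmt.Println("old passphrase rejected:", oldRejected, "same VEK:", sameVEK, err)
}
```

This also makes concrete the vulnerability noted in the paragraph above: whoever can read the keybag holds everything needed to try passphrases against it offline, limited only by the KDF's cost, whereas with FileVault on Apple silicon the derivation is bound to a hardware key inside the Secure Enclave and cannot be run anywhere else.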

Future

Most recent is the threat posed by anticipated advances in quantum cryptography, which promise to break some classical encryption methods. At present, Apple considers that FileVault should remain robust because of its multiple layers of protection. However, it may be that doubling the key size from 256 to 512 bits is an appropriate defence for APFS encryption that doesn’t enjoy the protection of the Secure Enclave.

Further reading

A Brief History of FileVault
How keys are used in FileVault and encryption
macOS Tahoe extends quantum-secure encryption
Quantum-secure cryptography in Apple operating systems