Ok. I found this on Apple's website: "
Turn on FileVault
Though the SSD in computers that have the Apple T2 chip is encrypted, you should turn on FileVault so that your Mac requires a password to decrypt your data.

To turn on FileVault, follow these steps:

  1. Choose Apple menu > System Preferences, then click Security & Privacy.
  2. Click the FileVault tab.
  3. Click the lock icon, then enter an administrator name and password.
  4. Click Turn On FileVault."
https://support.apple.com/en-us/HT208344

So without FileVault your data is not password protected? That makes no sense.
 
So without FileVault your data is not password protected? That makes no sense.

As I understand it, the data is always encrypted and requires the host computer to decrypt. So if someone desoldered the SSD it would be unreadable. Same goes if the computer was unserviceable - there would be no way to decrypt the SSD (so no way to recover data). Turning FileVault on means that even with the original & serviceable computer you would need the password too. All this is done with zero performance impact on the CPU or SSD as the T2 does all the heavy lifting.
 
I think turning on FileVault degrades disk performance. Can anyone confirm this is not the case?
 
FileVault will have a small performance degradation on most Macs but this is not the case for the newer T2-equipped Macs (currently limited to the iMP and 2018 MBPs) as this dedicated hardware manages the encryption and the SSD.
 
Found a good video that explains everything.
Nice video pulling together all of the things the T2 does.
What I don't get is why enable FileVault if the drive is already encrypted. I didn't know with the T2, my data is encrypted by default and there's no way to not have it encrypted. I'm not trying to undo it, just get my brain wrapped around this.
 
Imagine a T2 laptop where you've done nothing with the secure boot. That laptop gets nicked. The drive may still be encrypted but you can boot on that machine and just reinstall macOS and there's your data. There's no dependency on a password for the volume.

I think that's the case anyway. I could be wrong, as my girlfriend keeps telling me.
 
Nice video pulling together all of the things the T2 does.
What I don't get is why enable FileVault if the drive is already encrypted. I didn't know with the T2, my data is encrypted by default and there's no way to not have it encrypted. I'm not trying to undo it, just get my brain wrapped around this.

Quick/secure erase is the main reason for running always encrypted but without password.
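
A simplified model of the key arrangement discussed in this thread, added here as an illustration; it is not part of any post and is not Apple's implementation. The volume key is wrapped with a key tied to the chip's UID and, only when FileVault is on, also to the password; the XOR wrap, the function names and all sample values are assumptions made for the example.

```python
import hashlib, hmac, secrets

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _kek(hw_uid, salt, password=None):
    # Always bound to the chip's UID; bound to the password only with FileVault on.
    pw = b""
    if password is not None:
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return _sub(hw_uid, salt + pw)

def wrap(volume_key, hw_uid, password=None):
    salt = secrets.token_bytes(16)
    kek = _kek(hw_uid, salt, password)
    # Toy XOR wrap standing in for a real key-wrap algorithm (assumption).
    ct = bytes(a ^ b for a, b in zip(volume_key, _sub(kek, b"enc")))
    return {"salt": salt, "ct": ct, "tag": _sub(_sub(kek, b"mac"), ct)}

def unwrap(blob, hw_uid, password=None):
    # Returns the volume key, or None when the chip or the password is wrong.
    kek = _kek(hw_uid, blob["salt"], password)
    if not hmac.compare_digest(_sub(_sub(kek, b"mac"), blob["ct"]), blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _sub(kek, b"enc")))

def scenarios():
    chip = secrets.token_bytes(32)        # constructed UID of this Mac's chip
    other_chip = secrets.token_bytes(32)  # constructed UID of any other machine
    vk = secrets.token_bytes(32)          # key that actually encrypts the SSD
    no_fv = wrap(vk, chip)                     # FileVault off
    fv = wrap(vk, chip, "correct horse")       # FileVault on
    # Quick erase in this model: destroy the wrapped blob and the SSD
    # contents remain ciphertext that no key can open.
    return {
        "ssd_in_other_machine": unwrap(no_fv, other_chip) == vk,
        "same_mac_filevault_off": unwrap(no_fv, chip) == vk,
        "same_mac_filevault_on_no_password": unwrap(fv, chip) == vk,
        "same_mac_filevault_on_wrong_password": unwrap(fv, chip, "guess") == vk,
        "same_mac_filevault_on_right_password": unwrap(fv, chip, "correct horse") == vk,
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'data readable' if ok else 'locked'}")
```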
 