About FileVault encryption and the T2 chip

GuilleA

macrumors regular
Original poster
Jun 8, 2015
128
121
Buenos Aires
I've been reading up on the subject, and it is my understanding that although the SSD on the new MBP is encrypted by default by the T2 chip, I should enable FileVault as well. From what I understood, enabling FileVault would tie my password with the encryption key in the T2 controller, making it impossible to recover or read data from the SSD without it.

So let's say someone gets access to my MBP, reboots it and enters Recovery Mode. The intruder would have access to the whole drive using Terminal, correct? It'd be possible to mount an external USB drive and copy over data.

Now if I enable FileVault, prior to be able to read any data from it in Recovery Mode my password would have to be entered, there should be no other way around it.

So, it's FileVault simply a way to just add a password to the current encryption or will it add a second layer with some (minimal of otherwise) performance loss?

And one final thing: I also have an external SSD that I use for backups. It's formatted in APFS with two volumes, one is dedicated to clone backups using SuperDuper and another one that I use for manual backups and some temporary files storage.

Finder only gives me the option to encrypt the second volume and not the one that contains a clone of Macintosh HD. If this drive gets stolen, it contains a full on copy of my main drive so I'd like to be able to encrypt that as well. Not really sure how encryption would work on this scenario, as both volumes share the same space with APFS.

Anyway, appreciate any help :)
 

1096bimu

macrumors 6502
Nov 7, 2017
319
286
No, there is no way to access encrypted data without the encryption key regardless of what mode you are in because not even the system knows your encryption key until you enter it when you boot up.
FileVult generates a key from your password, and a unique key tied to your T2 chip. So to access the file you must have your specific T2 chip and your password.
There is no performance loss, the T2 chip handles all the encryption
 

GuilleA

macrumors regular
Original poster
Jun 8, 2015
128
121
Buenos Aires
No, there is no way to access encrypted data without the encryption key regardless of what mode you are in because not even the system knows your encryption key until you enter it when you boot up.
FileVult generates a key from your password, and a unique key tied to your T2 chip. So to access the file you must have your specific T2 chip and your password.
There is no performance loss, the T2 chip handles all the encryption
I understand that the encryption key is stored in the T2 chip, and the SSD is decrypted on the fly on boot. If somehow, someone desoldered the chips the data would be unreadable unless they take the T2 as well.

However, you can still access the contents through Terminal in Recovery Mode, there's no password required to do so if FileVault is not enabled, correct?

Filevault is always on by default now right?
I guess not. This is a brand new MBP and FileVault is disabled.
 

Thysanoptera

macrumors 6502a
Jun 12, 2018
722
723
Pittsburgh, PA
However, you can still access the contents through Terminal in Recovery Mode, there's no password required to do so if FileVault is not enabled, correct?
Why don't you just see for yourself? I enabled FV so I have to type the password before recovery mode, and I don't remember how that looked like before. I'm actually curious myself, looking at how much crap they put in T2 it would be pretty weird if could just boot in recovery mode and access the system disk without OS password.

As for the external drive - what is the filesystem on the volume that can't be encrypted? I have external drives, but only with one volume per disk, and I never tried to 'enable' file vault, just created 'AFPS encrypted' volume on them. File Vault is just a mechanism to boot from encrypted drive using a password, I guess they left the name to avoid confusion, but IMHO it creates more of it instead.
 

iMacDragon

macrumors 68000
Oct 18, 2008
1,696
278
UK
yes, you can just boot into recovery mode to read the HDD if no other security steps have been enabled.
 
  • Like
Reactions: GuilleA

GuilleA

macrumors regular
Original poster
Jun 8, 2015
128
121
Buenos Aires
Why don't you just see for yourself? I enabled FV so I have to type the password before recovery mode, and I don't remember how that looked like before. I'm actually curious myself, looking at how much crap they put in T2 it would be pretty weird if could just boot in recovery mode and access the system disk without OS password.
I have. And yes, you can access the contents of the drive in Recovery Mode. I'll turn on FileVault and check again.

As for the external drive - what is the filesystem on the volume that can't be encrypted? I have external drives, but only with one volume per disk, and I never tried to 'enable' file vault, just created 'AFPS encrypted' volume on them. File Vault is just a mechanism to boot from encrypted drive using a password, I guess they left the name to avoid confusion, but IMHO it creates more of it instead.
It's APFS, but not encrypted. I suppose I could simply re-format my backup volume to APFS Encrypted and re-clone my main drive.
 
  • Like
Reactions: Thysanoptera

iMacDragon

macrumors 68000
Oct 18, 2008
1,696
278
UK
If FV is enabled, recovery is not going to let you see anything on the internal drive.
I was referring the original queried case of FV not enabled, ie, drive just T2 encrypted on own with no additional security steps enabled ( FV or boot password ).
 
  • Like
Reactions: Weaselboy

GuilleA

macrumors regular
Original poster
Jun 8, 2015
128
121
Buenos Aires
As for the external drive - what is the filesystem on the volume that can't be encrypted? I have external drives, but only with one volume per disk, and I never tried to 'enable' file vault, just created 'AFPS encrypted' volume on them. File Vault is just a mechanism to boot from encrypted drive using a password, I guess they left the name to avoid confusion, but IMHO it creates more of it instead.
I've just re-formatted the external volume to APFS Encrypted and re-cloned my main drive to it. There's a slight write performance hit but nothing too drastic. Unencrypted: 480 MB/s, Encrypted: ~440 MB/s. Reads are mostly the same at ~500-520 MB/s.

As for the main SSD, there appears to be no performance degradation when enabling FileVault. The T2 seems to be doing all the work, whereas with the external SSD, the CPU must be doing some of the work. I could be wrong though.