APFS encryption vs FileVault

[lemimouth]

When I installed High Sierra I could choose between APFS or APFS (encrypted) partition type. I choose APFS.

Then we have FileVault. At the moment I can't enable it because it greyed out. Will FileVault rely on APFS encryption (so activating FileVault will just encrypt the APFS volume with APFS encryption), or will it be an other layer on top of APFS ?

 

[cswifx]

When I installed High Sierra I could choose between APFS or APFS (encrypted) partition type. I choose APFS.

Then we have FireVault. At the moment I can't enable it because it greyed out. Will FireVault rely on APFS encryption (so activating FireVault will just encrypt the APFS volume with APFS encryption), or will it be an other layer on top of APFS ?

I suppose it's another layer? FileVault is a full-disk encryption, not sure about APFS because I haven't seen the APFS encryption yet.

 

[grahamperrin]

… greyed out …

Does the grey persist after you unlock the preference pane?

 

[b416]

Does the grey persist after you unlock the preference pane?

Yes it does.

 

[LK LAW]

Yes it does.

Some developer needs to shed some light on this one.
As I understand FileVault is a part of CoreStorage. CoreStorage is being depreciated and put into maintenance mode as far as I know.
Kind of wonder how FusionDrives are going to work then though.
Also if APFS is encrypted on a multi key (instead of single key with FileVault) would the OS first boot basic functions via the recovery partition and then handover you when you login it'll continue the login process?

Could someone look into this please

 

[justperry]

My Partition is APFS, can't enable Filevault, most likely because of APFS, I am pretty sure the
new one is APFS encrypted.
Wish upon install it would have asked me if I wanted APFS with or without encryption.

 

[yangm]

I’m on the opposed side of the coin: I had FileVault enabled before upgrading and now I can’t turn it off:

By the looks of the partitions, FileVault no longer uses CoreStore, using APFS multikey encryption instead:

 

[lemimouth]

I tried to install High Sierra (fresh from a usb key and reformatting the whole drive) with selecting APFS (encrypted), it asked me to create a password, but when I restarted my computer it didn't ask me to enter the password I set for encryption, as opposite as when I had FileVault enabled on my old installation and it asked the password to even start booting the OS.

That's why I'm confused between the two (FileVault asks the password before booting but APFS encryption doesn't).

Time to wait some more betas to enable FileVault and see what happens, then

 

[AVonGauss]

Deleted.

 

[Nermal]

I believe this behavior was documented in the release notes.

Indeed.

FileVault settings cannot be changed following conversion to APFS. Users wishing to use FileVault must enable it before installing macOS 10.13 beta. Support for changing FileVault settings on APFS volumes will be added in an upcoming beta.

 

[grahamperrin]

… how FusionDrives …

Please join the discussion at APFS and Fusion Drives.

FireVault

Gentle hint: it's FileVault (l, not r). At your opening post, you can use the cog icon to edit the subject line.

 

[lemimouth]

Oups, I must have read it wrong the first time and it stuck like this in my head

 

[LK LAW]

By the looks of the partitions, FileVault no longer uses CoreStore, using APFS multikey encryption instead:
View attachment 703337

Great news! Does the pre-boot login window still need EFI to show the login window?

 

[grahamperrin]

We have a report of conversion from Core Storage-encrypted HFS, to APFS, being followed by a FileVault-related change:

… 7. Reboot and added FileVault encryption

Notes and Known Issues for macOS 10.13 Build 17A264c (2017-06-06) appears to be a copy of information from Apple. I can't comment on its accuracy or completeness (I'm not enrolled with any Apple project). From that post:

… The Disk Utility info pane may show incorrect information for encryption status for APFS volumes. …

@nevheatley3 please: might that explain the apparent addition of encryption in your case?

 

[nevheatley3]

We have a report of conversion from Core Storage-encrypted HFS, to APFS, being followed by a FileVault-related change:



Notes and Known Issues for macOS 10.13 Build 17A264c (2017-06-06) appears to be a copy of information from Apple. I can't comment on its accuracy or completeness (I'm not enrolled with any Apple project). From that post:



@nevheatley3 please: might that explain the apparent addition of encryption in your case?

I cannot say, I'm not advanced enough to discern that. And unfortunately, I had to revert to Sierra so I cannot check anything on my end. But, it does seem plausible.

 

[mikecwest]

It appears you can enable it in terminal

sudo fdesetup enable

 

[lemimouth]

Thanks, great to know. But I'll wait until we can do it from the GUI. Maybe it's disabled at the moment for a reason

 

[lemimouth]

Just enabled FileVault in beta 2 through the GUI. Estimated time went from initially 4 minutes to 10 seconds then more than 1 day. THAT is accurate !

 

[mikecwest]

Just enabled FileVault in beta 2 through the GUI. Estimated time went from initially 4 minutes to 10 seconds then more than 1 day. THAT is accurate !

in terminal it took for ever, but gave NO estimate of remaining time. In the Filevault pref pane, it said "1 minute remaining" after it finished, until the next reboot.

 

[lemimouth]

I'll wait to see what happens. It can't seems to decide between "11 hours", "6 hours" and "more than one day". Disk Utility reports the volume as encrypted, though

 

[AppleComputer]

I’m on the opposed side of the coin: I had FileVault enabled before upgrading and now I can’t turn it off:
View attachment 703336

By the looks of the partitions, FileVault no longer uses CoreStore, using APFS multikey encryption instead:
View attachment 703337

Same here, had it enabled on sierra, stayed that way after high seirra beta installed.

 

[Apple_Robert]

Just enabled FileVault in beta 2 through the GUI. Estimated time went from initially 4 minutes to 10 seconds then more than 1 day. THAT is accurate !

Not being a smart-allec with this question.

What is the point of enabling FileVault, when APFS is running and has already encrypted the SSD? APFS has better security than FileVault.

 

[Cinder6]

Not being a smart-allec with this question.

What is the point of enabling FileVault, when APFS is running and has already encrypted the SSD? APFS has better security than FileVault.

Source on APFS being more secure than FileVault 2?

 

[mikecwest]

I would think that FileVault 2 adds, additional security to APFS?

 

[grahamperrin]

… Disk Utility reports the volume as encrypted, …

As diskutil(8) does not report whether migration is complete, so I should not expect Disk Utility to report whether the encryption routine is complete.

I would think that FileVault 2 adds, additional security to APFS?

It's more like the other way round.

The System Preferences interface to FileVault might evolve to take advantage of what will be possible with APFS, that could not be done with FileVault 2.

Recall that with FileVault 1, it was easier (than with 2) to prevent an administrator from viewing your data.