Source on APFS being more secure than FileVault 2?

I am making a guess he is referencing this: https://www.backblaze.com/blog/apfs-apple-file-system/

"Apple’s current encryption scheme is called FileVault. FileVault is “whole disk” encryption. You turn it on, and your Mac encrypts your hard drive. That encrypted data is, for all intents and purposes, unrecognizable unless you enter a password or key to unlock it.

The problem is that FileVault is either on or off, and it’s on or off for the whole volume. So once you’ve unlocked it, your data is potentially vulnerable. APFS still supports full disk encryption, but it can also encrypt individual files and metadata, with single or multi-key support. That provides additional security for your most sensitive data."

or this: http://www.pcmag.com/article/345519/what-macos-sierras-new-apfs-file-system-means-to-you

"APFS uses integrated encryption instead of the essentially tacked-on encryption technique used by the existing OS X FileVault feature that slowly encrypts or decrypts an entire drive. APFS can encrypt whole disks and individual files with separate keys for the file and its metadata, giving granular control that could, for example, let individual users modify the data in a file without access to a separately encrypted audit trail of the changes."
 
Not being a smart-aleck with this question.

What is the point of enabling FileVault, when APFS is running and has already encrypted the SSD? APFS has better security than FileVault.

Well that is exactly what I was wondering in this thread. The difference between choosing APFS (encrypted) during installation VS enabling FileVault.

When doing a clean High Sierra install you can choose between APFS and APFS (encrypted); in either case FileVault isn't enabled. Correct me if I'm wrong.

When enabling FileVault, as I just did, an APFS volume is converted to APFS (encrypted). Does FileVault add something compared to choosing APFS (encrypted) during install?
 
… Does FileVault add something compared to choosing APFS (encrypted) during install? …
FileVault was enabled before I installed High Sierra DB 2. My SSD is APFS encrypted, and I am unable to turn off FileVault. The ability to do so will be available in a subsequent beta per Apple.
 
… When doing a clean High Sierra install you can choose between APFS and APFS (encrypted) … Does FileVault add something compared to choosing APFS (encrypted) during install? …

In HFS+ there is no difference between a volume encrypted with FileVault, or a volume that is created as encrypted.

FileVault just has some additional features, like:
- a recovery key
- iCloud recovery (the aforementioned key is stored in iCloud)
- logging in with a single password instead of separately entering the encryption key and then logging in
- ability to grant other users rights to log in without giving them the encryption or recovery key

Most likely the same is true for APFS.
 
I don't really understand what's going on, I wonder if someone can help or point me in the direction of the right documentation?

I just installed the public beta. I have always had FileVault switched on. I clicked the convert to APFS upon the installation screen. There was not an option of encrypted vs not encrypted as I have seen is the case with others on here, and I didn't have the option of setting a password or anything.

When I checked through System Preferences after the install, FileVault was turned off.
So I turned it back on, and it just did its thing. But then, when I checked in Disk Utility, it had converted the file system back to the original journaled encrypted CoreStorage.

Can someone explain why and what I should do. I want to be secure, but I need to understand it at the same time.

Any help would be ace.

mm
 
… convert to APFS … converted the file system back to the original journaled encrypted corestorage. …

There's no conversion from APFS to HFS Plus, so the original request (convert to APFS) must have failed.

For an understanding: boot Recovery OS 17A291m then use diskutil(8) to attempt conversion. You'll get more information than can be shown in Disk Utility.
 
I am confused about APFS Encryption and FileVault.

I completely wiped my MBP and formatted the SSD as “APFS (Encrypted)” while in Recovery Mode. I was prompted to supply a password for the disk upon formatting. I then installed High Sierra Public Beta 1. After installation, in Disk Utility the file system showed as “APFS (Encrypted).”

After installing PB2, I was prompted to enable FileVault, as some others have experienced. This confused me, as I thought the file system was already encrypted, but I opted to enable FileVault anyway. Incidentally, the FileVault encryption never completed, seemingly stuck at an estimated completion of two hours. Half a day later, with encryption still unfinished, I rebooted. The ETA updated to one minute but again never completed.

Today I installed PB3, after which the FileVault encryption completed.

So, is FileVault separate from APFS Encrypted? This was postulated above and in other threads, but there didn’t appear to be a definitive consensus or explanation. What are the ramifications of using APFS Encrypted but not FileVault?
 
So, is FileVault separate from APFS Encrypted?
FileVault is what Apple calls their full system encryption product, and FileVault uses APFS encrypted to encrypt the drive.

When you turn on FileVault it changes the boot process so you initially boot to the recovery partition and are presented with a login there that will unlock the drive. FileVault also integrates the disk unlock password into your user account so you can use the same unlock password as your login password. So when you turn on FileVault it enables these features I described as well as encrypting the drive with APFS encrypted. APFS is used with FileVault, but FileVault is more than just APFS as I described. That make sense?
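The distinction drawn in the reply above (one encrypted APFS volume, several credentials that can each unwrap its key) is visible on the command line with `diskutil apfs listCryptoUsers`, and `fdesetup status` gives the plain yes/no for FileVault. The script below is an added example, not code from the thread or from Apple: it parses `listCryptoUsers` output and reports which unlock paths exist, which is how a practitioner would check whether an "APFS (Encrypted)" volume also carries the FileVault extras listed a few posts up (OS accounts able to unlock, a recovery user). The sample output is constructed; the `Type:` strings other than `Local Open Directory User` and `Personal Recovery User` are assumptions, so compare them with your own machine's output before relying on the classification.

```shell
#!/bin/sh
# Added example (not code from the thread or from Apple). Classifies the
# unlock credentials of an APFS-encrypted volume from the output of
#   diskutil apfs listCryptoUsers /dev/disk1s1
# On a real Mac, pipe that live output into classify_crypto_users.
# The record layout follows what diskutil prints on macOS 10.13; the "Type:"
# strings other than "Local Open Directory User" and "Personal Recovery User"
# are assumptions, so verify them against your own output.

# Constructed sample standing in for the real command output.
SAMPLE_CRYPTO_USERS='Cryptographic users for disk1s1 (3 found)
|
+-- 4B1F7E5A-9C2D-4E8F-A1B3-6D7C8E9F0A1B
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
|   Type: Personal Recovery User
|
+-- 7E2A9C4F-1D3B-4A5E-8F6C-2B1A0D9E8C7F
    Type: Disk Password'

# Reads listCryptoUsers output on stdin; prints one "<uuid> <kind>" line per
# cryptographic user, kind being os-user, recovery-key, disk-password or other.
classify_crypto_users() {
    awk '
        $1 == "+--" { uuid = $2; next }
        /Type:/ {
            sub(/^.*Type: */, "")
            kind = "other"
            if ($0 == "Local Open Directory User")  kind = "os-user"
            else if ($0 ~ /Recovery User$/)         kind = "recovery-key"
            else if ($0 == "Disk Password")         kind = "disk-password"
            print uuid, kind
        }'
}

# Reads the same output; prints "filevault" when at least one OS account can
# unwrap the volume key (the login-password integration FileVault adds),
# "disk-password-only" when only a volume passphrase can, else "no-users".
unlock_model() {
    classify_crypto_users | awk '
        $2 == "os-user"       { os++ }
        $2 == "disk-password" { dp++ }
        END {
            if (os > 0)      print "filevault"
            else if (dp > 0) print "disk-password-only"
            else             print "no-users"
        }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CRYPTO_USERS" | classify_crypto_users
printf '%s\n' "$SAMPLE_CRYPTO_USERS" | unlock_model
```

A volume that carries only the passphrase typed into Disk Utility comes out as disk-password-only here; once FileVault has enabled accounts on it, an os-user entry per enabled account appears alongside the recovery-key entry, which is the difference the thread keeps circling around. Either way there is one encrypted volume; what changes is the set of credentials that can unwrap its key.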
 
My experience with APFS encryption/FileVault so far :

First, about my setup : my main account is never admin, I always create a separate admin account that I use for admin tasks. It works very well for me.

After installing High Sierra and converting to APFS on my already activated FileVault, I noticed a few things : my main account can't unlock the disk at boot time, only the admin account. Trying to fix that in System preferences always ended with an error message. So I decided to deactivate FileVault (it works now in the last beta). Everything seemed to go well, after about a day, the decryption was almost finished and then... it got stuck for days with the message "about 1 minute" to finish the decryption... I almost gave up and was thinking about waiting for the next beta or reformatting and reinstalling everything from scratch...

Then, chasing something else, I noticed that my system log was polluted every few seconds with messages from com.apple.touristd trying to download something from help.apple.com and crashing, trying to respawn endlessly... So I removed it from /System/Library/LaunchAgents then rebooted... and the decryption was able to finish.

I reactivated FileVault and everything is working ok now.
 
Big question: Do we have the ability to boot to something that allows us to remotely unlock the encryption yet after a power loss or full power cycle? I'm still hanging on to filevault 1 because of this.
 
… Do we have the ability to boot to something that allows us to remotely unlock the encryption yet after a power loss or full power cycle? …

Can you elaborate the problem? Why not just start computer anew after the power loss?
 
… my system log was polluted every few seconds with messages from com.apple.touristd trying to download something from help.apple.com and crashing … So I removed it from /System/Library/LaunchAgents then rebooted... and the decryption was able to finish. …
I am having a similar experience, but mine is activating and encrypting with "1 minute to go". I can't seem to find the file you reference.
 
Can you elaborate the problem? Why not just start computer anew after the power loss?

I could, after waiting approximately 180 days or so to catch a flight back to the United States to get to my house and hit the power switch... that's why I want to remote into the computer instead. I'm not going without encryption given the high crime around here and my previous experience with four laptop thefts from break-ins, which resulted in a few pains, one being someone nearly succeeding in stealing my home equity by using all the things and a few fake IDs to pretend they were me. The only saving grace to that was my temporarily really bad credit rating. Suntrust was ever so kind to give me a call using my phone on record to ask if I was serious about a 4% increase on my mortgage while taking all the equity out... that raised some red flags to them and stopped the refinance. I can't take my computer given I am allowed only one bag to deploy with, only room for a laptop.
 
In Terminal it took forever, but gave NO estimate of remaining time. In the FileVault pref pane, it said "1 minute remaining" after it finished, until the next reboot.
Hi - similar issue. High Sierra installed, enabled FileVault (stupidly).... now stuck on 'one minute remaining' for the last 3 days. Cannot seem to force quit. Reboot, reset PRAM etc. Worst of all, cannot do a Time Machine backup while stuck. Any suggestions?
 
… now stuck on 'one minute remaining' for the last 3 days. … Any suggestions?
Sounds like you are in the same boat I was. I stupidly turned it on and I lost patience with the one minute message and knowing I couldn't upgrade or TM until it was done (doing nothing). I gave up and wiped and reinstalled (for the first time ever on a Mac).
 
… now stuck on 'one minute remaining' for the last 3 days. … Worst of all, cannot do a Time Machine backup while stuck. Any suggestions?

Just be patient... Do you have a lot of stuff on your drive? Plug it into the wall, and leave it alone when you are at home. It will eventually finish. I think the 1 minute thing is just a bug. Mine took over a week. I suspect also it might only convert when connected to power, to prevent battery drain.
 
… Just be patient... … I think the 1 minute thing is just a bug. Mine took over a week. …
I wish I could have been more patient, but the lack of ability to do any backups or install anything while encrypting was concerning.
 
From the latest beta release notes, there appear to be lots of FileVault issues they were working on; not sure if our 1 minute issue was a symptom. I'm still not going there again though!

Resolved Issues

• Volumes with High Sierra beta 5 installed can now be mounted or selected as a Startup Disk on systems running earlier versions of macOS. (33060569)

• Fixed an issue that prevented enabling FileVault on APFS volumes.

• Fixed an issue where the encryption policy used for unencrypted APFS volumes that are converted to FileVault could cause the system to select the wrong block offset during the encryption process. Affected volumes need to be re-encrypted. Encrypted HFS+ volumes that are converted to APFS are unaffected.

• Fixed an issue where an APFS container on a Fusion drive could have only 1 macOS 10.13 volume.

• Fixed an issue where APFS systems with FileVault enabled could not reset their password with iCloud. (32818928)

• The X11 window manager now works on APFS formatted installations of macOS. (31507129)

There are a lot of references to FileVault in this document.
 

Attachment: macOS_10.13_beta_6_Release_Notes.pdf
Like some of you here, I wrestled yesterday with whether to encrypt pre or post install-from-scratch. It wouldn't have mattered so much if it weren't for the (constantly varying) 6-14 hour estimate for FileVault to finish on a new install (no user data). What I did and their outcomes below, using a bootable macOS installer:

Encrypt last (my old default)
Erase and format as Mac OS Extended (Journaled) then install High Sierra. Turn on FileVault.
Outcome: 6-14 hour estimated FileVault encrypt time

Encrypt first (now my preferred)
Erase and format as APFS (Encrypted) then install High Sierra. FileVault was already on.
Outcome: < 10 mins by Disk Utility? (it may have been far less, I left it and didn't monitor closely)

The main difference is that you supply a password earlier when formatting with Disk Utility, rather than being given one (the Recovery Key) when enabling FileVault.

Hope this helps someone.
 
… Encrypt first (now my preferred): Erase and format as APFS (Encrypted) then install High Sierra. FileVault was already on. Outcome: < 10 mins by Disk Utility? … The main difference is that you supply a password earlier when formatting with Disk Utility, rather than being given one (the Recovery Key) when enabling FileVault. …
Nice post. Good to know and thanks for sharing.
 
Before upgrading to High Sierra, I was using a FileVault Disk-password.

You can read about disk passwords here: https://blog.devzero.com/2014/03/31/making-filevault-use-a-disk-password/

It is basically as follows: You manually encrypt the drive with a password. User accounts cannot log in to the drive (and are not displayed on the boot screen). Instead, it asks for "Disk Password" as follows:



This is the highest-security option because it lets you have a super long and complex disk password, and an easy user-password. That way your daily admin tasks (or a quick lock/unlock screen process) are easy, but your hard disk data is protected with a difficult password.

Well, today it was finally time to upgrade from Sierra 10.12.6 to High Sierra 10.13.4.

And this is what happens if you upgrade a Disk-password system to High Sierra:

  • The CoreStorage Volume is deleted. (It has been deprecated and is no longer used by FileVault, so I am HAPPY that Apple deleted it for me automatically.)
  • Instead, Apple puts an "Apple_APFS Container" on the disk.
  • That container contains an ENCRYPTED APFS partition. As can be seen in Disk Utility, for example.
  • The "Disk Password" unlock method is perfectly preserved! I still login with the disk password, instead of user passwords. Phew. Glad Apple didn't screw that up!

Final results: An APFS-disk with modern, native filesystem-level encryption. No more CoreStorage or other "legacy FileVault 2" stuff.



Some other things worth noting when upgrading my MacBook Pro 2010 to High Sierra:

  1. The power LED is no longer lit (white one in the bottom right computer corner). It only flickers white briefly at startup and then shuts off. If I put the computer to sleep, it lights up and starts "breathing" the classic sleep-pulse. So I guess Apple just didn't see any value in keeping the power LED constantly lit while the screen is on...
  2. The white Apple Logo on the lid of the computer is still lit as always. So it's a bit odd they decided to turn off the power LED.
  3. Bootups now FEEL longer because the bootup process has changed. It goes through three phases: First a rapid bar filling on the gray screen. Then the screen goes TOTALLY BLACK (looks "broken" due to the eerie way it is pitch black) for about 10 seconds. Then the desktop login screen shows up with the password field ready to type. This differs from the old bootup which took 14 seconds then showed the desktop but was FROZEN for about 10 seconds (no ability to type) while it continued secretly booting. So Apple has changed that process to no longer "hide the boot process". The screen goes black for the same time it would have taken the old Sierra boot to let you finally type a password... All in all, not happy with this new boot process. It feels unpolished due to the blackness.
  4. SSD TRIM is still enabled if you've ever run their "sudo trimforce enable" tool in previous OS versions. Good. I was worried it'd be reset back to no trim, but it still worked and I didn't have to re-enable it.
  5. The Siri utility has been optimized. In Sierra, using Siri enabled the nVidia GPU, then when Siri's window was closed it took about 30 seconds and then it switched back to Intel GPU. Now, it switches to Intel instantly after the Siri window closes.

All in all, with 10.13.4, with tons of exploits and bugfixes in older versions now patched, I think High Sierra is finally ready for daily use. Good times!
 
Sorry to revive an oldish thread, but I am really struggling with this topic. I do not want my decryption "key" stored with iCloud or anyone else for that matter. I have a used Mid 2012 MBP. I formatted it (it has SSD and HDD in drive caddy), and I chose APFS Encrypted for the system disk (SSD) and Mac OS Extended Encrypted for the HDD.

I created my long complex password for the APFS Encrypted volume. I was under the impression NOBODY should know that except me. I then installed High Sierra from a USB installer, and now I see both a user login and a disk password login after I boot up. But I am amazed to find that the user password for the account I created (not as complex as the disk password) can unlock the disk! Why is that, and more importantly, how can I prevent that?

I want security, not convenience. So I want to HAVE to enter BOTH the user password AND the disk encryption key each time I boot up my Mac. Is this possible?
Thanks for any help.
 
Storing the FileVault encryption key in iCloud is optional. Just don't select that option when you turn on FV.

As for your second disk, if it is unlocking that disk automatically at login, you must have saved the password to Keychain at some point. Just go to Keychain and find that entry and delete it.
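The first half of the question above (an account password unlocking a volume that was meant to need the disk password) is what `sudo fdesetup list` answers: it prints every account FileVault has enabled to unlock the disk at boot, one `username,UUID` line each, and `sudo fdesetup remove -user <name>` revokes that right. The script below is an added example, not from the thread or from Apple: it compares the enabled list with the accounts you intended to allow and emits the matching revocation commands for review. The sample list and the account names `admin` and `alice` are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from Apple). Audits which OS
# accounts FileVault lets unlock the boot volume, from the output of
#   sudo fdesetup list
# (one "username,UUID" line per enabled account), and prints the
# `fdesetup remove -user` commands for any account not on the allow-list.
# On a real Mac:  sudo fdesetup list | revoke_commands "admin"

# Constructed sample standing in for the real command output.
SAMPLE_FDESETUP_LIST='admin,5B3C1E2D-8A4F-4B6E-9C7D-1E2F3A4B5C6D
alice,9F8E7D6C-5B4A-4C3D-8E9F-0A1B2C3D4E5F'

# $1: space-separated allow-list of usernames. Reads fdesetup list output on
# stdin and prints one username per line for every enabled account that is
# not on the allow-list.
unexpected_unlockers() {
    allow=" $1 "
    while IFS=, read -r user _uuid; do
        [ -n "$user" ] || continue
        case "$allow" in
            *" $user "*) ;;                      # intended to have unlock rights
            *) printf '%s\n' "$user" ;;          # enabled without being expected
        esac
    done
}

# $1: allow-list as above. Emits the revocation commands to review before
# running them; nothing is executed here.
revoke_commands() {
    unexpected_unlockers "$1" | while read -r user; do
        printf 'sudo fdesetup remove -user %s\n' "$user"
    done
}

# Stand-alone demonstration: only "admin" is meant to unlock the disk.
printf '%s\n' "$SAMPLE_FDESETUP_LIST" | revoke_commands "admin"
```

Any single enabled credential unwraps the volume key on its own, so removing an OS account does not make the boot prompt demand two passwords in sequence; it just leaves the disk password (and the recovery key, if one was created) as the remaining unlock paths. Review the generated commands before running them and keep at least one credential you actually hold, or the volume becomes unrecoverable.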
 