
Do you use FileVault?

  • Yes

    Votes: 91 65.9%
  • No

    Votes: 46 33.3%
  • Something Else

    Votes: 1 0.7%

  • Total voters
    138
All drives both internal and external that I own are encrypted. That includes backups, USB drives, old CDs, you name it, if it has data on it, it is encrypted. Not all the data "needs" to be encrypted, but it is a rule that I live by. Data is encrypted, period.
 
Everyone has an opinion. However, most people's data aren't at risk of being used if their computer was stolen. If you have an organization issued notebook and/or signed an agreement that the information you are working on is sensitive enough that it requires full boot disk encryption, then this is part of the group I mentioned. The average, general home and small business user doesn't require it which is the majority of people. It's kind of strange that you have such an important job with sensitive data, that you would be trolling over encryption of a boot disk. My information was divulged from a profile, as well. Umm...which has nothing to do with this scenario. That was remotely, along with, the majority of data breaches and other means of infiltration. Even in a situation whereby your information was used, then OS boot disk encryption wouldn't even be a factor that could have protected you. I'm not obtuse to the point that I ever said anything related to it never being useful. Again, the majority of users of macOS do not require FV being enabled for a boot disk. Their dear pictures of family, home movies, movies, music, old/current tax, financial records aren't at risk of being used, even with the very small probability that their computer was stolen.
Why are they not at risk? Because their data wasn't targeted and isn't special except only to them. It has little to no value for someone else that stole their notebook or recipients thereafter.
File encryption for that data and not the entire OS disk would be plenty for those situations. Most users do not require an OS boot disk that's been encrypted. Of course, you can only convince those general users, which probably includes you, after they are in a situation whereby the difference between retrieving data by a legitimate service for a non-encrypted boot drive and one that has been encrypted is very, very costly between the two in the scenario that the encryption keys are damaged and/or you forgot the password. The bits are indecipherable and there are very, very few who may even have the means to recover it. Highly impossible. The cost and risk to the user is complete loss of data, performance hit, possible intermittent or incompatible issues with programs, and so forth. The pros of it are just that the user felt "more secure". When in reality them and their data is not that important because of having no value to those who would actually know how to use the data for gain or malicious reasons. Again, if it were that important to have a full boot disk encryption, then operating systems other than macOS who've been using this sort of method would have pushed to make it a requirement well before Apple. macOS comprises roughly 10% of the OS market share. Have you convinced yourself that this OS has been secured and improved on much more than all others? You would be wrong.

Totally agree with you. Seems like it's trendy to turn on FV2, I never used it myself on MBP or desktops. Also FV2 causes issues with Battle net games (updates, etc) and eGPU, more headaches than benefits, to be honest. I store all sensitive data in 1Password encrypted, rest of the disk is being unencrypted.
 
it is a rule that I live by.
As we become more dependent on technology, that'll be all the more relevant. In my case FV's just one layer of protection, I do not rely on it solely for keeping my data safe. When you work in the medical field, one layer is never enough.

This thread is rather moot going forward, since data encryption on new models is always on and offloaded to T2 chips by default like maflynn already mentioned. And considering Apple's data retrieval policy and removal of user agency, all the more reason to continue using multiple layers of data protection rather than surrendering total control to them in case of data loss.
 
since data encryption on new models is always on and offloaded to T2 chips by default like maflynn already mentioned.

Not to beat a dead horse and it's a personal choice of whether you want FV enabled, even though it's not required. But, there's a difference between the T2 chip purpose for storage encryption and FV which is for encrypted volumes on storage mediums. So, FV isn't enabled by default and such requires user choice. Even in this scenario, although highly suggested by Apple, it shows that it's not a requirement.

https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

My intent is I could care less what choice you make about using it. Just don't spread misinformation to others that they absolutely have to enable this feature. It's unnecessary and has been since the introduction of FV. It's been pushed more for marketing purposes to infatuate the importance of an Apple computer and its "security" over another platform. A hardened, SELinux supported and enabled PC is much more secure. Your data is at a much higher risk of being compromised with the network communication channels the device uses, tracking of mobility, personal use, and social engineering aspects of infiltration, than the need for OS boot encryption.
 
It was on by default, so I use it. Had I needed to turn it on directly, I probably would not have. But, so far, so good.
 
So... my thoughts regarding encryption are that unless you really, really need it for a solid reason -- it's something better off left alone. My opinion only.

Any miscreant with moderate technical ability can take the average person's computer and find enough information to easily take over that person's identity. To said miscreant, the luxury of that data would keep the rightful owner of it working for months to limit the damage. All data deserves encryption. Data has a high value.
 
Any miscreant with moderate technical ability can take the average person's computer and find enough information to easily take over that person's identity. To said miscreant, the luxury of that data would keep the rightful owner of it working for months to limit the damage. All data deserves encryption. Data has a high value.

This is highly dramatized and is an inaccurate representation of data as a whole. But, again you can believe whatever propaganda and use a feature that has more potential to cause issues and troubleshoot all that you want. However, this doesn't negate that you don't know what you're talking about either.
 
This is highly dramatized and is an inaccurate representation of data as a whole. But, again you can believe whatever propaganda and use a feature that has more potential to cause issues and troubleshoot all that you want. However, this doesn't negate that you don't know what you're talking about either.

Do what you want with your data. I'm sure using any form of encryption would cause you trouble. Good luck.
 
Not to beat a dead horse...
The horse has long been dead, and you're the one still beating it. Okay, this will be my last reply to you in this thread. So, please read it c.a.r.e.f.u.l.l.y this time around.

"since data encryption on new models is always on and offloaded to T2 chips by default like maflynn already mentioned."

This is what you quoted off my reply. Data encryption always on by default on new models, NOT FV.

"So, FV isn't enabled by default and such requires user choice"
Correct, I didn't say that FV is enabled by default or even hinted at it. This is comprehension error #1 on your part. mkay?

As to "Just don't spread misinformation to others that they absolutely have to enable this feature." Please, cut the hyperbole and think rationally for a moment. Is believing that it's better to enable FV encryption to safeguard users' data, the same as everyone should absolutely have to enable said feature? No, I'm merely stating a fact. I'm using a MBP that doesn't have a T2 chip and FV is fast and compatible enough on my machine to warrant having it enabled for my needs. It's not enough though, I use additional layers of encryption through other more powerful programs as well, like I mentioned earlier.

The other part that I find amusing is, I never compared the security of MacOS or MBPs to other OS's or computers at any point in this thread, yet you called me "another ridiculous Apple enthused elitist" earlier for no reason, and then made it a point that there are other Linux-based systems that are more secure. Obviously you're distraught. Does it really bother you that much that someone you don't even know says he likes enabling realtime encryption on his computer because he needs it and it makes data more secure in a mac environment? Lighten up man, just a little.

Other aspects of security risks like ones you mentioned are well-chronicled but they are beyond the scope of this thread's discussion. I thank you for bringing them up though, for what it's worth.
 
The horse has long been dead, and you're the one still beating it. Okay, this will be my last reply to you in this thread. So, please read it c.a.r.e.f.u.l.l.y this time around.

"since data encryption on new models is always on and offloaded to T2 chips by default like maflynn already mentioned."

This is what you quoted off my reply. Data encryption always on by default on new models, NOT FV.

"So, FV isn't enabled by default and such requires user choice"
Correct, I didn't say that FV is enabled by default or even hinted at it. This is comprehension error #1 on your part. mkay?

As to "Just don't spread misinformation to others that they absolutely have to enable this feature." Please, cut the hyperbole and think rationally for a moment. Is believing that it's better to enable FV encryption to safeguard users' data, the same as everyone should absolutely have to enable said feature? No, I'm merely stating a fact. I'm using a MBP that doesn't have a T2 chip and FV is fast and compatible enough on my machine to warrant having it enabled for my needs. It's not enough though, I use additional layers of encryption through other more powerful programs as well, like I mentioned earlier.

The other part that I find amusing is, I never compared the security of MacOS or MBPs to other OS's or computers at any point in this thread, yet you called me "another ridiculous Apple enthused elitist" earlier for no reason, and then made it a point that there are other Linux-based systems that are more secure. Obviously you're distraught. Does it really bother you that much that someone you don't even know says he likes enabling realtime encryption on his computer because he needs it and it makes data more secure in a mac environment? Lighten up man, just a little.

Other aspects of security risks like ones you mentioned are well-chronicled but they are beyond the scope of this thread's discussion. I thank you for bringing them up though, for what it's worth.

Here was your first reply and comparison which was an ignorant, and more accurately borderline stupid comparison. So, yeah, you don't know what you're talking about.

nerowolfe19 said:
"Most people lock their residences/cars/public lockers/etc before leaving. They keep their behinds covered too. The nerve of those ordinary people! Who the heck do they think they are?!"
 
Again, the majority of users of macOS do not require FV being enabled for a boot disk. Their dear pictures of family, home movies, movies, music, old/current tax, financial records aren't at risk of being used, even with the very small probability that their computer was stolen.

I have truly seen it all now... You're arguing that users shouldn't enable Full Disk Encryption ...

There is literally zero cost to enabling encryption on modern computers. For starters, CPUs have built-in AES acceleration (which is why it is faster to access an HTTPS site than an HTTP one even though HTTPS uses AES encryption). Additionally, SSDs and modern HDDs both default to encryption all the time since it has zero impact on performance (meaning the drive CPU can encrypt data at a rate faster than the drive can write it out and this is true for both slow HDDs and super fast NVMe drives). Drives use this to enable support for the Secure Erase ATA function that enables instant secure drive wiping by deleting the encryption keys.

There is zero reason for anyone to not enable Full Disk Encryption, like File Vault. The biggest risk a user has is losing their recovery key and for average users Apple allows them to store this in iCloud to minimize the chance they'll be unable to recover. To recommend otherwise is mind boggling in 2019...
 
I have truly seen it all now... You're arguing that users shouldn't enable Full Disk Encryption ...

There is literally zero cost to enabling encryption on modern computers. For starters, CPUs have built-in AES acceleration (which is why it is faster to access an HTTPS site than an HTTP one even though HTTPS uses AES encryption). Additionally, SSDs and modern HDDs both default to encryption all the time since it has zero impact on performance (meaning the drive CPU can encrypt data at a rate faster than the drive can write it out and this is true for both slow HDDs and super fast NVMe drives). Drives use this to enable support for the Secure Erase ATA function that enables instant secure drive wiping by deleting the encryption keys.

There is zero reason for anyone to not enable Full Disk Encryption, like File Vault. The biggest risk a user has is losing their recovery key and for average users Apple allows them to store this in iCloud to minimize the chance they'll be unable to recover. To recommend otherwise is mind boggling in 2019...

Obviously, you can’t interpret arguments either. There’s a difference between shouldn't and not required. I argued it’s not required for most people. I even said enable if you want but deal with any issues that could potentially arise from it. Apple doesn’t enable it by default and neither do other OS distributions. You obviously don’t know much about when and encrypting data is actually needed, suggested, and subjective to different requirements.
 

You sure do go to great extents to discourage using encryption.

Maybe encryption pissed in your Wheaties at some point in your past, or perhaps you feel that your righteous position is one of the ultimate arbitrator for when mortals should or should not use it. I think at some point people will just stop listening to you screech your nonsense.
 
You sure do go to great extents to discourage using encryption.

Maybe encryption pissed in your Wheaties at some point in your past, or perhaps you feel that your righteous position is one of the ultimate arbitrator for when mortals should or should not use it. I think at some point people will just stop listening to you screech your nonsense.

Not really, but I do know to admit whenever I don't know whether something is a requirement. FV being enabled isn't a requirement. If it were, then it would have been enabled by default by Apple much like all the other OS distributors. It's people that don't know what they're talking about, such as yourself, who suddenly make claims that it is and are wrong. Stop informing people that it's something they should do and that it's only a choice. Instead people such as yourself, insinuate that if a user doesn't, then they are at great risk if their computer is compromised. When the fact is, unless they have a requirement for OS boot encryption, then the most they would need to feel safe about their data being read is file system encryption for just the data. If they prefer the boot OS drive to be encrypted, then fine. But, it still doesn't mean that it was required and they can deal with the increased probability of problems from it in the future, even if, it didn't really provide them any more protection than a placebo effect because it was enabled. Again, the reason I state placebo effect is because unless the data is targeted, then it's of little value to the thief who stole the physical notebook. It's only the people who are constantly chiming in because I disagreed by citing an example that it wasn't required.
 
FileVault does slow disk read/write speeds but with today's SSDs the effect is not noticeable. E.g., the chart below is from this ArsTechnica article. My own testing has shown similar.


[Attached image: chart from the ArsTechnica article]


I have used FileVault on all my drives for some years but I have just turned it off for my iMac and immediately notice the external drives mount on reboot much more quickly than they did when they were encrypted....some taking 30 seconds to appear.

Bottom Line is that there is a performance penalty but probably not enough to not use FV if you need it, especially on faster machines.

The above is all pre T2 chip, of which I have no experience, but get the impression it reduces/eliminates(?) the penalty.
 
The above is all pre T2 chip, of which I have no experience, but get the impression it reduces/eliminates(?) the penalty.

T2 enabled Macs don't have an unencrypted option. Enabling (or not enabling) FV only adjusts the encryption key used.

I'm "new" to the Mac having purchased my 2018 as the first one since like 1996 or something. But I thought the 2016 MBP shipped with an SSD as standard. If so, I'm very surprised the drive wasn't encrypted by default like the 2018 model. Encrypting by default for SSDs and wiping the key with ATA Secure Erase is a key feature to reduce SSD wear. Since SSDs can't be truly "wiped" due to wear leveling algorithms.

Basically, SSDs encrypt by default to allow you to wipe the drive without needing to write a ton of useless writes that may not go to all cells since the wear leveling algorithm may shift where your writes actually end up.
 
Not really, but I do know to admit whenever I don't know whether something is a requirement. FV being enabled isn't a requirement. If it were, then it would have been enabled by default by Apple much like all the other OS distributors.

Perhaps you think I'm another poster within this thread. I have not mentioned FV or encryption being a "requirement". It's not, and Apple made the correct choice by making it optional. Your confusing of posters within this thread does not help your position.

It's people that don't know what they're talking about, such as yourself, who suddenly make claims that it is and are wrong.

You don't have a clue what my expertise or background is, so stop while you are ahead. You have been insulting and condescending throughout this thread.

Stop informing people that it's something they should do and that it's only a choice. Instead people such as yourself, insinuate that if a user doesn't, then they are at great risk if their computer is compromised. When the fact is, unless they have a requirement for OS boot encryption, then the most they would need to feel safe about their data being read is file system encryption for just the data. If they prefer the boot OS drive to be encrypted, then fine. But, it still doesn't mean that it was required and they can deal with the increased probability of problems from it in the future, even if, it didn't really provide them any more protection than a placebo effect because it was enabled. Again, the reason I state placebo effect is because unless the data is targeted, then it's of little value to the thief who stole the physical notebook. It's only the people who are constantly chiming in because I disagreed by citing an example that it wasn't required.

My position is that the average person does have reason to enable FV. Here is a simple test question one can use to determine if they should use encryption:

-- Would you care if a random person/thief was able to access and look through all of your data if your computer were lost or stolen?

If the answer is no, do not use encryption.

If the answer is yes, encrypt your data.

Forget all the other distractions and misdirection. The conclusion is simple.
 
I'm not using FileVault for one simple reason, Avid is strongly against it. :)
Actually, I've never tried it, since I'm constantly jumping between Logic and Pro Tools, but it might be wise to try it since I'm also using this MacBook Pro (15", 2015) as my daily driver.

Anyone have experience with encryption and pro music apps?
 
I'm not using FileVault for one simple reason, Avid is strongly against it. :)
Actually, I've never tried it, since I'm constantly jumping between Logic and Pro Tools, but it might be wise to try it since I'm also using this MacBook Pro (15", 2015) as my daily driver.

Anyone have experience with encryption and pro music apps?

File Vault is completely transparent to applications running on your machine. Applications are not aware of its use one way or the other.
 
File Vault is completely transparent to applications running on your machine. Applications are not aware of its use one way or the other.

Many seem to agree, even here
http://duc.avid.com/showthread.php?t=399315

But Avid is being Avid, as usual...
http://avid.force.com/pkb/articles/en_US/troubleshooting/Mac-FileVault-and-Media-Composer

That's why I'm asking if anyone is using FileVault and ProTools problem free (even Logic Pro for that matter).
But, I'm willing to test it as soon as some not so important project comes along (aka some non paid work for a friend :D).
 
Many seem to agree, even here
http://duc.avid.com/showthread.php?t=399315

But Avid is being Avid, as usual...
http://avid.force.com/pkb/articles/en_US/troubleshooting/Mac-FileVault-and-Media-Composer

That's why I'm asking if anyone is using FileVault and ProTools problem free (even Logic Pro for that matter).
But, I'm willing to test it as soon as some not so important project comes along (aka some non paid work for a friend :D).

That's odd. They don't really provide any reasoning or justification for suggesting it be turned off. It would be interesting to know their reasoning behind it, or if there are others with knowledge or insight on the recommendation.

Let us know what you end up doing and what results you get.
 
And again - enabling encryption has no downsides, negligible performance drop with software based Bitlocker, none at all with T2 equipped Macs.
I agree totally.

Just a small aside, Bitlocker will also use hardware based encryption if your SSD supports it which most do these days. This removes the 5% (according to Microsoft it is small single digit) CPU overhead that using software based bitlocker imposes.

In either case it is obvious everyone should use FDE. Identity theft is a thing and if you don't encrypt your whole disk then your passwords, bank details etc *will* be stored in the clear in some cache or sleepimage - it is insufficient to just encrypt certain volumes.

That is why all new phones (of any type) are encrypted by default. Android for example will encrypt your whole phone with a password of (literally) "default_password" if you don't set one. The overhead of changing this to your own password is zero as it is encrypted anyway.

The only risk of using encryption is forgetting your password, your biometric details and any backups you may have made.
 
Just a small aside, Bitlocker will also use hardware based encryption if your SSD supports it which most do these days. This removes the 5% (according to Microsoft it is small single digit) CPU overhead that using software based bitlocker imposes.
Yes, but you have to jump through some hoops to get it done, plus there are some known vulnerabilities when using hardware based SSD encryption (depending on manufacturer), to mitigate which Microsoft recommends just enabling software based Bitlocker.
 