
asiga

I’m getting mine next Friday, and one of the first things I plan to do is to enable FileVault. But FileVault is driven by the T2 chip, and maybe there’s some connection to the BridgeOS KP issues... so...

Do you have a 2018 MBP with FileVault enabled? Are you suffering BridgeOS KPs? What MacOS version and supplemental updates are you using?

Thanks!
 
Running with FileVault from the start, OS is Mojave. Never had a kernel panic.
 
Enabled FileVault from the start as well. Running High Sierra with the 2nd Supplemental Update. I've had exactly one kernel panic related to Bridge OS.
 
2018 15" MBP owner here, FileVault enabled from the start and never had a Kernel Panic – while some people experience Kernel Panics, I highly doubt there's any correlation to FileVault. Also, you might like to know that Macs with the T2 chip now always encrypt the content of the SSD, independently of whether FileVault is enabled and with the encryption key being stored in the Secure Enclave. The only difference FileVault seems to make now is whether or not the SSD encryption key is stored there in unencrypted form or if it is encrypted with the user password while being stored there; FileVault no longer affects whether the content of an SSD as a whole is encrypted or not.

This has some nice benefits like that enabling/disabling is now instantaneous on Macs with the T2 chip, as opposed to taking many hours/days. So if you don't decide right away but reconsider later, it makes switching it on/off pretty easy and pain-free.
 
I have it on, but I've yet to get my brain wrapped around the fact that on or off, the drive is already encrypted. I'm not sure why we even have that option.
 
> I have it on, but I've yet to get my brain wrapped around the fact that on or off, the drive is already encrypted. I'm not sure why we even have that option.
The option for FileVault you mean? Well, with FileVault, accessing the SSD requires the user password and the T2's encryption key for the SSD; without FileVault, it only requires the T2's encryption key. ;)

The T2's encryption key is something the T2 chip handles all on its own; it mostly means that the SSD's content can't be accessed without the respective T2 chip at play. I'm not sure how helpful it is when a potential thief of your MacBook tries to access the SSD content, as the T2 chip would presumably still do its job and decrypt it without FileVault enabled (though I guess it might still help depending on how he would try to access it, as booting from external drives, for example, is disabled per standard on T2 Macs). With FileVault, however, the T2 chip cannot decrypt the SSD without the user passwords/secondary key.
 
> Do you have a 2018 MBP with FileVault enabled? Are you suffering BridgeOS KPs? What MacOS version and supplemental updates are you using?
I have FV on with both the supplemental updates installed and get no KPs. There is a long thread about these KPs, people in that thread are reporting the problem whether they have FV on or not, so I don't think there is any connection to FV being on causing this.
 
> I have it on, but I've yet to get my brain wrapped around the fact that on or off, the drive is already encrypted. I'm not sure why we even have that option.

If you have neither FileVault nor firmware password set, then absolutely nothing stops you booting into recovery mode and copying whatever you want off the internal SSD onto an external drive. (I just verified this myself, though logically I couldn't see any reason why it wouldn't have worked.)

If firmware password is set but FileVault not, then you probably are reasonably secure, as you can't access recovery boot without the FW password. Though I suspect that Apple's recovery tool that reportedly connects via USB to extract information from SSD on partially dead machines might still work? This is a big unknown though, and it may be that even this tool would need FW password as it's the T2 that manages this too.

If FileVault is set, then presumably nothing but having the password or recovery key will let you access the data.
 
> Also, you might like to know that Macs with the T2 chip now always encrypt the content of the SSD, independently of whether FileVault is enabled and with the encryption key being stored in the Secure Enclave. The only difference FileVault seems to make now is whether or not the SSD encryption key is stored there in unencrypted form or if it is encrypted with the user password while being stored there; FileVault no longer affects whether the content of an SSD as a whole is encrypted or not.
>
> This has some nice benefits like that enabling/disabling is now instantaneous on Macs with the T2 chip, as opposed to taking many hours/days. So if you don't decide right away but reconsider later, it makes switching it on/off pretty easy and pain-free.
Ooops!! I completely forgot this! And yes, this changes things quite a bit!
> I have FV on with both the supplemental updates installed and get no KPs. There is a long thread about these KPs, people in that thread are reporting the problem whether they have FV on or not, so I don't think there is any connection to FV being on causing this.
Yep, but I remember having read (and I think it was in that thread) that Apple support staff recommended to avoid using FileVault to those users affected. But, obviously, if the T2 is always encrypting the SSD no matter your FV setting, it's hard to imagine why FV could increase the chance of getting KPs...
 
> Yep, but I remember having read (and I think it was in that thread) that Apple support staff recommended to avoid using FileVault to those users affected.
Yeah... I saw that too earlier, but it does not seem to matter. I think the Apple support person was just grasping at straws.
 