
dpo

macrumors member
Original poster
Nov 18, 2008
70
0
Just started setting up my new 16".

Very little was installed -- just the factory install of Catalina. Enabling FileVault was instantaneous -- suspiciously so, no progress bar or anything. I could swear that on Mojave/my old 15" (2018), it took a few minutes at least.

Is this new as of Catalina / the new Macs?
 
I apologize if this was in the article but I didn't see it - what does it use for an encryption key if you don't choose to add FileVault/password? How would one decrypt it, if for example one had to put the SSD on another computer to get data off of it?
You can't move the SSD from the MacBook Pro as it's just chips soldered to a board, but for a computer like the iMac Pro, the disk is not readable if moved to a different computer. It's all detailed in here: https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
 
@Weaselboy or @maflynn
If the drive is already encrypted, what is the reason to turn on FileVault?
To be doubly-encrypted?

I Google'd this
https://macpaw.com/how-to/use-filevault-disk-encryption
https://www.imore.com/what-filevault-and-it-right-you
to try to find the answer but it doesn't mention the drive is already encrypted.
Refer to the PDF link above your post.
Without turning on FileVault, the disk is encrypted but it's automatically unlocked at power-on, so there's no protection if someone turns on your computer or enables target disk mode.
 
Refer to the PDF link above your post.
Without turning on FileVault, the disk is encrypted but it's automatically unlocked at power-on, so there's no protection if someone turns on your computer or enables target disk mode.
Thank you @chrfr

related from page 6 in apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

All APFS volumes are created with a volume key by default. Volume and metadata contents are encrypted with this volume key, which is wrapped with the class key. The class key is protected by a combination of the user’s password and the hardware UID when FileVault is enabled. This protection is the default on Mac computers with the T2 chip.

If FileVault isn’t enabled on a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted, but the volume key is protected only by the hardware UID in the Secure Enclave.
If FileVault is enabled later—a process that is immediate since the data was already encrypted—an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
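
A simplified model of the key wrapping quoted above, added here as an illustration (it is not Apple's implementation and not code from this thread): it shows why enabling FileVault later is immediate, since only the small wrapped-key blob is rewritten while the bulk data stays as it was. Assumptions: the class-key layer is collapsed into a single key-encryption key, the HMAC-based wrap and the stream cipher are toy stand-ins for real AES primitives, and `generation` is a hypothetical stand-in for the anti-replay mechanism.

```python
import hashlib, hmac, secrets

def derive_kek(uid, password, generation):
    # KEK depends on the hardware UID, the optional password and an anti-replay counter.
    mode = b"uid-only" if password is None else b"uid+password"
    salt = uid + mode + generation.to_bytes(8, "big")
    return hashlib.pbkdf2_hmac("sha256", password or b"", salt, 10_000)

def wrap(kek, key):
    # Toy authenticated wrap (HMAC keystream + tag), standing in for a real AES key wrap.
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(key, stream))
    return body + hmac.new(kek, b"tag" + body, hashlib.sha256).digest()

def unwrap(kek, blob):
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or stale blob")
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

class ToyVolume:
    def __init__(self, plaintext):
        self.uid = secrets.token_bytes(32)   # stands in for the hardware UID
        self.generation = 0                  # hypothetical anti-replay state
        volume_key = secrets.token_bytes(32)
        self.disk = self._crypt(volume_key, plaintext)  # bulk data, encrypted once
        self.wrapped = wrap(derive_kek(self.uid, None, 0), volume_key)

    @staticmethod
    def _crypt(key, data):
        # Toy stream cipher (SHA-256 in counter mode); XOR makes it its own inverse.
        out = bytearray()
        for i in range(0, len(data), 32):
            pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
        return bytes(out)

    def enable_filevault(self, password):
        # Only the small wrapped-key blob is rewritten; self.disk is untouched.
        volume_key = unwrap(derive_kek(self.uid, None, self.generation), self.wrapped)
        self.generation += 1
        self.wrapped = wrap(derive_kek(self.uid, password, self.generation), volume_key)

    def read(self, password=None, blob=None):
        kek = derive_kek(self.uid, password, self.generation)
        return self._crypt(unwrap(kek, blob or self.wrapped), self.disk)
```

Before `enable_filevault` is called, `read()` succeeds with no password, which is the "automatically unlocked at power-on" state described earlier in the thread; afterwards the same call fails, and so does any attempt to reuse the old UID-only blob.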
 