File Vault?

[Porkchop Sandwich]

Probably a silly question but, I simply do not know the answer and in anticipation of the receipt of my new MBP..

File Vault - I always encrypt my disks but I'm wondering if it's really necessary. Does disk encryption offer any online protection, at all? Or, is it literally just to protect your computer and its content from physical intrusion?

 

[Howard2k]

Just local. Arguably malware could come in from online of course.

 

[maflynn]

I always encrypt my disks

If you buy a Touchbar equipped MBP, then your disk will be encrypted anyways. I'm still not sure what advantages enabling FV is on these machines, but the data is encrypted.

Does disk encryption offer any online protection

None what's so ever. It only protects you from someone trying to read/access your data without authorization. If you're online and malware somehow installed on your system, I don't think you'll be protected.

wondering if it's really necessary

Sure, someone walks into your house, grabs your laptop and all of sudden they have your personal information. If its anything like me, they have your taxes, financial records, and other things that could make life difficult.

 

[iMacDragon]

If you buy a Touchbar equipped MBP, then your disk will be encrypted anyways. I'm still not sure what advantages enabling FV is on these machines, but the data is encrypted.

recovery mode will probably allow you to access data on local machine if you've not enabled filevault, still.

 

[maflynn]

recovery mode will probably allow you to access data on local machine if you've not enabled filevault, still.

I don't know, maybe, I've not messed with my system and tbh, I'm not willing too given some of the headaches some people went through with the T2 and recovery mode.

 

[SDColorado]

If you buy a Touchbar equipped MBP, then your disk will be encrypted anyways. I'm still not sure what advantages enabling FV is on these machines, but the data is encrypted.

If my understanding is correct, the advantage of enabling FV on the T2 equipped machines is that while the T2 encrypts the disk, it is FV that acts as a gatekeeper and requires a password to decrypt it.

 

[Lennyvalentin]

If my understanding is correct, the advantage of enabling FV on the T2 equipped machines is that while the T2 encrypts the disk, it is FV that acts as a gatekeeper and requires a password to decrypt it.

That is what I've gathered as well, pretty much. While T2 encrypts always, it automatically presents the OS with the decryption key if filevault is disabled, so the drive appears unencrypted. If FV is enabled, the encryption key is based on/combined with the user's password, so OS can't/won't automatically gain disk access.

...From what I understand, anyway.

 

[SDColorado]

That is what I've gathered as well, pretty much. While T2 encrypts always, it automatically presents the OS with the decryption key if filevault is disabled, so the drive appears unencrypted. If FV is enabled, the encryption key is based on/combined with the user's password, so OS can't/won't automatically gain disk access.

...From what I understand, anyway.

Sounds more detailed than my attempt. I knew I was paraphrasing from memory and lacked the details

 

[iMacDragon]

That is what I've gathered as well, pretty much. While T2 encrypts always, it automatically presents the OS with the decryption key if filevault is disabled, so the drive appears unencrypted. If FV is enabled, the encryption key is based on/combined with the user's password, so OS can't/won't automatically gain disk access.

...From what I understand, anyway.

Sounds about right, and also is why enabling filevault is essentially instant.

 

[Porkchop Sandwich]

This is turning out to be quite an informative thread and I'd like to thank everyone who's taken the time to respond. Keep it coming.

Obviously, Touch ID is quite a nice touch (no pun intended) as it relates to quick access to your desktop.

My computers do indeed have very, very sensitive information on them at times however, they remain in secure locations that nobody has access to. That being said, I would be susceptible to someone with nefarious intent despite the unlikelihood of intrusion.

Recently, I've had nothing but troubles with a few of my computers for no apparent reason. Things like slow wake times, which I mistook for a lack of power altogether until I realized...that lead to attempts at recovery in a manner that would wipe my hard drive altogether. Unfortunately, I get to the apple screen and the progress bar gets to about the half way point and then just hangs. I've let the computer set for hours with no joy. I'm typing this on one of my 'backup' computers that I 'somehow' managed to wipe and then performed a re-install of Sierra but trust me, it wasn't ez to get there. The computer (mid 2014) had HSierra on it and to be candid, High Sierra seemed just terrible to me from the perspective of reliability. (e.g., slow start-up, no wake, turning off randomly when the computers only been closed, etc..etc)

Obviously, the new mbp will be delivered to me w/HS installed. I am looking forward to Mojave and have high hopes for it. (I loved Snow Leopard but that's neither here nor there)

My troubles in getting my desktop up & running seemed far out of the ordinary and I have a sense (don't know why) that a lot of it has to do with FV. Frankly, I don't know. What I do know is this..my recent experience has struck very similar to my Windows days & that's a punishment near as death so far as I'm concerned.

'It just works' - I really, really hope Mojave will inspire that same sort of confidence once again.

..sorry for the ramblings..

 

[sosumi99]

Sounds about right, and also is why enabling filevault is essentially instant.

This is a really helpful discussion. Does this mean that on a T2-equipped Mac, enabling FV therefore imposes no performance penalty whatsoever?

I’m also curious as to how this affects the use of software like Carbon Copy Cloner to create a bootable backup. I’ve seen discussions of how to do this with FV-enabled disks, but not how this interacts with the T2-enabled-by-default disk encryption. Thanks in advance for any clarification.

 

[buran-energia]

It offers local protection, and even then I have a feeling that Apple, NSA and certain third party companies can still access it, as it's not open source and we can't check

If you buy a Touchbar equipped MBP, then your disk will be encrypted anyways. I'm still not sure what advantages enabling FV is on these machines, but the data is encrypted.

Maybe on 2018, but on previous versions, you should be able to get access by booting macOS via external drive or other OS.

 

[Porkchop Sandwich]

fwiw - the only way I was able to get the drive on the backup computer up and going again was to pull the drive & shove it into an enclosure I already had. Once installed into the enclosure; I used disk utility from my iMac to wipe the drive. Following that, I did a fresh install of Sierra while making the new enclosed drive bootable. Once I verified I could boot the drive, out of the enclosure it came and back into it's proper spot within the computer. I'm still dealing with slow wake-ups but at least I can get into the damn thing.

Once I had all that in place, I installed a spare drive I had from a '13 MBP that was rained on and lost..(I know, I'm an idiot). I wiped the drive, installed a bootable copy of Sierra, and then used Migration assistant to 'restore' my most sensitive files, calendar, et al from a TM backup of my workhorse computer (workhorse computer's fine btw). Now at least I can rest assured I have 'my computer' tucked away in a safe (on the enclosure) should troubles persist. As I said, my workhorse computer is fine, thankfully, but I aint' taking any chances!! How sad is that? My workhorse is a 2017 15" mbp.

 

[iMacDragon]

This is a really helpful discussion. Does this mean that on a T2-equipped Mac, enabling FV therefore imposes no performance penalty whatsoever?

I’m also curious as to how this affects the use of software like Carbon Copy Cloner to create a bootable backup. I’ve seen discussions of how to do this with FV-enabled disks, but not how this interacts with the T2-enabled-by-default disk encryption. Thanks in advance for any clarification.

That is my understand, no performance penalty at all on T2 systems, can't comment on bootable backups, though, such things in general seem slightly more complicated with the new security settings.