
Vlad Soare

Original poster
Mar 23, 2019
Bucharest, Romania
Hello,

I've been reading all I could find about FileVault and how macOS encrypts hard drives, but the process is still not completely clear to me.
First of all, I understand that on Macs equipped with a T2 chip the hard drive is always encrypted anyway, using an encryption key that's stored in the T2 chip and is unique to each machine. This makes it impossible to access the data if you physically remove the drive and install it into a different machine.
Right?
However, this leaves the data accessible on your machine even without logging in (say, by booting into recovery mode). This is where FileVault comes in. Besides the already existing T2 encryption, it will also encrypt the drive using your macOS logon password (or a key derived from it), so that nobody but you can read the data.
Am I correct so far?

But this is where things start not to add up anymore, at least to me.

First, enabling FileVault on my Mac in the settings app (it was initially disabled) looked like an instantaneous operation, just like a flip of a switch. It said 'enabled', and that was it, end of story. How come? Shouldn't the drive be re-encrypted with a newly generated key? Surely that must take some time, mustn't it?

Second, if the drive is encrypted with my logon password, then what's the recovery key? Can the drive be decrypted either with my logon password or with the recovery key? Are there actually two different keys that can decrypt the drive independently of one another?
What's the point of having a recovery key? They say it's in case I forget my logon password. But why should I write down and securely store a recovery key, when I could just write down and securely store my logon password?

Third, if my logon password is used as an encryption key (or a part thereof), then how can other users log in? Can any logon password (i.e. for any registered user) decrypt the drive?

Fourth, when I restart the computer I don't get asked for a password to unlock the drive. I only get the usual login prompt after the operating system has loaded. So, I take it that the drive is already unlocked at that point, isn't it? Since the operating system resides on that very drive, I guess it must be decrypted for the OS to load, mustn't it?

Thank you.
 
It's actually fairly straightforward.

T/M Macs always encrypt files. FileVault on these encrypts only the encryption key with the user's password, hence why it's instantaneous. No new/different encryption happens other than on the key.

(The more complex/real answer is that the encryption key is encrypted by an intermediate key that is in turn encrypted by user password; that's how other users can unlock the drive: you add them to the list of accounts that can unlock and they need to provide their password to verify the account's password and they get their own encrypted copy of the intermediate key; see the diagram here)

Intel Macs without T2 will encrypt all/most of the drive when FileVault is enabled (depends on what OS: new OS with APFS, only encrypts what is in use and on demand vs HFS+ full-disk [uses CoreStorage which is basically a disk image/layer between OS and physical drive]).

Why recovery key? What if one does not write down their password(s) correctly, fat fingers their new password(s)? Basically, stuff happens (be it user or OS) and one can never be too careful; you don't want to be without a plan B when your data can become unrecoverable.

Login screen: The initial login screen seen at power-up is coming from a bare-bones OS (the preboot volume: diskutil list from Terminal) to prompt for passwords for accounts authorized to unlock the machine. If password correct, disk starts to decrypt and normal boot begins. So, disk does not decrypt until a valid credential is presented. Once this initial boot happens, if you simply logout of an account, will be presented with standard login screen as drive is now decrypted.

This is a bit old, but this paper (or the Powerpoint version) still sorta applies, as the process is somewhat similar today vs then (encrypted plist with HFS+ replaced with Secure Enclave keybag if T/M [still a plist if non-T Intel]). And see the earlier link in this post for getting current details on how it works.
 
The encryption process is not instantaneous. You can actually check on its progress from the command line. But, the OS lets you work with the disk during the encryption process.

Someone can probably give you a cleaner way, but with my APFS volumes, I look at "diskutil apfs list". Somewhere in that mess (I have 10 such volumes) is a progress percent for the volume undergoing encryption.
 
However, this leaves the data accessible on your machine even without logging in (say, by booting into recovery mode). This is where FileVault comes in. Besides the already existing T2 encryption, it will also encrypt the drive using your macOS logon password (or a key derived from it), so that nobody but you can read the data.
The data on the SSD is encrypted with a key stored in the Secure Enclave. FileVault encrypts that key with your user credentials. That's why it is instantaneous.
 
Thank you all. It's all clear now. Or at least I think so. I may come back with more questions later.

Actually, I do have another question. When you format an external hard drive as encrypted APFS, does this work the same as FileVault does? My guess would be no, since the encryption key cannot be tied to the current machine and stored in the T2 chip (or the M1 secure enclave) anymore - because that would render the drive unusable in any other machine, which would defeat the whole purpose of an external drive.
I guess in this case the password that you set for the drive is the actual encryption key of the data itself, rather than being used as an encryption key of an encryption key of an encryption key, like it happens with internal drives. Right?

But if that's the case, then I think that changing the encryption password would require decrypting and re-encrypting the drive, wouldn't it? When I changed the password for an external encrypted APFS drive, the process wasn't quite as instantaneous as the activation of FileVault, but still, it took just a few seconds (OK, maybe tens of seconds, I can't remember exactly).
 
But if that's the case, then I think that changing the encryption password would require decrypting and re-encrypting the drive, wouldn't it? When I changed the password for an external encrypted APFS drive, the process wasn't quite as instantaneous as the activation of FileVault, but still, it took just a few seconds (OK, maybe tens of seconds, I can't remember exactly).

Changing the password on an external drive does not redo the encryption of the contents of the drive. I might be using the wrong language, but the drive's password is used to unlock the encryption key, which encrypts the drive's contents. Changing the password does not change the encryption key. Changing the password changes the encryption of the data's encryption key. That's a very small thing to do and virtually instantaneous.

I can't remember exactly, but I think encrypting one of my 4TB external hard disks took a half hour. Even though the drive was completely usable during that time, "diskutil apfs list" clearly showed the progress creeping along from 0% to 100% over that half hour.

I tested this just now. I changed the password on an external drive and the output of "diskutil apfs list" shows the drive as still fully encrypted.
 
I'm going to do some more tests with my APFS disks to confirm what the display looks like when I decrypt and encrypt, to confirm what I'm saying is true. It appears I have to go through that process to change the password on an encrypted Time Machine disk (not sure why).

But, I can say for sure that volumes encrypted with Mac OS Extended are handled as "core storage" volumes and "diskutil cs list" shows them; it shows an output field labelled "Conversion Status". I am absolutely sure that there's a percent value appearing there for core storage volumes during the process.

The timing of your post is quite a coincidence for me since I'm working through some password changes anyway. It's a very hard memorization process for me, but I'm struggling through. :)
 
Changing the password on an external drive does not redo the encryption of the contents of the drive. I might be using the wrong language, but the drive's password is used to unlock the encryption key, which encrypts the drive's contents. Changing the password does not change the encryption key. Changing the password changes the encryption of the data's encryption key. That's a very small thing to do and virtually instantaneous.
I see.
So, when you format a volume as APFS encrypted, the computer generates an encryption key - let's call it K. This K will be used to encrypt the actual data on that volume. Then K is encrypted with your password, which gives a second key, say L. This L is stored somewhere on the drive. The next time you try to use the drive, macOS takes your password, reads L from the drive, combines them to obtain K, then uses K to decrypt the data.
If you want to change your password, then it encrypts K with your new password, which produces a new key, say M. Then L is overwritten by M. From now on, whenever you access the drive, it will decrypt M with your (new) password to get K.
Is this correct?
 
I see.
So, when you format a volume as APFS encrypted, the computer generates an encryption key - let's call it K. This K will be used to encrypt the actual data on that volume. Then K is encrypted with your password, which gives a second key, say L. This L is stored somewhere on the drive. The next time you try to use the drive, macOS takes your password, reads L from the drive, combines them to obtain K, then uses K to decrypt the data.
If you want to change your password, then it encrypts K with your new password, which produces a new key, say M. Then L is overwritten by M. From now on, whenever you access the drive, it will decrypt M with your (new) password to get K.
Is this correct?

I used to really understand encryption in the late 90's. In fact, I studied the ENTIRE "Applied Cryptography" book by Schneier (2nd edition). I gave a talk on one of its topics and even wrote him with a math correction (which I assume he ignored). At this later date, I'm a bit of a dinosaur on the topic. I'm completely unqualified to confirm your mental model of the process. I'll only say that my mental model is consistent with yours.
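To make the hierarchy concrete, here is an added, constructed model (not Apple's code or on-disk format) of what the first reply describes and what the K/L/M model above spells out: the data is encrypted with one volume key, that key is wrapped by an intermediate key, and each authorized account (plus the recovery key) holds its own copy of the intermediate key wrapped under a password-derived key. Real APFS uses AES-XTS for data and AES key wrapping; the XOR-with-HMAC keystream below is a standard-library stand-in so the example runs offline, and the slot names, passwords and file contents are made up. An external encrypted APFS volume is the same picture with one layer fewer (no per-machine Secure Enclave key underneath).

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # one HMAC-SHA256 digest per keystream block


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (constructed stand-in for AES): XOR the data with an
    # HMAC-SHA256 counter keystream. The same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(4, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + BLOCK], pad))
    return bytes(out)


def wrap(wrapping_key: bytes, secret: bytes) -> bytes:
    # Encrypt `secret` under `wrapping_key` and append an HMAC tag, so that an
    # attempt with the wrong key is rejected instead of yielding garbage.
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(wrapping_key, nonce, secret)
    tag = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted wrapped key")
    return _xor_stream(wrapping_key, nonce, ct)


def password_to_key(password: str, salt: bytes) -> bytes:
    # Slow KDF so that guessing passwords against a stolen wrapped key is costly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Volume:
    """data <- VEK (the thread's K) <- KEK <- per-slot password key / recovery key."""

    def __init__(self, first_user: str, password: str):
        vek = secrets.token_bytes(32)      # volume encryption key; only ever stored wrapped
        kek = secrets.token_bytes(32)      # intermediate key shared by all unlock slots
        self.wrapped_vek = wrap(kek, vek)
        self.wrapped_keks = {}             # slot name -> (salt, KEK wrapped under that slot's key)
        self.files = {}                    # file name -> nonce + ciphertext
        self._add_slot(first_user, password, kek)

    def _add_slot(self, slot: str, password: str, kek: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.wrapped_keks[slot] = (salt, wrap(password_to_key(password, salt), kek))

    def _kek(self, slot: str, password: str) -> bytes:
        salt, wrapped_kek = self.wrapped_keks[slot]
        return unwrap(password_to_key(password, salt), wrapped_kek)

    def unlock(self, slot: str, password: str) -> bytes:
        # Password -> password key -> KEK -> VEK. Raises ValueError on a wrong password.
        return unwrap(self._kek(slot, password), self.wrapped_vek)

    def add_user(self, existing: str, existing_pw: str, new_user: str, new_pw: str) -> None:
        # An already-authorized account hands the KEK to a new account, which gets
        # its own wrapped copy. Neither the data nor the VEK is touched.
        self._add_slot(new_user, new_pw, self._kek(existing, existing_pw))

    def change_password(self, slot: str, old_pw: str, new_pw: str) -> None:
        # Only this slot's wrapped KEK is rewritten (the thread's L replaced by M).
        self._add_slot(slot, new_pw, self._kek(slot, old_pw))

    def add_recovery_key(self, existing: str, existing_pw: str) -> str:
        # The recovery key is simply one more unlock slot with a random secret.
        recovery = secrets.token_hex(16)
        self.add_user(existing, existing_pw, "recovery", recovery)
        return recovery

    def write(self, vek: bytes, name: str, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(16)
        self.files[name] = nonce + _xor_stream(vek, nonce, plaintext)

    def read(self, vek: bytes, name: str) -> bytes:
        blob = self.files[name]
        return _xor_stream(vek, blob[:16], blob[16:])


def demo() -> dict:
    # Constructed walk-through: create, write, add a user and recovery key,
    # change the password, and confirm the stored ciphertext never changed.
    vol = Volume("vlad", "correct horse")
    vol.write(vol.unlock("vlad", "correct horse"), "notes.txt", b"secret notes")
    ciphertext_before = dict(vol.files)

    vol.add_user("vlad", "correct horse", "guest", "hunter2")
    recovery = vol.add_recovery_key("vlad", "correct horse")
    vol.change_password("vlad", "correct horse", "new passphrase")

    try:
        vol.unlock("vlad", "correct horse")
        old_password_rejected = False
    except ValueError:
        old_password_rejected = True

    return {
        "data_untouched": vol.files == ciphertext_before,
        "same_vek_for_all": vol.unlock("vlad", "new passphrase")
        == vol.unlock("guest", "hunter2")
        == vol.unlock("recovery", recovery),
        "old_password_rejected": old_password_rejected,
        "guest_reads": vol.read(vol.unlock("guest", "hunter2"), "notes.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the thread keeps circling back to is visible in `demo()`: adding a user, adding a recovery key and changing a password each rewrite one small wrapped key blob, while `vol.files` is byte-for-byte unchanged, which is why the operations are instantaneous compared with the initial encryption of the data itself. The HMAC tag on each wrapped key is also what lets the unlock screen tell a wrong password from a right one without touching the data.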
 
I'm going to do some more tests with my APFS disks to confirm what the display looks like when I decrypt and encrypt, to confirm what I'm saying is true. It appears I have to go through that process to change the password on an encrypted Time Machine disk (not sure why).

Sorry to say that an APFS volume used by Time Machine can have its password changed without decrypting and encrypting. So I didn't do the exercise I'd promised.
 
Yeah, actually the external drive I was talking about above was my Time Machine backup. :)
I guess APFS is APFS, whether it's used by Time Machine or not.
 