Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Filevault needed on a MBP 2019 with T2 chip?

M

MrMister111

macrumors 68040
Original poster
Jan 28, 2009
3,900
382
UK
Should you enable FileVault on a MBP 2019 with the T2 chip? It has an SSD and I believe the T2 is a security chip as well. But being a laptop could be lost, left etc.

It would be protected also with touchID and find my Mac, but suppose could either if lost be reformatted or SSD removed etc.

If FileVault is enabled does it slow down on day to day use? Imagine a bit better on an SSD but not sure if would or not.

What do others do?
Thanks
 
casperes1996 said:
With the T2 chip in it, it's actually the case that the drive is encrypted regardless of whether or not you enable file vault. The only difference, I believe, is that file vault salts the encryption with a password of your choosing rather than just the T2's own hash. So there's no slow-down
Click to expand...

That's not true (none of it)
That's not entirely true
You can launch a T2 Mac in target disk mode and get data off if there's no FileVault.

The only thing T2 prevents (if you enable it, or rather, it's enabled by default):
- Only current signed OS version can boot it
- Only internal OS can boot it (no external booting)

but you can still run Target Disk Mode without it and access everything on the drive.
If you have FileVault enabled, the contents of the SSD are encrypted behind a password and can only be read if password is entered, else they're just garbled data

And yes, it's a performance hit using Filevault vs not using it. On T2 Macs, it's much faster than on previous generations and it doesn't task CPU as much, so its effectively negligible, but it's there nonetheless.

edit: Redacted
 
Last edited:
maflynn said:
But the data on the disk is encrypted, with or without FileVault.
Click to expand...
I mean. It doesn't really matter at all. You can access the data without password if you have physical access to the Mac in question, and you can't if you have FileVault enabled.

You cannot get the SSD out because its soldered, and even then (in case of iMac Pro), the SSD is just NAND chips, T2 being the controller of said chips, so without T2 you couldn't access it whether it was encrypted or not, because of Apple's proprietary way of handling the control of the storage chips.

I also believe the chips are paired to the T2 chip, because you need to do some security magic to enable new boards in case of removable storage.

But again, it's irrelevant in the case of MacBooks because the T2 and NAND is soldered on the same board. You could rip the board out, put it in a working mac, run it in target disk and get DATA off.

EDIT:
you're right about encryption tho

I edited both my posts to reflect that
[automerge]1572261675[/automerge]
What happens if you have a T2 Mac (that without FileVault you can easily wipe without a password) and you remotelock it via iCloud? Does it lock down even if a wipe is done on the original system?

Because I was under the impressions that OS installation is tied to Find My Mac (because I have Find My Mac enabled per-OS, not per-Mac basis)
 
Last edited:
So I’m still confused! This would be a MacBook Pro, so let’s say lost/stolen of the whole MacBook Pro what would happen?

I know would have “find my Mac” which I believe you can remote erase? That would be first thing to do, but if didn’t have access to this quickly could someone in this target mode without FileVault on get your data, and maybe passwords?
 
It is encrypted in either case. From Apples T2 Security document:

If FileVault isn’t enabled on a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted, but the volume key is protected only by the hardware UID in the Secure Enclave. If FileVault is enabled later—a process that is immediate since the data was already encrypted—an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
Click to expand...

Apple T2 Security Chip: Security Overview [pdf]https://www.apple.com › mac › docs › Apple_T2_Security_Chip_Overview
 
  • Like
Reactions: chabig and maflynn
MrMister111 said:
So I’m still confused! This would be a MacBook Pro, so let’s say lost/stolen of the whole MacBook Pro what would happen?

I know would have “find my Mac” which I believe you can remote erase? That would be first thing to do, but if didn’t have access to this quickly could someone in this target mode without FileVault on get your data, and maybe passwords?
Click to expand...

Yes. If you don't enable filevault, despite the encryption, someone with physical access to your computer could run it in target disk mode and get all the data before computer could access any networks to lock itself up.

If you are afraid of that happening, you should set a FileVault password. On a T2 mac, it shouldn't affect performance at all.

All the people saying that it's encrypted are correct, however, because the person accessing your data would have access to both the key stored without password (T2 chip) and data at the same time, he could access it via target disk mode.

The non-password protected encryption would make the data unreadable if you would somehow get SSD chips without the paired T2. Aside from physically unsoldering them, that's a very unlikely scenario in a MacBook Pro, because they're on the same motherboard.
[automerge]1572267905[/automerge]
Howard2k said:
It is encrypted in either case. From Apples T2 Security document:



Apple T2 Security Chip: Security Overview [pdf]https://www.apple.com › mac › docs › Apple_T2_Security_Chip_Overview
Click to expand...

The issue here is that while it's encrypted, your mac gets stolen with the key which is in the T2, so effectively without password, it's like someone stole a locked briefcase with key attached to it.

It just means that putting same SSD chips to another T2 chip will render the SSD unreadable by them, but this is only applicable to the iMac Pros and Mac Pros as of now.

There's no practical way of separating T2 (encryption) and data (storage) on a MacBook, because they're soldered to the same board.

edit:
The only other thing that's possible is that target disk mode requires Firmware password, if one is set?
But I don't recall having to do anything of such when running my T2 macs in target disk... (I have FileVault disabled)
[automerge]1572268440[/automerge]
Writeup:
I just tried booting my Mini 2018 in Target Disk Mode, with Filevault disabled. Just held T. No password needed. So T2 autodecrypts the drives in target disk if no password is set.

So it's indeed as I speculated. The encryption itself, if not password protected, prevents SSDs to be read by another T2 chip, if you somehow got storage only without T2 chip (applicable in an iMac Pro) but that's it
 
Last edited:
So a risk then, really should have FileVault on then if this is the case.

Wonder how many do have it enabled then
 
MrMister111 said:
So a risk then, really should have FileVault on then if this is the case.
Click to expand...
Particularly with the new T2 Mac like you have that has no speed hit, there really is no good reason not to enable FV. It gives you added security.

When you set it up make sure you make a recovery code and print it out and save it somewhere, because if you forget that password your data is going to be locked up.

I always enable it first thing out of the box.
 
MrMister111 said:
So a risk then, really should have FileVault on then if this is the case.

Wonder how many do have it enabled then
Click to expand...
I always have my FileVault on. As others have said, people can access your data (by using it as a target mode) if it is not turned on.

Having FileVault on along with disabling external boot will render your MBP useless for anyone who takes your MBP.
 
MrMister111 said:
Should you enable FileVault on a MBP 2019 with the T2 chip? It has an SSD and I believe the T2 is a security chip as well. But being a laptop could be lost, left etc.

It would be protected also with touchID and find my Mac, but suppose could either if lost be reformatted or SSD removed etc.

If FileVault is enabled does it slow down on day to day use? Imagine a bit better on an SSD but not sure if would or not.

What do others do?
Thanks
Click to expand...
I tried to enable FileVault once and I immediately noticed how much slower my 2019 MBP 15 became so I turned it off right away.
 
Ultra Male said:
I tried to enable FileVault once and I immediately noticed how much slower my 2019 MBP 15 became so I turned it off right away.
Click to expand...

There is no performance difference. As others have already said, the disk is always encrypted. The only thing turning file vault on does is that it allows you to set a password. Your performance issues were either because if some bug, the machine updating the encryption state or possibly unrelated.
 
  • Like
Reactions: me55 and Ploki
leman said:
There is no performance difference. As others have already said, the disk is always encrypted. The only thing turning file vault on does is that it allows you to set a password. Your performance issues were either because if some bug, the machine updating the encryption state or possibly unrelated.
Click to expand...
Perhaps because it was still encrypting the entire disk it was slow. Anyway, I have no need for it. To each his own.
 
Ultra Male said:
Perhaps because it was still encrypting the entire disk it was slow. Anyway, I have no need for it. To each his own.
Click to expand...

You don’t need it though, until you need it...

That’s my worry that it slows down. I wouldn’t be taking the MacBook outside, but then again, easy to pickup if a burglary happens.

Is it easy to enable again and let it do its thing for a few hours and then try again? You say it slow, was this immediate and how did you tell? Hanging, programs taking longer? Access of disks etc longer?

Thanks
 
chrfr said:
It was something else. T2 disks are always encrypted even if you haven't turned on FileVault. Because the disk is always encrypted, turning on FileVault happens instantly.
Click to expand...
But if I do encrypt it and at some point I format my laptop, will I have any issues reinstalling macOS? or simply enter the encryption password and I'm done?
 
chrfr said:
It was something else. T2 disks are always encrypted even if you haven't turned on FileVault. Because the disk is always encrypted, turning on FileVault happens instantly.
Click to expand...

So why isn’t FileVault enabled by default on SSD with T2 chips? Seems to be better and so Apple should. I agree with choice but enable by default and explain why it’s on and what happens if off?
 
MrMister111 said:
So why isn’t FileVault enabled by default on SSD with T2 chips? Seems to be better and so Apple should. I agree with choice but enable by default and explain why it’s on and what happens if off?
Click to expand...

when you first setup your mac, FileVault is enabled. You have to consciously click "do not use FileVault" before proceeding.
 
  • Like
Reactions: MrMister111
If you have several computers, given that everything is synchronized through iCloud, it looks like File Vault would need to be turned on on all of them. Also, what happens with the IOS devices? (There is no File Vault equivalent on an IOS device, right?)
Or, once covered by File Vault, you will be askEd for password no matter where they’re accessed from?
 
sdp77 said:
If you have several computers, given that everything is synchronized through iCloud, it looks like File Vault would need to be turned on on all of them. Also, what happens with the IOS devices? (There is no File Vault equivalent on an IOS device, right?)
Or, once covered by File Vault, you will be askEd for password no matter where they’re accessed from?
Click to expand...
FV has no impact on how iCloud data works. You can have various devices with some encrypted and others not, and it does not matter for your iCloud data. It is all accessed the same way.
 
  • Like
Reactions: Peadogie
MrMister111 said:
So why isn’t FileVault enabled by default on SSD with T2 chips? Seems to be better and so Apple should. I agree with choice but enable by default and explain why it’s on and what happens if off?
Click to expand...

Probably because a lot of people forget their passwords and Apple can't decrypt disks encrypted with FileVault.
 
So has anyone, consumers or testers/magazine/tech staff done any tests that test all this? Specifically if it does indeed impact speed across the board on different apps etc?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back