
Peter Franks

I may be missing something really obvious here and this may be something that sounds stupid?
I've never used FileVault ever, and maybe I didn't understand it correctly....

But.... if turning on FileVault is supposed to stop people from being able to view your files and folders if stolen,
When I switch on my Mac, I have to enter my password,
When FileVault is turned on, I have to enter my password.
How is FileVault going to make any difference, if someone has your password alone?

What am I missing here? Basically, if you have my password to log in, if FileVault is on or off, what difference?
Or.... do you have to enter the recovery key every time you switch on as well as the password, or is that just for turning FileVault on or off?
 
If someone has your computer login password or your disk encryption password, FileVault will not help you in any meaningful way.

It’s designed to help you in situations where someone gets physical access to your computer and doesn’t have your login password: there are many ways to access the contents of your disk without knowing the password. FileVault makes it nearly impossible to do so (in any realistic scenario).

Do note that in modern Macs FileVault is always on for the internal SSD. If you “disable” it at the OS level it is still active, so there’s no performance difference, but you don’t need the user key to read the disk. This doesn’t apply to external disks.

If you enable FileVault for an external drive and allow the Mac to memorize the key, then anyone who has your login password can access the keychain and read the disk key from there. If you don’t save the disk key this way and someone doesn’t have the key, he can’t read the disk even if he has the login password (unless it’s currently unlocked in your computer), but you will have to enter the key each time you want to unlock the disk.
 
Thank you!!
'there are many ways to access the contents of your disk without knowing the password. FileVault makes it nearly impossible to do so'.
That explains perfectly what I couldn't figure out.

Speaking of external drives. If I turn on FileVault (and I’m still on High Sierra by the way, not a modern Mac)… and I CCC as a backup. Does that also encrypt, despite it not being a startup disk backup?

And finally, if I copy stuff for work from Mac to a USB and give it to someone from encrypted drive, is that also encrypted and needs my log in password? Thanks
 
> Speaking of external drives. If I turn on FileVault (and I’m still on High Sierra by the way, not modern Mac)… and I CCC as a back up. Does that also encrypt, despite it not being a start up disk back up.

No, CCC works on a file level, FileVault encrypts on a block level.

> And finally, if I copy stuff for work from Mac to a USB and give it to someone from encrypted drive, is that also encrypted and needs my log in password? Thanks

No, same reason.

Whether the file is read from an unencrypted drive or read from an encrypted drive and decrypted on the fly, the decrypted file is written to the target drive. The target drive might itself have FileVault, with a different password, and in that case it would encrypt the data again, but that's completely independent.
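
To make "file level" versus "block level" concrete, here is an added toy model in Python (not written by anyone in this thread, and not how FileVault or CCC are actually implemented). The `Volume` class, its method names, the passwords and the sample file are all constructed for illustration, and the cipher is a stand-in for the real one.

```python
import hashlib
BLOCK = 16  # toy block size in bytes

class Volume:
    """A drive. `raw` is what you would see reading the hardware directly.
    Toy SHA-256 keystream for illustration, not the AES-XTS FileVault uses."""
    def __init__(self, password=None, nblocks=32):
        self.raw = [bytes(BLOCK)] * nblocks
        self.key = hashlib.sha256(password.encode()).digest() if password else None
        self.files, self.next_free = {}, 0   # file table kept in memory for brevity

    def _crypt(self, n, data):
        if not self.key:                      # unencrypted volume: pass through
            return data
        stream = hashlib.sha256(self.key + n.to_bytes(8, "big")).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    # --- block level: numbered blocks, no idea what a "file" is ---
    def write_block(self, n, data):
        self.raw[n] = self._crypt(n, data)
    def read_block(self, n):
        return self._crypt(n, self.raw[n])

    # --- file level: names and contents, no idea encryption exists ---
    def write_file(self, name, data):
        padded = data + bytes(-len(data) % BLOCK)
        self.files[name] = (self.next_free, len(data))
        for i in range(0, len(padded), BLOCK):
            self.write_block(self.next_free, padded[i:i + BLOCK])
            self.next_free += 1
    def read_file(self, name):
        start, size = self.files[name]
        count = -(-size // BLOCK)             # ceiling division
        blocks = [self.read_block(start + i) for i in range(count)]
        return b"".join(blocks)[:size]

def copy_file(src, dst, name):
    """What Finder or a file-level backup does: read the file, write the file."""
    dst.write_file(name, src.read_file(name))

def visible_on_raw_disk(vol, needle):
    """Can someone who pulls the drive find this text without the password?"""
    return needle in b"".join(vol.raw)

if __name__ == "__main__":
    mac, usb = Volume("login-password"), Volume()
    mac.write_file("work.txt", b"constructed sample: payroll figures")
    copy_file(mac, usb, "work.txt")
    print(visible_on_raw_disk(mac, b"payroll"), visible_on_raw_disk(usb, b"payroll"))
```

Run directly, it prints `False True`: the text is unreadable on the encrypted Mac's raw blocks but sits in the clear on the USB stick it was copied to.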
 
Thank you. I don't understand 'file level' and 'block level', but it answers the question as in no it won't be encrypted on the external drive/USB, so thanks for the info.
 
> but it answers the question as in no it won't be encrypted on the external drive/USB, so thanks for the info.

It won't be encrypted by default, but you can encrypt external drives.

You can see here where I have my external CCC backup drive encrypted.

 
> You can encrypt a USB key just like I did my drive. Just click erase in Disk Utility and select APFS encrypted.

Thank you. So no way of encrypting without erasing a USB stick, because I presume you can only do USB from Disk Utility as opposed to the switching on FileVault for the internal that doesn't erase the drive....
 
You can encrypt a disk without erasing its contents, provided it is formatted in APFS or HFS+.

Usually USB sticks are formatted FAT32 or exFAT. You can check a disk's format in Finder with the info panel in the "format" header.

If the disk is not APFS or HFS+ you need to reformat it first, which will erase its contents. Take note that these formats are readable only from Macs (you can buy Windows software to read them though).

If you have an APFS or HFS+ disk that you want to encrypt, in Finder right click on the disk icon and an entry "encrypt" will be available. By selecting it you'll be able to pick up an encryption password and start the process.

Encrypting the disk might take a very long time, depending on its size and contents, but you can use the disk in the meanwhile and disconnect it; the process will resume when reconnected. Of course the disk will still not be fully protected until the process is done.
 
Thanks for that. Well explained. No USB I have is APFS or HFS+ and if they were they probably wouldn't work on a TV after I assume.

I've now turned on FileVault on the MBP with High Sierra and it took around 2 days on a 500 SSD.
Start up is slow now and this overly bright white screen is now the login page, instead of the wallpaper as was before turning it on. And in the top right corner of login page a keyboard icon and 'BRITISH' comes up. Is that usual after FileVault is on?
 
Yes... that is normal. When you turn on FV on a boot drive, when you reboot, the Mac is not actually booting from the startup OS partition, but from a small startup volume that is not encrypted. That boot partition presents the login screen that allows you to unlock and boot from the main OS volume.
 
Thank you!

I won't fully pretend to know what that means, keyboard wise and which boot etc., but as you say it's normal, that's good enough for me. Is that switch-on screen the only option? That overly bright whiteness isn't changeable to something less bright? Thanks again
 