FileVault vs "Native Encryption"

Discussion in 'macOS High Sierra (10.13)' started by Guitar_t-bone, Sep 25, 2017.

  1. Guitar_t-bone macrumors newbie

    Guitar_t-bone

    Joined:
    Sep 25, 2017
    #1
    I installed MacOS High Sierra today. As I was browsing the net, I read that APFS has "native encryption". Does this mean that FileVault is just a redundancy now?

    If I disable FileVault will my data still remain encrypted or has FileVault been converted to basically an on/off switch for the APFS native encryption?
     
  2. Troneas macrumors 65816

    Troneas

    Joined:
    Oct 26, 2011
    Location:
    At the alternatives section.
    #2
    I'd like to know this too... I formatted the drive to APFS encrypted *and* I've got FV turned on.

    Does this mean my drive is encrypted twice?
     
  3. Naaaaak, Sep 25, 2017
    Last edited: Sep 25, 2017

    Naaaaak macrumors 6502

    Joined:
    Mar 26, 2010
    #3
    I am also concerned from a performance perspective. According to this, APFS is significantly slower:

    Code:
    Speed in MB/s:
               HFS+     HFS+ Encrypted    APFS     APFS Encrypted
    1M WRITE   1375     1373              1372     933
    1M READ    2446     2340              2162     1304
    4K WRITE   852      797               502      378
    4K READ    2106     1486              2156     1001

    EDIT: Beta benchmarks.
     
  4. Guitar_t-bone, Sep 25, 2017
    Last edited: Sep 25, 2017

    Guitar_t-bone thread starter macrumors newbie

    Guitar_t-bone

    Joined:
    Sep 25, 2017
    #4
    That's.... That's incredibly disturbing....
    --- Post Merged, Sep 25, 2017 ---
    Then again though... If you look at this video (it's in German, but you can still see the relevant comparisons by reading what's on the guy's screen) it shows improvements in all areas. Also what you posted could be inaccurate since that was from beta. Apple has made performance changes in the last two months since that.
     
  5. cm_junk macrumors newbie

    Joined:
    Jul 24, 2017
    Location:
    Toronto
    #5
    This was done using a beta from July, not the final release.
     
  6. Guitar_t-bone thread starter macrumors newbie

    Guitar_t-bone

    Joined:
    Sep 25, 2017
    #6
    UPDATE: I also posted this question on Reddit. I seem to have found a legitimate answer from there. I copy/pasted it below for those who are still following this thread.



    youngermann 35 minutes ago
    I am pretty sure APFS(Encrypted) == FileVault Encryption
    I did not choose the APFS Encrypted option when I formatted my boot drive for the HS install. I formatted it to just APFS.
    When the FileVault option screen came up, I chose to turn on encryption. After the install, Disk Utility shows the boot volume now as APFS(Encrypted).

    ------------------------

    cbackas42 27 minutes ago
    This is correct. "FileVault" is essentially the marketing name for encrypting the boot volume.

    ------------------------

    Guitar_t-bone[S] 19 minutes ago

    Thank you very much for the clarification.

    Though, I do wonder. Given the fact that both HFS+ and APFS utilize FileVault, what is the difference between the acclaimed APFS "native encryption" and HFS+ "non-native encryption"?

    ------------------------

    cbackas42 14 minutes ago

    HFS+ does not support encryption. In order to accomplish it, a whole new layer called "CoreStorage" was created. CoreStorage can be encrypted, and HFS+ can live inside CoreStorage. CS is sort of a giant hack to graft new capabilities onto an old OS. Using CS Encryption on your boot drive is called "FileVault", but you can certainly CS Encrypt pretty much any drive you want - it's the same encryption.

    APFS supports it intrinsically. I'm not sure if it's "stronger" encryption than what CS used or not, but it's certainly more flexible. We aren't seeing the full extent of what it can do just yet (things like per-file encryption) - maybe in future releases. But it's the same situation, it's called 'FileVault' when applied to your boot volume, but you CAN encrypt any volume and it's the same encryption.

    They're just using FileVault as a blanket term so that end users have an idea of what they're getting without having to understand the confusing situation underneath.
     
  7. SRLMJ23 Contributor

    SRLMJ23

    Joined:
    Jul 11, 2008
    Location:
    In between Syracuse, NY and Albany, NY
    #7
    This seems correct because I did a clean install and chose APFS (Encrypted) and when the install was done, I checked to see if I could enable FileVault or not, and it was ALREADY enabled. So APFS (Encrypted) is just APFS with FileVault enabled during installation. At least that is how I see it.

    Thank you for finding this for us that had this question though!

    :apple:
     
  8. Guitar_t-bone thread starter macrumors newbie

    Guitar_t-bone

    Joined:
    Sep 25, 2017
    #8
    I'll be honest. I, being only a moderately tech savvy person, was under the interpretation that "native encryption" meant everything was just encrypted to begin with. I will preface by stating that I did not use FileVault to encrypt my data in previous macOS and OS X versions.

    When I installed High Sierra today, it prompted me to set an encryption password as well as sign into iCloud in case I need to recover my encrypted drive. Thinking nothing of it, I put in the info. Then I noticed that FileVault was beginning to encrypt my drive. I started getting confused since I didn't understand what native encryption was. I was thinking it was encrypting an already encrypted volume. Obviously, that sounded like a really bad idea, so I sought clarification.

    I'm glad to see I'm not the only person that didn't quite understand what was going on.
     
  9. gmanist1000 macrumors 68030

    gmanist1000

    Joined:
    Sep 22, 2009
    #9
    FileVault is just a GUI. The name is throwing people off, but it's the newest version of APFS's native encryption.

    From ArsTechnica: "FileVault in High Sierra isn’t technically full-disk encryption; it merely encrypts the parts of the disk that are actively being used. Other disk encryption systems (including Microsoft’s BitLocker) offer this kind of encryption but also let you go ahead and encrypt all free space on the volume, too, if you want. Apple doesn’t let you choose, and it doesn’t even tell you there’s a difference."
     
  10. Guitar_t-bone thread starter macrumors newbie

    Guitar_t-bone

    Joined:
    Sep 25, 2017
    #10
    Why would you want to encrypt something that simply says, "there is nothing here"?
     
  11. Mike Boreham macrumors 68000

    Joined:
    Aug 10, 2006
    Location:
    UK
    #11
    Good summary. I would just add that because APFS supports encryption, there is no reboot when you turn on Filevault. When you turn on Filevault on an HFS+ volume it has to reboot because of the conversion to CoreStorage.
     
  12. yadmonkey macrumors 65816

    yadmonkey

    Joined:
    Aug 13, 2002
    Location:
    Western Spiral
    #12
    I upgraded my unencrypted drive to High Sierra and APFS today, but see in DU that my boot drive was not encrypted by default. Am I correct that I need to enable FileVault to get APFS encryption now? But doing so will NOT do the CoreStorage workaround, right?
     
  13. Mike Boreham macrumors 68000

    Joined:
    Aug 10, 2006
    Location:
    UK
    #13
    Correct on both questions. You need to turn on FV and it will not convert to CoreStorage, hence no reboot required.
     
  14. curmudgeonette macrumors 6502

    Joined:
    Jan 28, 2016
    Location:
    California
    #14
    Because there might have been something "there". In other words, that file of important data, which you simply deleted, is still on the drive until overwritten. Further, with an SSD, trying to overwrite before delete won't actually wipe out the data. Instead, the block will simply be added to the (end of the) queue of blocks into which to write fresh data.
     
  15. Guitar_t-bone thread starter macrumors newbie

    Guitar_t-bone

    Joined:
    Sep 25, 2017
    #15

    So... I just finished encrypting my drive. It took all night.

    Now I know benchmarks are supposed to be done on an empty drive etc. And this is by no means meant to be taken as gospel.

    However just for the sake of preliminary, non-scientific info, going from HFS+ decrypted to APFS encrypted is as follows according to a simple Blackmagic Disk Speed Test on my Late 2013 MacBook Pro 15inch retina 512GB PCIe SSD:

    HFS+ decrypted = 705MB/s write and 727.2MB/s Read

    APFS encrypted = 684.2MB/s write and 707.7 Read

    This comes down to about a 3% reduction in performance in both read and write.
     
  16. TETENAL macrumors regular

    Joined:
    Nov 29, 2014
    #16
    But the deleted file would still be encrypted "there", if you had encryption enabled before you deleted it.

    Only files deleted before FileVault was enabled would linger unencrypted in free space.
     
  17. killawat, Sep 26, 2017
    Last edited: Sep 26, 2017

    killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #17
    Also you may be able to infer certain things from the partition map. From a security standpoint, it's better to say that all 500 GB of a given sample disk are encrypted rather than only 50 GB of 500 GB being in use, or 450 GB out of 500 GB being used. This can be used to assess, very loosely, how heavily used a machine is and for what purpose.
     
  18. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #18
    For those who updated to High Sierra, (or are thinking about it) and turned on FileVault but did not get a generated master key, you can generate a key for your current system password using the following terminal command.


    sudo fdesetup changerecovery -personal
    You will be prompted for the current system password.
    Enter the password again.
    A new FileVault generated key will be shown in the terminal.
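
A read-only check to go with the command in post #18, added here as an example and not part of any poster's message: it classifies the text printed by `fdesetup status` and `fdesetup haspersonalrecoverykey`. The function names and sample strings are constructed for illustration, and the "in progress" wording is an assumption about what `fdesetup status` prints while a volume is still converting.

```shell
#!/bin/sh
# Added example: audit FileVault state without changing anything.

# Constructed sample output (not captured from a real machine).
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
# Assumed wording for a volume that is still being encrypted.
SAMPLE_BUSY="FileVault is On.
Encryption in progress: Percent completed = 45"

# fv_state STATUS_TEXT -> on | off | converting | unknown
fv_state() {
    case "$1" in
        *"in progress"*)      echo converting ;;  # not fully protected yet
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# fv_audit STATUS_TEXT HAS_KEY_TEXT -> one-word finding
# HAS_KEY_TEXT is the output of `fdesetup haspersonalrecoverykey`
# ("true" or "false"); anything else, such as empty output when the
# command was not run as root, is reported as key-unknown.
fv_audit() {
    case "$(fv_state "$1")" in
        off)        echo "unencrypted" ;;
        converting) echo "conversion-in-progress" ;;
        unknown)    echo "unknown" ;;
        on)
            case "$2" in
                true)  echo "encrypted-with-personal-key" ;;
                false) echo "encrypted-no-personal-key" ;;
                *)     echo "encrypted-key-unknown" ;;
            esac ;;
    esac
}

# On a Mac, query the real tools; elsewhere only the functions are defined.
if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status 2>/dev/null)
    has_key=$(fdesetup haspersonalrecoverykey 2>/dev/null)
    echo "FileVault audit: $(fv_audit "$status" "$has_key")"
fi
```

Run it with `sudo` on the Mac being checked so the recovery-key query can answer; an `encrypted-key-unknown` result means that query returned nothing usable.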
     
  19. macagain macrumors 6502

    macagain

    Joined:
    Jan 1, 2002
    #19
    So, I did a clean install after formatting the ssd as APFS encrypted. Filevault was automatically turned on. I turned off Filevault, and that caused it to decrypt the entire disk. After decryption, the disk then showed as plain APFS in disk utility.
     
  20. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #20
    My disk is APFS encrypted. I ran a few Black Magic tests. And the first results were slightly slower (especially the read). I left it going and after the 3rd test, the read / write speeds were back up to where they were before I upgraded to HS. Anecdotal I know but, just wanted to throw it out there. I am not really concerned about the slight hit. The stock Apple SSD is still much faster than anything else I have seen. I'd rather be protected than focus on benchmark tests.
     
  21. SRLMJ23 Contributor

    SRLMJ23

    Joined:
    Jul 11, 2008
    Location:
    In between Syracuse, NY and Albany, NY
    #21
    Thank you for this! I thought maybe I missed where it showed me the key, but now I know it never did show me a key. Did what you said to do and have my key now!

    :apple:
     
  22. Mike Boreham macrumors 68000

    Joined:
    Aug 10, 2006
    Location:
    UK
    #22
    It won't show a key if you chose the retrieve via iCloud account option. I suspect if you let it encrypt during the install it will use iCloud retrieval by default, and you don't get a choice.
     
  23. Mcmeowmers macrumors 6502

    Joined:
    Jun 1, 2015
    #23
    How would an attacker know there is nothing there anyways?
     
  24. thisMRguy macrumors member

    Joined:
    Jan 9, 2013
    #24
    So... let me get this clear. After installing HS I can disable FileVault, which I presume is active by default as I installed HS over the previous OS?

    I'm not looking to secure my data as such, as I don't with this laptop, but having both forms of encryption would be pointless and take a bigger hit in performance too?
     
  25. SaSaSushi macrumors 601

    SaSaSushi

    Joined:
    Aug 8, 2007
    Location:
    Takamatsu, Japan
    #25
    If you turn off Filevault, you turn off the encryption.
     
