Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

FileVault - Yes or No

SRQrws

macrumors newbie
Original poster
Aug 4, 2020
23
22
I'm curious as to how many people use FileVault and if it's really necessary on Macs with SSDs, T2 chips and auto-login disabled. I guess my question is, if you are set up to always require a password for login and you don't have a platter HDD that could be removed if stolen and accessed, is FileVault really necessary? I do encrypt my Time Machine backups on external drives and clearly understand the reason for doing so. But with the T2 chip, if someone stole the Mac and removed the SSD, could they get data from it? This may be a trivial question for the experts here, but I appreciate anyone's thoughts.
 

hobowankenobi

macrumors 68000
Aug 27, 2015
1,611
560
on the land line mr. smith.
A fair question. I think the answer will vary widely based on lots of variables, including overall security config, use/travel/theft risk, and what is on the machine (how sensitive).

Back in the bad old days, as you rightly point out, it was fairly trivial to access a drive via TDM, or remove the drive to access data.
OTOH...whith spinning disks, performance hits as well as initial encryption time was good reason NOT to encrypt it.

All of that is essentially gone now (at least on recent Macs) so...the old habits (both for and against) need to be retired.

The only reason that gives me pause to use filevault is on mutli-user machines, such as a school lab or shared work station.

That...and the fear that some users simply will forget their PW, and that becomes a pain for everybody, in a much bigger way than just forgotten log-in credentials.
 
Comment

TrevorR90

macrumors 6502
Oct 1, 2009
278
181
I don’t think having it on will hurt performance in any way. It’s another layer of security and like I said, it doesn’t hurt to have it on.
 
Comment

Boyd01

Moderator
Staff member
Feb 21, 2012
5,273
2,478
New Jersey Pine Barrens
I don't have an external GPU, but there has been discussion in the Mini forum that with filevault enabled, the password prompt will only appear on a directly-connected monitor. So, if your monitor(s) are connected to the eGPU, you don't see the password dialog at startup.
 
  • Like
Reactions: Yebubbleman
Comment

Apple_Robert

Contributor
Sep 21, 2012
20,977
23,582
In the middle of several books.
With the newer machines, you can’t tell that FV is on. It is that seamless. I highly recommend turning it on.

I agree with the prior posts talking about the slow old days. The lag was noticeable and it would take days to encrypt a large drive. Glad those days are over.
 
  • Like
Reactions: Photopooba
Comment

mj_

macrumors 65816
May 18, 2017
1,132
718
Austin, TX
But with the T2 chip, if someone stole the Mac and removed the SSD, could they get data from it?
Admittedly, that would no longer be possible. However, there are still multiple ways to access your files with FileVault2 disabled. For example, you could boot into target disk mode and have full access to the drive. If your Mac has booting from external sources enabled you could also boot from a USB drive and have full access to the drive. Booting from external sources is not enabled? No biggie, just boot into recovery and either make a full copy using disk utility or, even better, use the Terminal to reset the user's password, then simply boot the Mac normally and have full access to everything on the drive.

There are probably more ways that I did not think of right now.
 
Comment

SRQrws

macrumors newbie
Original poster
Aug 4, 2020
23
22
Admittedly, that would no longer be possible. However, there are still multiple ways to access your files with FileVault2 disabled. For example, you could boot into target disk mode and have full access to the drive. If your Mac has booting from external sources enabled you could also boot from a USB drive and have full access to the drive. Booting from external sources is not enabled? No biggie, just boot into recovery and either make a full copy using disk utility or, even better, use the Terminal to reset the user's password, then simply boot the Mac normally and have full access to everything on the drive.

There are probably more ways that I did not think of right now.
Thank you for the detailed info. I had no idea there were multiple ways to circumvent the login password to access data. I just enabled FileVault on all my Macs.
 
Comment

sgtaylor5

Contributor
Aug 6, 2017
255
121
Cheney, WA, USA
Point of interest: I know this fact isn’t relevant to modern MacBook Pro with the T2 chip, but I recently found out that FV made my late 2013 MBP (i5/8/256) run 2 or 3 degrees warmer (consistently on High Sierra and Mojave, using Macs Fan Control set at 3000 rpm and CPU PECI as the temp source)
 
Comment

mj_

macrumors 65816
May 18, 2017
1,132
718
Austin, TX
That's because the CPU in your 2013 is so old that it lacks the hardware decryption logic (AES-NI) required for quick and efficient on-the-fly de- and encryption, which must therefore be performed using regular x86 ALU execution units. As far as I understand older implementations of AES-NI lack support for a specific algorithm that Apple uses for FileVault2 encryption but don't quote me on that.

More recent implementations of AES-NI should no longer have that problem.
 
Comment

sgtaylor5

Contributor
Aug 6, 2017
255
121
Cheney, WA, USA
Thank you for that explanation; others who visit this thread will want to see it.

Only in the computer industry could a 2013 device be considered “old” <grin>. It took me many decades until the situation was right in my life and I could buy my current Mac at half price when it was five years old. Love it; it’s been a workhorse for me.
 
  • Like
Reactions: Boyd01
Comment

avz

macrumors 65816
Oct 7, 2018
1,196
1,338
Thank you for that explanation; others who visit this thread will want to see it.

Only in the computer industry could a 2013 device be considered “old” <grin>. It took me many decades until the situation was right in my life and I could buy my current Mac at half price when it was five years old. Love it; it’s been a workhorse for me.

I have FV enabled on my Late 2008 MacBook on both drives(Mavericks on HFS+ original 5400rpm HDD and Mojave on APFS SSD). I don't notice any performance hits or changes in temperatures. You might want to look into replacing a thermal compound and cleaning the dust inside the machine/replacing a battery.
 
Comment

BuffyzDead

macrumors regular
Dec 30, 2008
120
103
I'm curious as to how many people use FileVault and if it's really necessary on Macs with SSDs, T2 chips and auto-login disabled. I guess my question is, if you are set up to always require a password for login and you don't have a platter HDD that could be removed if stolen and accessed, is FileVault really necessary? I do encrypt my Time Machine backups on external drives and clearly understand the reason for doing so. But with the T2 chip, if someone stole the Mac and removed the SSD, could they get data from it? This may be a trivial question for the experts here, but I appreciate anyone's thoughts.

This timely article will shed more light for all to decide.
 
Comment

Yebubbleman

macrumors 68040
May 20, 2010
3,978
961
Los Angeles, CA
I'm curious as to how many people use FileVault and if it's really necessary on Macs with SSDs, T2 chips and auto-login disabled. I guess my question is, if you are set up to always require a password for login and you don't have a platter HDD that could be removed if stolen and accessed, is FileVault really necessary? I do encrypt my Time Machine backups on external drives and clearly understand the reason for doing so. But with the T2 chip, if someone stole the Mac and removed the SSD, could they get data from it? This may be a trivial question for the experts here, but I appreciate anyone's thoughts.

FileVault 2 being "necessary" is subjective. If you're in a business, it's probably necessary for the exact same reasons that BitLocker or some other Windows full-disk-encryption software package is. If it's just you and you don't have any sensitive information on your Mac, then it's a matter of personal preference.

To answer your question "if someone was able to remove the SSD on a T2 Mac, would they be able to get at the data?", the short answer is no.

The SSDs are integrated (read: soldered) onto the main logic board on MacBook Pros, MacBook Airs, and Mac minis introduced from 2018 onward, so that's not even physically possible. They're technically completely removable on the Mac Pro and iMac Pro, and partially removable on 4TB and 8TB 2020 27" iMacs (in that part of the drive is on the logic board and part of it is in a 2-4TB expansion module). The T2 is the SSD controller on all T2 Macs, and the T2 is paired with the storage at the factory. If you remove the storage modules from the logic board of the T2 Mac it was initially paired with, the data is effectively lost.

As was stated above, you can still use Target Disk Mode on a Mac to get files off without having to enter any kind of password. Yes, your data is always encrypted on a T2 Mac, but you have no protection mechanism in place to block Target Disk Mode from making your T2 Mac still accessible to another Mac.

Turning on FileVault 2 on a T2 Mac doesn't encrypt your drive. The drive is already encrypted by default (and there's no off switch). All it does is associate (and enforce) the protection of having to enter either a key or a username and password when accessing the drive via something like Target Disk Mode. You can functionally enable the same protection to your drive by setting a firmware password. In a business setting, FileVault 2 is much more preferred as you can escrow EVERY FileVault 2 key to a centralized database using an institutional FileVault 2 key. Plus it removes the need of changing EVERY Mac's FIRMWARE PASSWORD when a high-level IT employee leaves the company.

I'm not the biggest on FileVault 2, personally. I think it's clunky and there are inherent quirks that can make diagnosing a Mac with issues all the harder to deal with when enabled. But, certainly, on a T2 Mac, it's made to be so quick and easy you don't need to really think about it. Turning it on and off is instantaneous and ultimately doesn't have the kinds of ramifications you might have on a non-T2 Mac.

I don’t think having it on will hurt performance in any way. It’s another layer of security and like I said, it doesn’t hurt to have it on.

On a T2 Mac, it doesn't impact performance at all. Turning on FileVault 2 on a T2 Mac just associates FileVault with the existing hardware encryption.

Whereas, on a pre-T2 Mac, enabling FileVault 2 requires actually encrypting the drive and will definitely entail slower drive performance. Albeit, the difference in performance won't be noticeable on an SSD safe for super disk intensive workflows. Casual users ought to not notice a difference in performance at all.
 
Comment

mj_

macrumors 65816
May 18, 2017
1,132
718
Austin, TX
Whereas, on a pre-T2 Mac, enabling FileVault 2 requires actually encrypting the drive and will definitely entail slower drive performance. Albeit, the difference in performance won't be noticeable on an SSD safe for super disk intensive workflows. Casual users ought to not notice a difference in performance at all.
Excellent point, I forgot to mention that. I ran benchmarks with on my external Samsung 970 EVO inside a USB 3.2 Gen 1 case on a 2017 iMac, aka one without T2 chip. Without FileVault2 I get over 950 MB/s in both read and write. With FileVault2 enabled I get around 650 MB/s writes around 750 MB/s reads. There is thus a measurable yet unnoticeable impact on storage performance.
 
Comment

cool11

macrumors 68000
Sep 3, 2006
1,529
140
That's because the CPU in your 2013 is so old that it lacks the hardware decryption logic (AES-NI) required for quick and efficient on-the-fly de- and encryption, which must therefore be performed using regular x86 ALU execution units. As far as I understand older implementations of AES-NI lack support for a specific algorithm that Apple uses for FileVault2 encryption but don't quote me on that.

More recent implementations of AES-NI should no longer have that problem.

So, it would be a pain to turn on filevault in my mbp 15' late 2013?

I still do not understand, practically what filevault can offer to a user.

I use to have all my precious/private data, in encrypted dmg images.
I open them when I need something from there, some of them rare, some of them everyday.
I do not say that it is the best encryption tool possibly, but better than nothing.

But still, I cannot measure the advantages and disadvantages, in older or newer macs.
 
Comment

mj_

macrumors 65816
May 18, 2017
1,132
718
Austin, TX
The biggest advantage of FileVault in your specific case would be that you wouldn't have to mess around with encrypted disk images. Your entire drive would be encrypted, including your browser history, your local cache, thumbnails, etc. Everything. It would be much more secure and, most importantly, much more painless and smoother than having to deal with encrypted disk images.
 
Comment

cool11

macrumors 68000
Sep 3, 2006
1,529
140
In a practical way, how Filevault works?
I mean, not much in technical way, but in the daily basis of a user interaction.
Besides the check in the 'security' panel, what else I should do?
And practically, what I gain? If my mbp is stolen, or suddenly should be sent to a repair service, are my data secure and encrypted? More than dealing with encrypted dmg?
Or it is something rather equivalent in terms of real security of data?
 
Comment

hobowankenobi

macrumors 68000
Aug 27, 2015
1,611
560
on the land line mr. smith.
In a practical way, how Filevault works?
I mean, not much in technical way, but in the daily basis of a user interaction.
Besides the check in the 'security' panel, what else I should do?
And practically, what I gain? If my mbp is stolen, or suddenly should be sent to a repair service, are my data secure and encrypted? More than dealing with encrypted dmg?
Or it is something rather equivalent in terms of real security of data?
Yes. As the drive is encrypted, no data is available until and unless the PW is entered. So...if a machine is stolen, the only easy way access could be gained was if it was logged in and awake. Assuming one does not disable the auto log out on sleep (and lid close), a very unlikely scenario. Even if one could somehow steal a machine while logged in and awake, they would have to be very careful not to let the machine sleep, and they could not easily access or change the PW.

As mentioned, as it is always on, nothing for the user to do. All data and info is safe, 100% of the time.

The only downside I could see is that if a machine was somehow hacked while the user was logged in, data could possibly be seen or copied, assuming the hacker has full access to the open, logged in Mac. Odds of this, compared to be stolen is very, very slight, considering there have been almost zero hacks of Macs that allow remote admin access. And generally speaking, security improves every year, as OS and security features mature. Just in the last 2-3 OS updates we have seen substantial Mac security increases, so the odds of a remote attacker taking control continue to drop, while physical theft is as risky as ever.

And yes, if a machine is sent for repair, and the admin/decrypt PW is given, your data is available to snoopers. One easy way to make it harder is simply creating a second admin account, with a different PW, so no tech can easily log in to your primary account. That would deny any snooping, and one could only access your data with some fairly serious work to change permissions. More than a snooper would do...only a serious hack/theft would attempt.
 
Last edited:
  • Like
Reactions: cool11
Comment

cool11

macrumors 68000
Sep 3, 2006
1,529
140
Filevault password, is the same with log-in password?

Does apple requires such password to be given, when users sent their machines to official apple repair centers?
 
Comment

hobowankenobi

macrumors 68000
Aug 27, 2015
1,611
560
on the land line mr. smith.
Filevault password, is the same with log-in password?

Does apple requires such password to be given, when users sent their machines to official apple repair centers?
Yes, same PW. Nothing else to do or remember.

Only users enabled can decrypt the drive and log in. So yes, if a tech needs to log in, you would have to give a PW. It could be a different account, if it was enabled.
 
  • Like
Reactions: cool11
Comment

jaclu

macrumors newbie
Jan 12, 2021
3
0
With the newer machines, you can’t tell that FV is on. It is that seamless. I highly recommend turning it on.
Not entirely sure what you are meaning in the first sentence. In the sense that you don't notice any performance loss I agree. However, you can tell if FV is on, just do a

diskutil apfs list

And for each Volume it's FileVault status is listed
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.