
ZombiePhysicist

Original poster
So I just got my 16" and noticed it's formatted as a regular APFS drive. I know that it has "automatic" encryption with the T2, but some OCD part of me wishes it were formatted as APFS Encrypted.

Is it worth doing considering I'm going to put FileVault on anyway?

I don't know if this is a valid scenario, but if you could put the 16" in target disk mode, then I would think the on-the-fly encryption offered by the T2 would be essentially disabled for it to work in that mode. So it seems to me the system/non-FileVault parts might be accessible that way, and as such, it seems like I might want the APFS Encrypted format.

Then again, I may easily be misunderstanding things. What say you all, is it worth nuking the drive and formatting with APFS encrypted, and doing a clean install?
 
Without FileVault the drive is encrypted by a key stored in the Secure Enclave of the T2 chip. This prevents the drive from being read if it is extracted from your computer and moved to another machine (for brute-force attacks, for example), but as long as your machine is on, the drive is readable in the clear.
If you enable FileVault, an additional key is added to the encryption scheme, tied to your account password, which then requires both the machine key and your user password to unlock the drive.
You don't actually need to erase the disk: the encryption scheme is designed to allow for this, and since the data is already encrypted it will be instantaneous.

You can read more here:
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
 
But there is a difference between encrypting the entire drive as APFS Encrypted (and then turning on FileVault as well) and just using APFS (not encrypted), isn't there?
 
But there is a difference between encrypting the entire drive as APFS Encrypted (and then turning on FileVault as well) and just using APFS (not encrypted), isn't there?

On a T2-equipped machine, not really: the drive is always encrypted. The only thing that you're changing when enabling FileVault (or enabling encryption with diskutil) is setting an additional key.

Without FileVault you need the computer to decrypt the disk.
With FileVault you need the computer and the password to decrypt the disk.

This applies only to the internal SSD, external disks work as normal.
 
Yeah, but there is a 3rd thing.

We have the following:

(1) T2 on-the-fly hardware encryption on the drive.
(2) APFS Encrypted, which formats/encrypts the entire drive (no? it does this on other machines).
(3) FileVault. You could, I think, layer all 3.
 
My understanding is that ALL data on a T2 Mac, regardless of how the internal SSD is formatted, is stored encrypted and is decrypted by the T2 on the fly, as alfogator explained above.

So, if you encrypt the formatting you're doing extra work for no benefit. You would be encrypting encrypted data.
 
Yeah, but there is a 3rd thing.

We have the following:

(1) T2 on-the-fly hardware encryption on the drive.
(2) APFS Encrypted, which formats/encrypts the entire drive (no? it does this on other machines).
(3) FileVault. You could, I think, layer all 3.

FileVault uses APFS encryption; they are essentially the same thing.
On T2-equipped Macs, APFS uses T2 hardware acceleration to improve the speed of encryption, so again it is the same thing.

You should just enable FileVault and you will be all right.

The only difference with APFS encryption is how the key is handled.
With basic APFS encryption you supply a disk password, and that's required to unlock the disk. With FileVault the disk password is tied to user account passwords, so when the system boots it doesn't have to ask you for the disk password to unlock it, and you can have multiple users able to unlock the disk without them needing to share a single disk password.

If someone connected your computer in target disk mode without FileVault, the disk would be automatically unlocked using the key stored in the Secure Enclave of the T2 chip.
If you enable disk encryption and use target disk mode, you need to supply the disk password to unlock the disk.
If you enable FileVault and use target disk mode, you need to supply the password of a user of the computer to unlock the disk.
 
FileVault uses APFS encryption; they are essentially the same thing.
On T2-equipped Macs, APFS uses T2 hardware acceleration to improve the speed of encryption, so again it is the same thing.

You should just enable FileVault and you will be all right.

...

If someone connected your computer in target disk mode without FileVault, the disk would be automatically unlocked using the key stored in the Secure Enclave of the T2 chip.
If you enable disk encryption and use target disk mode, you need to supply the disk password to unlock the disk.
If you enable FileVault and use target disk mode, you need to supply the password of a user of the computer to unlock the disk.

Thank you, that's super helpful. Why do you think just FileVault is OK? From your 3 really helpful points at the end, if I understand them correctly...

If you mount my computer in target mode, the T2 will unlock the drive; FileVault user data will NOT be accessible, but the system data WOULD be accessible for someone to muck around with (assuming I didn't use APFS Encrypted). Maybe put in malicious code or whatever. However, if I had used APFS Encrypted, a malicious actor could not have tampered with the system data (without the password).

Is your point that since it's not my user data, you could always just reinstall the system if you had a concern that system code was tampered with, and it's just not worth the overhead?
 
Thank you, that's super helpful. Why do you think just FileVault is OK?
Layering encryption on top of encryption is pointless and counterproductive.
If you mount my computer in target mode, the T2 will unlock the drive; FileVault user data will NOT be accessible, but the system data WOULD be accessible for someone to muck around with (assuming I didn't use APFS Encrypted).
When attempting to boot a computer in target disk mode, you'll be asked for credentials. Without them, there is no target disk mode. Data remains safe.
 
When attempting to boot a computer in target disk mode, you'll be asked for credentials. Without them, there is no target disk mode. Data remains safe.

That password would be for the user data under FileVault. But the system volume is not protected by FileVault. So wouldn't it be accessible?
 
That password would be for the user data under FileVault. But the system volume is not protected by FileVault. So wouldn't it be accessible?
If FileVault is turned on, the computer will not boot to target disk mode until the volume is unlocked with credentials. Nothing at all will be visible, not even a file system. If FileVault is off, I'm not certain, but I think the volume is readable in target disk mode.

https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
 
Thank you, that's super helpful. Why do you think just FileVault is OK? From your 3 really helpful points at the end, if I understand them correctly...

If you mount my computer in target mode, the T2 will unlock the drive; FileVault user data will NOT be accessible, but the system data WOULD be accessible for someone to muck around with (assuming I didn't use APFS Encrypted). Maybe put in malicious code or whatever. However, if I had used APFS Encrypted, a malicious actor could not have tampered with the system data (without the password).

Is your point that since it's not my user data, you could always just reinstall the system if you had a concern that system code was tampered with, and it's just not worth the overhead?

You raise a very valid point and the answer is far from obvious.

In Catalina the System volume is read-only (additionally it's protected under SIP) and gets mounted at / during boot. This volume is not encrypted (as in APFS encrypted with a user key; as we saw, everything is encrypted by the T2 chip) but it can only be written by Apple installers.
The System - Data volume, which contains both user and system mutable data, is mapped on top of it by the use of firmlinks at boot time. This volume is the one that gets encrypted if you enable FileVault.

A malicious actor that wanted to tamper with the system would have to be able to either circumvent SIP and gain write access to the System image or unlock the System - Data volume by using a user password or recovery key.

While it's true that you might be able to mount the System volume as RW, you would still need to bypass SIP to compromise the machine. That would be a fairly sophisticated attack, and if your needs require defending against this level of threat you probably should seek guidance in a more proper venue :)
 
You raise a very valid point and the answer is far from obvious.

In Catalina the System volume is read-only (additionally it's protected under SIP) and gets mounted at / during boot. This volume is not encrypted (as in APFS encrypted with a user key; as we saw, everything is encrypted by the T2 chip) but it can only be written by Apple installers.
The System - Data volume, which contains both user and system mutable data, is mapped on top of it by the use of firmlinks at boot time. This volume is the one that gets encrypted if you enable FileVault.

A malicious actor that wanted to tamper with the system would have to be able to either circumvent SIP and gain write access to the System image or unlock the System - Data volume by using a user password or recovery key.

While it's true that you might be able to mount the System volume as RW, you would still need to bypass SIP to compromise the machine. That would be a fairly sophisticated attack, and if your needs require defending against this level of threat you probably should seek guidance in a more proper venue :)

Thanks, that's helpful. I guess I'm concerned with a lost laptop. I doubt this is easy, but if the system is exposed in some way, I wonder if that ultimately doesn't give them more hooks to get at the data. Maybe there are some keys that get cached somewhere or something.

Also, isn't the read/write permission enforced by the system? Meaning, if you boot on another system that doesn't honor read/write, wouldn't that give you access even to a SIP-protected volume? Most read/write permissions that are not hardware enforced, normally, are easily overcome when mounted on another system.
 
Thanks, that's helpful. I guess I'm concerned with a lost laptop. I doubt this is easy, but if the system is exposed in some way, I wonder if that ultimately doesn't give them more hooks to get at the data. Maybe there are some keys that get cached somewhere or something.

Also, isn't the read/write permission enforced by the system? Meaning, if you boot on another system that doesn't honor read/write, wouldn't that give you access even to a SIP-protected volume? Most read/write permissions that are not hardware enforced, normally, are easily overcome when mounted on another system.

Regarding the System image, even if it's mounted as writeable and modified, SIP would render that moot, as the contents of the image are checked against cryptographic signatures that only Apple can generate, so you would know if the OS image has been tampered with.

The user data and system configuration (including extensions, etc.) are in the FileVault partition, so they remain inaccessible. The keys are inside the Secure Enclave on the T2 chip, which is as safe as you can get nowadays.

Anyway, there's a simple fix, I believe, to your troubles: you can set the firmware password. This will require the firmware password at boot time if you try to boot from a different disk or start up in recovery or target disk mode. If you boot normally the firmware password is not required.

So in summary: FileVault on + firmware password on, and if your computer is lost/stolen it's basically inaccessible.
 
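As an added example (not code from this thread, and not an Apple tool), here is a small Python script that checks the posture the post above recommends: FileVault on, firmware password set, SIP enabled. It parses the text printed by `fdesetup status`, `firmwarepasswd -check` and `csrutil status`. The two sample outputs embedded in it are constructed to mirror the one-line wording those tools usually print; that wording is an assumption to confirm on your own Mac, and the live path only runs on macOS (the firmware password check additionally needs root).

```python
"""Posture check for the advice in this thread: FileVault on,
firmware password set, SIP enabled.  Parses the text that the macOS
tools `fdesetup status`, `firmwarepasswd -check` and `csrutil status`
print.  The SAMPLE_* outputs are constructed, not captured from a real
machine; the exact wording they assume should be verified locally."""
import re
import shutil
import subprocess

CHECKS = ("fdesetup status", "firmwarepasswd -check", "csrutil status")

# Constructed sample: a machine relying on the T2 key alone.
SAMPLE_WEAK = {
    "fdesetup status": "FileVault is Off.\n",
    "firmwarepasswd -check": "Password Enabled: No\n",
    "csrutil status": "System Integrity Protection status: enabled.\n",
}

# Constructed sample: the posture recommended in the thread.
SAMPLE_HARDENED = {
    "fdesetup status": "FileVault is On.\n",
    "firmwarepasswd -check": "Password Enabled: Yes\n",
    "csrutil status": "System Integrity Protection status: enabled.\n",
}


def filevault_on(text):
    """True when fdesetup reports FileVault as On (assumed wording)."""
    return re.search(r"\bFileVault is On\b", text) is not None


def firmware_password_set(text):
    """True when firmwarepasswd reports a password enabled (assumed wording)."""
    return re.search(r"Password Enabled:\s*Yes", text, re.IGNORECASE) is not None


def sip_enabled(text):
    """True when csrutil reports SIP enabled (assumed wording)."""
    return re.search(r"status:\s*enabled", text, re.IGNORECASE) is not None


def assess(outputs):
    """Turn the three tool outputs into findings that follow the thread's reasoning."""
    fv = filevault_on(outputs["fdesetup status"])
    fw = firmware_password_set(outputs["firmwarepasswd -check"])
    sip = sip_enabled(outputs["csrutil status"])
    findings = []
    if not fv:
        findings.append(
            "FileVault off: the T2 unlocks the internal SSD for any session on this "
            "machine, target disk mode included; no user password protects the data.")
    if not fw:
        findings.append(
            "No firmware password: recovery, target disk mode and booting from another "
            "disk are possible without a credential at the firmware stage.")
    if not sip:
        findings.append(
            "SIP disabled: the signed System volume is no longer verified, so "
            "tampering with it would not be caught.")
    return {
        "filevault": fv,
        "firmware_password": fw,
        "sip": sip,
        "findings": findings,
        "lost_device_posture_ok": fv and fw and sip,
    }


def collect_live():
    """Run the real tools on macOS; return None on any other platform.

    firmwarepasswd needs root, so run under sudo for that line to be
    meaningful; a non-zero exit is recorded as empty output (unconfirmed)."""
    if shutil.which("fdesetup") is None:
        return None
    outputs = {}
    for cmd in CHECKS:
        proc = subprocess.run(cmd.split(), capture_output=True, text=True)
        outputs[cmd] = proc.stdout if proc.returncode == 0 else ""
    return outputs


if __name__ == "__main__":
    live = collect_live()
    label = "live" if live else "constructed sample (weak)"
    result = assess(live or SAMPLE_WEAK)
    print(f"[{label}] lost-device posture ok: {result['lost_device_posture_ok']}")
    for line in result["findings"]:
        print(" -", line)
```

Run it as `sudo python3 posture.py` on the Mac in question; on any other OS it falls back to the constructed weak sample so you can see what a finding looks like. The checks are deliberately string matches on each tool's status line rather than exit codes, because `fdesetup` and `csrutil` report status in their output, not their return value.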
Regarding the System image, even if it's mounted as writeable and modified, SIP would render that moot, as the contents of the image are checked against cryptographic signatures that only Apple can generate, so you would know if the OS image has been tampered with.

The user data and system configuration (including extensions, etc.) are in the FileVault partition, so they remain inaccessible. The keys are inside the Secure Enclave on the T2 chip, which is as safe as you can get nowadays.

Anyway, there's a simple fix, I believe, to your troubles: you can set the firmware password. This will require the firmware password at boot time if you try to boot from a different disk or start up in recovery or target disk mode. If you boot normally the firmware password is not required.

So in summary: FileVault on + firmware password on, and if your computer is lost/stolen it's basically inaccessible.

Thanks. But do you need to supply the firmware password to put the machine into target mode?
 
This thread has gotten into the weeds. Let's recap the original questions:

Is it worth doing considering I'm going to put FileVault on anyway?
No.
I don't know if this is a valid scenario, but if you could put the 16" in target disk mode, then I would think the on-the-fly encryption offered by the T2 would be essentially disabled for it to work in that mode. So it seems to me the system/non-FileVault parts might be accessible that way, and as such, it seems like I might want the APFS Encrypted format.
No.
Then again, I may easily be misunderstanding things. What say you all, is it worth nuking the drive and formatting with APFS encrypted, and doing a clean install?
No.
 
What does this all mean for creating a bootable clone of the startup disk via SuperDuper? If I turn on the "wrong" way of encrypting, my clone won't be able to boot on another computer if my main computer dies?
 
Your bootable clone won't be encrypted unless you explicitly encrypt it after creation.
 
What does this all mean for creating a bootable clone of the startup disk via SuperDuper? If I turn on the "wrong" way of encrypting, my clone won't be able to boot on another computer if my main computer dies?

I'm not 100% sure about SuperDuper, I stopped using it years ago, so I'll tell you how it works with Carbon Copy Cloner:
You make your first clone unencrypted, then you boot your computer using the clone and then you enable FileVault. In this way macOS will set up encryption properly for your cloned disk.
When you reboot into your normal OS and use CCC to update the clone, it will ask you for your password to unlock the disk and update the copy. You can have it save the password in the keychain if you want, so you don't have to enter it the following times.
In this way you can have a bootable copy that is still encrypted.
 

So I just confirmed this. My machine is formatted as just APFS (not encrypted). It has FileVault turned on. I put it into target mode and plugged it into another machine. It requires your password for both the data and system volumes to mount.

Thanks all!
 