rptoma

Original poster
Dec 24, 2021
If you were to manually erase the drive as APFS (Encrypted), then the encryption key would be required first in order to unlock the drive, and then the user password. But, this is not the case with factory fresh devices. Right? But in the case of a new MacBook, it is already APFS (Encrypted) and doesn’t require the encryption key.

Also, what is the key in that case?

How can I achieve the same effect (APFS Encrypted without asking the key before logging in)?
 
I think it's something like an initial key is embedded in the T2-Chip/Secure-Enclave at the time the laptop is manufactured. The point being that the SoC and SSD are paired and so the SSD can't be desoldered and then read by another machine. Though filesystems are probably a few levels of abstraction above that?

I remember seeing a long official PDF from Apple explaining their security measures so if someone can find that, the full situation is probably explained there.
 
> I remember seeing a long official PDF from Apple explaining their security measures so if someone can find that, the full situation is probably explained there.

But, what they said. Macs with T2 are like iPhones with disk encryption key stored/secured in T2 and changed with any wipe.

If I'm understanding what OP wants, turn on FileVault. Passcode to unlock T2 key which then unlocks the drive.
 