
Sarah Hamilton

macrumors regular
Original poster
Oct 19, 2021
My previous Intel MacBook Pro let me format my drive as APFS Encrypted, and set a disk password.

Then unlock it and install it. With my Mac mini it shipped with macOS Monterey so I’m upgrading. Then I want to do a fresh install.

It tried doing a fresh install of Big Sur, but when selecting the drive it kept displaying a message “you may not install to this volume as it has a disk password”. There was no way for me to enter this password and install, so I had to do APFS and install.

I want my drive to be encrypted

Any ideas guys?

Apple support were clueless
 
Apple Silicon Macs use something more sophisticated to protect the internal drive. TL;DR, it encrypts the drive automatically and it does much more than that. The APFS Data Volume is already encrypted since Big Sur, and is protected by a mechanism better than a disk password. The System Volume, however, is not encrypted, but it does not matter because it is meant to be read-only and will not contain any sensitive information.
 
How does that differ from FileVault?
My Data Volume is APFS (Encrypted) and either it is default or you are asked during installation (IIRC it is the latter).
 
FileVault is a complement to the integrated data protection of Apple Silicon (and T2). Your data volume is still encrypted even with FileVault turned off. Turning FileVault on will protect the key used to encrypt your volume by another "key encryption key" which requires your password to be unwrapped (hence the need to enter the password on boot up).

Below are from Apple's platform security guide.

[Attachments: Screen Shot 2021-12-08 at 16.56.13.png, Screen Shot 2021-12-08 at 16.56.22.png]
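The key hierarchy described in the post above, as an added example that is not part of the original thread and not Apple's implementation: a simplified model in which the volume key is always wrapped, and turning FileVault on only re-wraps it under a key encryption key that needs the password. `HARDWARE_KEY`, the toy HMAC-based wrap (Python's standard library has no AES key wrap) and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed stand-in for the per-device key that never leaves the chip.
HARDWARE_KEY = secrets.token_bytes(32)

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(kek, key):
    """Toy authenticated wrap of a 32-byte key (stand-in for AES key wrap)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _mac(kek, b"stream", nonce)))
    return nonce + ct + _mac(kek, b"tag", nonce + ct)

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag", nonce + ct)):
        raise ValueError("key encryption key does not match")
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"stream", nonce)))

def derive_kek(password, salt):
    """FileVault off (password None): hardware key only. On: password mixed in."""
    if password is None:
        return _mac(HARDWARE_KEY, b"kek", b"")
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return _mac(HARDWARE_KEY, b"kek", stretched)

def new_volume():
    """Data volume as shipped: encrypted, volume key wrapped without a password."""
    volume_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"salt": salt, "wrapped": wrap(derive_kek(None, salt), volume_key)}

def enable_filevault(vol, password):
    """Re-wrap the same volume key under a password-bound KEK."""
    volume_key = unwrap(derive_kek(None, vol["salt"]), vol["wrapped"])
    vol["wrapped"] = wrap(derive_kek(password, vol["salt"]), volume_key)

def unlock(vol, password=None):
    return unwrap(derive_kek(password, vol["salt"]), vol["wrapped"])

if __name__ == "__main__":
    vol = new_volume()
    before = unlock(vol)                    # FileVault off: no password needed
    enable_filevault(vol, "constructed-pw")
    print(unlock(vol, "constructed-pw") == before)   # volume key is unchanged
```

In this model the volume key never changes; only the blob that wraps it does, which is why the password becomes necessary at boot once FileVault is on.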
 
Thanks for the detailed explanation. I didn't know the details but I more or less expected it would work something like that, except the xART part I had not considered. Since it is not described I searched for an explanation:

But what I was really getting at with my reply, is that I don't see a difference between enabling FileVault during or after installation, instead of manually formatting as APFS (Encrypted) prior to installation, as OP wants to do.
 
You can't install macOS on an APFS encrypted partition nowadays. Last time I tried, it didn't work. The installer says it doesn't want it encrypted. So I formatted it to normal APFS. After installing, I just made sure that FileVault was turned on, on the first setup screen.
 
I have always used the same process detailed in the original post. On my 2017 Intel i7 iMac, I installed Big Sur on an encrypted APFS volume maybe 18 months ago. I just formatted to do a clean install of Ventura and had the same issue as above. I understand why this is the case, I just thought it was worth mentioning that the issue isn't limited to T2 and Apple Silicon devices.
 