I want to do a fresh install of MacOS Monterey on a APFS Encrypted drive, how?

[Sarah Hamilton]

My previous intel MacBook Pro let me format my drive as APFS Encrypted, and set a disk password.

Then unlock it and install it. With my Mac mini it shipped with MacOS Monterey so I’m upgrading. Then I want to do a fresh install.

It tried doing a fresh install of bigsur but when selecting the drive it kept displaying a message “you may not install to this volume as it has a disk password”there was no way for me to enter this password and install so I had to do APFS and install

I want my drive to be encrypted

Any ideas guys?

Apple support were clueless

 

[Gnattu]

Apple Silicon Macs uses something more sophisticated to protect internal drive. TL;DR, it encrypts the drive automatically and it does much more than that. The APFS Data Volume is already encrypted since Big Sur, and is protected by the mechanism better than a disk password. The System Volume, however, is not encrypted, but it does not matter because it is meant to be read-only which will not contain any sensitive information.

 

[Significant1]

How does that differ from FileVault?

Protect data on your Mac with FileVault

Turn on FileVault to add an extra layer of security to the encrypted data on your Mac.

support.apple.com

My Data Volume is APFS (Encrypted) and either it is default or you are asked during installation (IIRC it is the latter).

 

[Gnattu]

How does that differ from FileVault?

Protect data on your Mac with FileVault

Turn on FileVault to add an extra layer of security to the encrypted data on your Mac.

support.apple.com

My Data Volume is APFS (Encrypted) and either it is default or you are asked during installation (IIRC it is the latter).

FileVault is a complement to the integrated data protection of Apple Silicon(and T2). Your data volume is still encrypted even with FileVault turned off. Turn FileVault on will protect the key used to encrypt your volume by another "key encryption key" which require your password to be unwrapped (hence the need to enter the password on boot up).

Below are from Apple's platform security guide.

 

[Significant1]

FileVault is a complement to the integrated data protection of Apple Silicon(and T2). Your data volume is still encrypted even with FileVault turned off. Turn FileVault on will protect the key used to encrypt your volume by another "key encryption key" which require your password to be unwrapped (hence the need to enter the password on boot up).

Below are from Apple's platform security guide.

View attachment 1924954

View attachment 1924955

Thanks for detailed explenation. I didn't know the details but I more or less expected it would work something like, except the xART part I had not considered. Since it is not descripted I searched for an explenation:

Explainer: xART and nonces

A strange volume named xART or xarts, secure memory management, and long random numbers: how they fit together to protect against replay attacks.

eclecticlight.co

But what I was really getting at with my replay, is that I don't see difference between enabling filevault during or after installation, instead of manually format as APFS (Encrypted) prior to installation, as OP wants to do.

 

[white7561]

You can't install macos on APFS encrypted partition nowadays. Last time I've tried it doesn't work. The installer says it doesn't want it encrypted. So I formatted it to normal APFS. after done installing I just made sure that the filevault is turned on , on the first setup screen

 

[dmg15]

I have always used the same process detailed in the original post. On my 2017 Intel i7 iMac, I installed Big Sir on an encrypted APFS volume maybe 18 months ago. I just formatted to do a clean install of Ventura and had the same issue as above. I understand why this is the case, I just thought it was worth mentioning that the issue isn't limited to T2 and Apple Silicon devices.