Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.

Carrying the ignorance along that one would ever want to swap out an NVMe 8TB for bigger as a boot drive makes me wonder if you understand the concept behind such a machine.
 
Consumer version of this thing.
Build a Ryzen box and it will hang or be faster than the low end Mac Pro. Can be quiet too. Build a Threadripper system and it will run circles around the Mac Pro.

Take the thousands you save and invest or buy something else.
Carrying the ignorance along that one would ever want to swap out an NVMe 8TB for bigger as a boot drive makes me wonder if you understand the concept behind such a machine.

His son's Windows box probably has 1 or 2 NVMe slots on the motherboard for just that. And the flexibility of SATA which, while not fast, is quite serviceable for many needs.
 
You know, I was like you a while back. Always wanted the fastest Mac ever. However, now, my setup is just a MacBook Pro connected to an external display in clamshell mode. Much better and versatile than locking yourself into something like the iMac.
I tried that with a maxed out 15" 2012 retina MBP. Wasn't fast enough for work, couldn't play games, and I got sick of hearing the fans blast. Also I really want my portable to be 13" or smaller, and those are slower.

My '09 Mac Pro is still serving me well, and I wish there were a consumer-grade version of the new one to replace it when it eventually fades into obsoleteness. I don't get why the Mac Pro has to be aimed specifically at creative pros with things like workstation GPUs and video accelerators.
The Mac Pro has eight PCIe expansion slots
Wow, nice. I'm glad they've ditched the 2013 design in every way.
Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.
That PC doesn't handle disk encryption as well.
 
I'm trying to wrap my mind around the fact that my 2011 Macbook Air has the same amount of base storage as this thing.

I similarly added an extra SSD with some kind of adapter I bought off Amazon for twenty bucks.

But hey, Apple's shares hit $300 and we're almost in a shiny new war so everything's fine
 
That PC doesn't handle disk encryption as well.

Windows has BitLocker and of course Linux systems have LUKS, which is much more secure than Apple's T2 system, which is partly relying on obscurity for its security.

BitLocker is like Apple's T2 system, which is partly relying on obscurity for its security. So if you are on Windows you are better off with VeraCrypt. It can encrypt your boot drive, and it is open source and has been audited by 3rd party organizations.
 
I guess Apple will never ever give us the same flexibility as a Windows PC.
Which, as you say, runs Windows. Personally I’d much rather deal with Apple’s design “constraints” than deal with Windows.
I completely agree with you about the iMac.
I have never liked the iMac as a concept, it is the worst of a laptop — un-upgradable and inflexible — and the worst of a desktop — not portable. A laptop with a large external display is a much better solution overall, you have a portable laptop and when the laptop becomes dated, you still have a display that can be used with another system.
Looking beyond your own use case, most people aren’t interested in carrying around a laptop. They have phones for mobile basics and a computer at home.

Also, you seem to be suggesting that upgrading a dated MacBook & keeping the monitor is a smarter deal than upgrading a dated iMac. Have you compared the specs of a basic MacBook Air and a basic iMac which both cost $1100? And that’s without factoring in the cost of your monitor. If you really want the portability of a laptop, get one. But don’t think that your paradigm is a better value for the computer you get.
 
Could have been so easy if Apple just decided to add standard M2 slots for standard NVMe SSDs.
My Linux workstation has 4 of them and it is awesome fast compared to the soldered T2 disaster of my 2018 Macbook Pro (1TB Apple compared to 1TB 970 Samsung Evo Pro).
 
Thank you for the replies. Even after reading, I still do not understand the benefit of locking the drive to a computer. Is file vault encryption not good enough?
Having a T2 chip is not actually much more secure compared to, let's say, Linux LUKS disk encryption. This is because the T2 chip partly relies on obscurity for its security. Meaning we really do not know how things are being done inside the T2 chip. Who knows, there may be a backdoor, or since it can't be audited by a 3rd party we can't really say that the system is to be trusted, because in terms of security the first thing to take into consideration is TRUST and trust means transparency.

One argument for having a T2 chip is so that key management is not done by the OS or CPU, which might be compromised already. But my take on that argument is that, if the OS or CPU is already compromised, then the T2 chip cannot protect your data because it will happily decrypt the data and serve it to the OS. I don't think it has the facility to detect if the OS is compromised. I don't think disk encryption was designed to protect your data while the machine is on; I think its core design is protecting data at rest.

Another feature of T2 is that it always encrypts your data on the SSD whether FileVault is On or Off. Turning FileVault ON merely means requiring you to provide a password before the T2 chip starts decrypting the drive. This means that the master key for decrypting the drive is stored inside the T2 chip and is not protected by your own password. This means anyone who can gain access to the T2 chip will be able to decrypt the drive. I think that's where the obscurity part is involved. Since no one except Apple knows how the T2 chip is managing the keys inside, we are just hoping no one will be able to hack or defeat the whole system. But of course Apple technicians can always access the T2 chip and probably can decrypt your drive for you. And that's a problem since you really don't have total control over the security of your data. It is different from, let's say, Linux LUKS disk encryption, in which it will create a master key for encryption/decryption and encrypt this master key using your password or passphrase. This way no one will be able to decrypt your data without your password. Of course they can always torture or intimidate you so that you will give them your password :)

So to the question, do you really need to lock the drive to the T2 chip to provide better security. I don't think so.

I wish they could have just implemented it in a way that every time you plug in a different SSD the T2 chip will format the drive and generate a key for that drive and start encryption/decryption on the fly. This way you can swap your drive without the need to visit Apple, which holds the key to your SSD. Sadly you do not hold the key to your data :(

And also, if the T2 chip dies then there is no way to recover your data without recovering first the key. But fortunately T2 chip is robust enough that they don't just die on their own.
 
Thank you for the replies. Even after reading, I still do not understand the benefit of locking the drive to a computer. Is file vault encryption not good enough?

FileVault implemented in the kernel can’t completely protect the encryption keys. It’s difficult, but wouldn’t be impossible to extract the keys from RAM if you take control of the kernel. And it requires overhead on all reads and writes on the CPU, as well as duplicating the encryption standard SSDs also perform (that mostly just means you can’t read the raw NAND if someone smashes the SSD controller). As SSD performance increases, this overhead becomes more noticeable.

The T2 takes the load of FileVault away from the CPU, which improves performance, and avoids the double encryption overhead of FileVault on standard SSDs. But the big security win is that the keys when FileVault is enabled shouldn’t ever wind up in RAM, or ever leave the T2 chip. Making it even harder to extract the keys. On top of that, instead of “merely” generating an AES key from a password, which means you can brute force the password of a regular FileVault partition, the final AES key is a unique AES key from the T2, entangled with the password you provide.

Overall, it provides protection against brute forcing against weak FileVault passwords, and makes it so that an attacker can own the kernel and still have the encryption keys kept out of reach.

The cost is that the encryption keys can’t be re-generated on boot/login without that EXACT T2 chip or some very expensive AES brute forcing. But that’s partly the point.

BitLocker works in a similar way, where the TPM is used to house the encryption keys. The difference is that you can generate a recovery key which is a sort of special encryption key that can be used to bypass the TPM and read the drive in situations where you forget your password or the TPM fails.
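
The difference argued over in the posts above (a volume key wrapped under a password alone, versus under a password entangled with a secret held in the chip, plus a recovery slot of the kind mentioned for BitLocker), as an added example that is not part of any poster's message and not Apple's or Microsoft's implementation. The toy XOR/HMAC key wrap, the iteration count, the sample passwords and the names `hw_uid` and `demo` are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed value, kept low so the demo runs quickly

def password_kek(password: str, salt: bytes) -> bytes:
    """Software-only scheme: the key-encryption key depends on the password alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def entangled_kek(password: str, salt: bytes, hw_uid: bytes) -> bytes:
    """Hardware scheme: the password key is mixed with a secret held in the chip."""
    return hmac.new(hw_uid, password_kek(password, salt), hashlib.sha256).digest()

def wrap(kek: bytes, volume_key: bytes) -> bytes:
    """Toy key wrap (stand-in for AES key wrap): XOR pad plus integrity tag."""
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, pad))
    return ct + hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes):
    """Return the 32-byte volume key, or None when the KEK is wrong."""
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def offline_guess(blob, candidates, derive):
    """Model of a party holding only the drive: test passwords against the header."""
    for pw in candidates:
        if unwrap(derive(pw), blob) is not None:
            return pw
    return None

def demo():
    salt, volume_key = os.urandom(16), os.urandom(32)
    hw_uid = os.urandom(32)        # never leaves the chip in the hardware scheme
    recovery_key = os.urandom(32)  # generated once and kept by the owner
    weak, guesses = "summer2020", ["password", "letmein", "summer2020"]

    sw_slot = wrap(password_kek(weak, salt), volume_key)
    hw_slot = wrap(entangled_kek(weak, salt, hw_uid), volume_key)
    rec_slot = wrap(recovery_key, volume_key)
    no_chip = lambda p: entangled_kek(p, salt, os.urandom(32))  # hw_uid unknown

    return {
        # drive alone, software scheme: the weak password is found by guessing
        "software_offline": offline_guess(sw_slot, guesses, lambda p: password_kek(p, salt)),
        # drive alone, hardware scheme: even the right password does not unwrap
        "hardware_offline": offline_guess(hw_slot, guesses, no_chip),
        # drive in its original machine: the owner's password unlocks
        "hardware_on_device": unwrap(entangled_kek(weak, salt, hw_uid), hw_slot) == volume_key,
        # chip lost: only a separately stored recovery slot still opens the volume
        "recovery_without_chip": unwrap(recovery_key, rec_slot) == volume_key,
    }
```
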
 
Having a T2 chip is not actually much more secure compared to, let's say, Linux LUKS disk encryption. This is because the T2 chip partly relies on obscurity for its security. Meaning we really do not know how things are being done inside the T2 chip. Who knows, there may be a backdoor, or since it can't be audited by a 3rd party we can't really say that the system is to be trusted, because in terms of security the first thing to take into consideration is TRUST and trust means transparency.

One argument for having a T2 chip is so that key management is not done by the OS or CPU, which might be compromised already. But my take on that argument is that, if the OS or CPU is already compromised, then the T2 chip cannot protect your data because it will happily decrypt the data and serve it to the OS. I don't think it has the facility to detect if the OS is compromised. I don't think disk encryption was designed to protect your data while the machine is on; I think its core design is protecting data at rest.

Another feature of T2 is that it always encrypts your data on the SSD whether FileVault is On or Off. Turning FileVault ON merely means requiring you to provide a password before the T2 chip starts decrypting the drive. This means that the master key for decrypting the drive is stored inside the T2 chip and is not protected by your own password. This means anyone who can gain access to the T2 chip will be able to decrypt the drive. I think that's where the obscurity part is involved. Since no one except Apple knows how the T2 chip is managing the keys inside, we are just hoping no one will be able to hack or defeat the whole system. But of course Apple technicians can always access the T2 chip and probably can decrypt your drive for you. And that's a problem since you really don't have total control over the security of your data. It is different from, let's say, Linux LUKS disk encryption, in which it will create a master key for encryption/decryption and encrypt this master key using your password or passphrase. This way no one will be able to decrypt your data without your password. Of course they can always torture or intimidate you so that you will give them your password :)

So to the question, do you really need to lock the drive to the T2 chip to provide better security. I don't think so.

I wish they could have just implemented it in a way that every time you plug in a different SSD the T2 chip will format the drive and generate a key for that drive and start encryption/decryption on the fly. This way you can swap your drive without the need to visit Apple, which holds the key to your SSD. Sadly you do not hold the key to your data :(

And also, if the T2 chip dies then there is no way to recover your data without recovering first the key. But fortunately T2 chip is robust enough that they don't just die on their own.

You might want to read this to gain a better understanding.
 
Speaking of T2, the bummer for me is that T2-equipped Macs, including this Mac Pro (maybe), require DFU mode to restore the iBridge device within them when an update installation goes wrong.
 
Windows has BitLocker and of course Linux systems have LUKS, which is much more secure than Apple's T2 system, which is partly relying on obscurity for its security.

BitLocker is like Apple's T2 system, which is partly relying on obscurity for its security. So if you are on Windows you are better off with VeraCrypt. It can encrypt your boot drive, and it is open source and has been audited by 3rd party organizations.
T2 is not less secure. It's a layer of security through obscurity atop what the others would provide, so at worst it's the same. It's also a hardware accelerator, not only for the encryption but also other seemingly unrelated video stuff.

Also, the best part is it works by default. I'm not up for messing around with third-party disk encryption in Windows, and the performance hit will be nontrivial.
Thank you for the replies. Even after reading, I still do not understand the benefit of locking the drive to a computer. Is file vault encryption not good enough?
It's only as strong as your password, so it helps reduce how quickly attackers can guess.
 
Looking beyond your own use case, most people aren’t interested in carrying around a laptop. They have phones for mobile basics and a computer at home.

Also, you seem to be suggesting that upgrading a dated MacBook & keeping the monitor is a smarter deal than upgrading a dated iMac. Have you compared the specs of a basic MacBook Air and a basic iMac which both cost $1100? And that’s without factoring in the cost of your monitor. If you really want the portability of a laptop, get one. But don’t think that your paradigm is a better value for the computer you get.
Yes, everyone's case is different. Many people need a laptop, not just a phone. My suggestion is that if you need (or would find useful) a laptop, you may be better off buying a slightly higher spec laptop and extra display than an iMac.

I am someone who uses a desktop extensively; for me a desktop is a smart decision. Personally the iMac isn't a computer I would consider. I don't like the all-in-one design, as I said, and for extended use I find the iMac's glossy glass screen unacceptable, far too much glare and eye strain. My main desktop is a Windows 10 system that I can upgrade over time. The Mac Pro is way outside my price range. In terms of value for the computer, for me my Windows 10 system is better than any Mac Apple makes.
 
You might want to read this to gain a better understanding.
Done.

Don't get me wrong, the T2 enclave is a great technology, especially managing keys by itself to avoid doing that in RAM or in the CPU, which might be compromised, but still I can't find any good reason why you can't just plug in a new drive and let the T2 create a volume key for this new drive using whatever key generation it can deploy.

Aside from security through obscurity, I don't like the idea that I, being the owner of the data, don't have access to the volume key but Apple has. That is a big no in digital security. But the big problem really is security through obscurity.
 
Having to use a PCI card to add another SSD, and not being able to just swap out the boot SSD, is very disappointing for a “modular” computer. My son’s gaming PC we built for $900 has interfaces on the ribbon cable and mount screws built into the side of the $80 case - just pop it in and plug in the cable.

I guess Apple will never ever give us the same flexibility as a Windows PC.

Oh FFS!
 
I don't get all you who act as if the T2 is such an important security feature that we should be grateful to have.

Some of you act as if the biggest problem up until now was that there was a huge rash of incidents where desktop computers were being stolen and the countless villains have been harnessing information from people that way.

You're all like a bunch of nervous suburban housewives worrying about the boogeyman child molester because you heard a story about an incident in Nebraska and how you're afraid to let your kids out to play in your upscale neighborhood.

The fact is, the odds of you getting your desktop computer stolen, then hacked by a person who wants your 'valuable' info is likely WAY less than the odds of you getting in a plane crash in your lifetime.

Furthermore, FileVault encryption will deter probably more than 99% of anyone in the incredibly unlikely event your desktop would get stolen, and for those who are that friggin' nervous all the time, maybe Apple could offer the T2 as an option for those nervous nellies.
 
Larger-capacity SSDs have better performance (more cells to work with). So the 512GB SSD in the MBP has better performance than the 256GB SSD in the MP.
Thanks, so the 1TB optional MacBook Pro SSD and the 1TB optional Mac Pro SSD are the same speed? Or even faster for the Mac Pro?
 
I'm trying to wrap my mind around the fact that my 2011 Macbook Air has the same amount of base storage as this thing.

I similarly added an extra SSD with some kind of adapter I bought off Amazon for twenty bucks.

But hey, Apple's shares hit $300 and we're almost in a shiny new war so everything's fine

Because the internal storage will only contain the OS and a few apps. Very few people will add internal storage to their Mac Pro.
 
Thanks, so the 1TB optional MacBook Pro SSD and the 1TB optional Mac Pro SSD are the same speed? Or even faster for the Mac Pro?
As far as I know it is exactly the same. But since the MacBook Pro always had cooling problems and cooling is very important for SSDs one may experience slightly better SSD performance in the MacPro.
 
So that you will not replace it yourself :)
Oh, that makes so much sense, thank you. I was wondering why you could just add a drive (as in this article) or get a Thunderbolt 3 external drive with just as much speed. Now it makes so much sense.
 