Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

T2 and Filevault

RumorConsumer

RumorConsumer

macrumors 68000
Original poster
Jun 16, 2016
1,664
1,189
A couple questions I am kicking around

1. At this point on the 2018 MBP, Filevault is done via hardware on the T2 which means no performance hit, is that everybody's understanding?
2. If you are wanting to prevent access to the machine, wouldn't a firmware password be enough to lock access provided nobody has your login password?

I want to secure my machine but I don't want to add an actual layer of encryption to my data if I don't have to. Thoughts?
 
CrashTestWalrus said:
The encryption is done already. There isn't an option to have the drive not encrypted now. Turning on FileVault just password protects the decryption key. Here is Apple's support article detailing that:

https://support.apple.com/en-us/HT208344
Click to expand...
Super helpful. So turn on Filevault if you want your Time Machine backups to demand a password to decrypt. But then, turning on Filevault in software on the Mac does or doesnt introduce a level of software encryption and might that jeopardize performance?
 
  • Like
Reactions: Naimfan
I am not even sure that turning on FileVault will have any kind of demand to your time machine backups. Basically what is going on is the SSDs on the MBP and iMac Pro (iMP?) are always encrypted. So if you removed them from the machine and tried to read them somewhere else it wouldn't work. Drive is encrypted and the decryption key is contained within the T2 chip. Without FileVault enabled the Mac will just decrypt your drive at boot with no user input by way of password required. If you turn FileVault on the decryption key isn't available to unlock the drives until a password is entered. Time Machine backups can still be encrypted or not, that toggle is available. Whether you encrypt them or not will determine if they are protected at rest on whatever device they reside on. At least that is my understanding based off the article and my use of the 2018 MBP so far.
 
  • Like
Reactions: NoBoMac and haruhiko
CrashTestWalrus said:
I am not even sure that turning on FileVault will have any kind of demand to your time machine backups. Basically what is going on is the SSDs on the MBP and iMac Pro (iMP?) are always encrypted. So if you removed them from the machine and tried to read them somewhere else it wouldn't work. Drive is encrypted and the decryption key is contained within the T2 chip. Without FileVault enabled the Mac will just decrypt your drive at boot with no user input by way of password required. If you turn FileVault on the decryption key isn't available to unlock the drives until a password is entered. Time Machine backups can still be encrypted or not, that toggle is available. Whether you encrypt them or not will determine if they are protected at rest on whatever device they reside on. At least that is my understanding based off the article and my use of the 2018 MBP so far.
Click to expand...
Got it - and you could also prevent a boot with a firmware password via the T2 (was always available but this time more robustly protected due to the key matching) without enabling software encryption. I think that will probably be my path.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back