Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

RumorConsumer

macrumors 68000
Original poster
Jun 16, 2016
1,639
1,155
Hey there!
So my new Macbook Pro 2019 has a T2 chip in it which hardware binds my built in SSD to the chip. Cool.

I also have the option to turn on Filevault.

I know it does the algorithm in hardware. Has anybody benchmarked the difference between file vault on or off on these units? Would it mean I simply couldn't target disk mode the machine without entering the password?
 

Thysanoptera

macrumors 6502a
Jun 12, 2018
910
873
Pittsburgh, PA
FileVault on or off is exactly the same. The disk is always encrypted, enabling FileVault is nothing more than password requirement before decryption. With FileVault off the disk will be automatically decrypted on boot up.
 
  • Like
Reactions: chabig

RumorConsumer

macrumors 68000
Original poster
Jun 16, 2016
1,639
1,155
FileVault on or off is exactly the same. The disk is always encrypted, enabling FileVault is nothing more than password requirement before decryption. With FileVault off the disk will be automatically decrypted on boot up.
So turning on the toggle for Filevault in Security System Preferences doesn't at all raise the potential for corruption?
 

RumorConsumer

macrumors 68000
Original poster
Jun 16, 2016
1,639
1,155
Yes, you will have to type password before mounting.
Interesting. Yeah two layers wouldn't make sense I suppose. So if I turn it on it won't have to go through an encryption process? Would you have it on or off and why? Ive just always steered clear of it before now.
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,245
4,934
As @Thysanoptera said, APFS volumes are encrypted, whether or not Filevault is on. Filevault adds another layer of encryption: volume encryption key gets encrypted.

https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

If FileVault isn’t enabled on a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted, but the volume key is protected only by the hardware UID in the Secure Enclave. If FileVault is enabled later—a process that is immediate since the data was already encrypted—an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
 

jchap

macrumors 6502a
Sep 25, 2009
636
1,164
Although perhaps slightly unrelated to this thread, upon reading the documentation mentioned it’s interesting to note that the microphone on Macs with a T2 are hardware-disabled when the lid is closed.

All Mac notebooks with the Apple T2 Security Chip feature a hardware disconnect that ensures the microphone is disabled whenever the lid is closed. On 13-inch MacBook Pro and MacBook Air computers with the T2 chip, this disconnect is implemented in hardware alone, and prevents any software—even with root or kernel privileges in macOS, and even the software on the T2 chip—from engaging the microphone when the lid is closed.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.