I have been a staunch opponent of Filevault for most users under most conditions since its inception. Filevault 1 was a total POS and cost more users stability and speed than I care to remember.
Filevault 2 has been overall more stable in my experience but still, maybe because it was done in software, which would always have a performance hit, I sneezed at it, again, for most users.
Now I have a 2019 MacBook Pro with this snazzy T2 (it sucked in 2018, sorry to the Bridge OS crash sufferers but this one seems to be acting like a model citizen) and according to this doc:
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
...is now doing many cooler tricks than it used to.
I'm gonna add my commentary first:
I am now:
a) using Filevault encryption whether I like it or not
b) not susceptible to a performance penalty because it's done totally in hardware a la "line-speed"
c) a moron for not turning Filevault On which really only serves to brand the encrypted data with a custom password instead of the default option.
From the Introduction:
A dedicated AES hardware engine included in the T2 chip powers line-speed encrypted storage with FileVault. FileVault provides data-at-rest protection for Mac.
Reproduced from Page 5:
APFS encrypted storage
The Apple T2 Security Chip provides a dedicated AES crypto engine built into the DMA path between the flash storage and main system memory (see Figure 1), making internal volume encryption using FileVault with AES-XTS highly efficient.
Internal volume encryption and FileVault
In Mac OS X 10.3 or later, Mac computers provide FileVault, built-in encryption capability to secure all data at rest. FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices.
On Mac computers with the Apple T2 Security Chip, internal volume encryption leverages the hardware security capabilities of the chip. After a user enables FileVault on a Mac, their credentials are required during the boot process.
....
If FileVault isn’t enabled on a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted, but the volume key is protected only by the hardware UID in the Secure Enclave. If FileVault is enabled later—a process that is immediate since the data was already encrypted—an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
---
Again. This is great. Am I missing anything?
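As an added illustration of the quoted paragraph (constructed toy model, not Apple's code or the real Secure Enclave implementation): the volume key never changes, only its wrapping does, which is why enabling FileVault is immediate and why the old UID-only wrapped copy has to be refused afterwards. It assumes a simple HMAC/XOR key wrap and a generation counter standing in for the anti-replay mechanism.

```python
import hashlib
import hmac
import secrets
from typing import Optional

HW_UID = secrets.token_bytes(32)      # stands in for the chip's fused UID (constructed)
VOLUME_KEY = secrets.token_bytes(32)  # the AES-XTS volume key; unchanged when FileVault is turned on


class ToyEnclave:
    # Models only two things: the UID never leaves the chip, and a generation
    # counter plays the role of the anti-replay mechanism (assumption, not Apple's design).
    def __init__(self, uid: bytes) -> None:
        self._uid = uid
        self.generation = 0  # bumped when the wrapping policy changes (FileVault on)

    def _kek(self, password: Optional[str]) -> bytes:
        # UID-only KEK while FileVault is off; UID + password-derived key once it is on
        material = self._uid + self.generation.to_bytes(4, "big")
        if password is not None:
            material += hashlib.pbkdf2_hmac("sha256", password.encode(), self._uid, 100_000)
        return hmac.new(material, b"volume-kek", hashlib.sha256).digest()

    def wrap(self, password: Optional[str]) -> bytes:
        # toy wrap: XOR with a KEK-derived keystream plus an HMAC tag (real systems use AES key wrap)
        kek = self._kek(password)
        ct = bytes(a ^ b for a, b in zip(VOLUME_KEY, hashlib.sha256(kek).digest()))
        return ct + hmac.new(kek, ct, hashlib.sha256).digest()

    def unwrap(self, blob: bytes, password: Optional[str]) -> Optional[bytes]:
        kek = self._kek(password)
        ct, tag = blob[:32], blob[32:]
        if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
            return None  # wrong password, or a stale pre-enable blob: replay rejected
        return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(kek).digest()))

    def enable_filevault(self, password: str) -> bytes:
        # "Immediate": nothing on disk is re-encrypted; only the wrapping of VOLUME_KEY changes
        self.generation += 1
        return self.wrap(password)


def demo() -> dict:
    se = ToyEnclave(HW_UID)
    uid_only_blob = se.wrap(None)                       # Setup Assistant with FileVault left off
    before = se.unwrap(uid_only_blob, None) == VOLUME_KEY
    fv_blob = se.enable_filevault("hunter2")            # user turns FileVault on later
    return {
        "uid_only_unlocked_before_enable": before,
        "stale_blob_replay_rejected": se.unwrap(uid_only_blob, None) is None,
        "password_unlocks": se.unwrap(fv_blob, "hunter2") == VOLUME_KEY,
        "wrong_password_rejected": se.unwrap(fv_blob, "wrong") is None,
    }
```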