T2 Mac Owners - to FileVault or Not To Filevault?

[RumorConsumer]

I have been a staunch opponent of Filevault for most users under most conditions since its inception. Filevault 1 was a total POS and cost more users stability and speed than I care to remember.

Filevault 2 has been over all more stable in my experience but still, maybe because it was done in software which would always have a performance hit I sneezed at it, again, for most users.

Now I have a 2019 MacBook Pro with this snazzy T2 (it sucked in 2018, sorry to the Bridge OS crash sufferers but this one seems to be acting like a model citizen) and according to this doc:

https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

...is now doing many cooler tricks than it used to.

Im gonna add my commentary first:

I am now:

a) using Filevault encryption whether I like it or not
b) not susceptible to a performance penalty because its done totally in hardware a la "line-speed"
c) a moron for not turning Filevault On which really only serves to brand the encrypted data with a custom password instead of the default option.


From the Introduction:

A dedicated AES hardware engine included in the T2 chip powers line-speed encrypted storage with FileVault. FileVault provides data-at-rest protection 
for Mac.

Reproduced from Page 5:

APFS encrypted storage

The Apple T2 Security Chip provides a dedicated AES crypto engine built into the DMA path between the flash storage and main system memory (see Figure 1), making internal volume encryption using FileVault with AES-XTS highly efficient.


Internal volume encryption and FileVault

In Mac OS X 10.3 or later, Mac computers provide FileVault, built-in encryption capability to secure all data at rest. FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices.

On Mac computers with the Apple T2 Security Chip, internal volume encryption leverages the hardware security capabilities of the chip. After a user enables FileVault on a Mac, their credentials are required during the boot process.

....

If FileVault isn’t enabled on a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted, but the volume key is protected only by the hardware UID in the Secure Enclave. If FileVault is enabled later—a process that is immediate since the data was already encrypted—an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.

---

Again. This is great. Am I missing anything?

 

[leman]

No, you are not missing anything. Your data is encrypted in any case and enabling FireVault simply means that you can provide your own password.

Anyway, the FireVault performance penalty has been zero for all practical intends and purposes for as long as I can remember. You might have see a hit in some benchmarks that describe completely unrealistic conditions, but thats about it.

 

[LogicalApex]

I have a 2018 that hasn't had any BridgeOS issues and I have File Vault on. It allows you to ensure your data is fully encrypted and only accessible by you. Without it, your data can be decrypted and ready by the same board by anyone who has access.

The line speed encryption of the T2 chip on the MacBook SSD is in line with industry norms. Apple can push it further in some areas due to having more control over the entire device, but all modern SSDs do encryption by default. This helps to ensure their wear algorithms are working smoothly (since they are writing encrypted chunks instead of raw data it is far easier to bunch data together and treat it all as "random"). It also helps to reduce wear on SSDs since you can't really "erase" an SSD (especially when you factor in wear leveling algorithms that may prevent you from writing to every memory cell). So "erasing" a modern SSD is really just deleting the stored encryption key and generating a new one.

AES encryption is so well optimized in hardware now that there is zero performance penalties and hasn't been one for a long time.

 

[RumorConsumer]

I have a 2018 that hasn't had any BridgeOS issues and I have File Vault on. It allows you to ensure your data is fully encrypted and only accessible by you. Without it, your data can be decrypted and ready by the same board by anyone who has access.

The line speed encryption of the T2 chip on the MacBook SSD is in line with industry norms. Apple can push it further in some areas due to having more control over the entire device, but all modern SSDs do encryption by default. This helps to ensure their wear algorithms are working smoothly (since they are writing encrypted chunks instead of raw data it is far easier to bunch data together and treat it all as "random"). It also helps to reduce wear on SSDs since you can't really "erase" an SSD (especially when you factor in wear leveling algorithms that may prevent you from writing to every memory cell). So "erasing" a modern SSD is really just deleting the stored encryption key and generating a new one.

AES encryption is so well optimized in hardware now that there is zero performance penalties and hasn't been one for a long time.

Im learning something new every day. Did not know it was well optimized. Its funny, I once heard somebody describe Apple's failings with Siri in terms of how when a feature first debuts if it bites the user they will swear it off and even when the dev fixes it it won't matter because people won't go back to something that bit them when they needed it. I think thats probably what happened w me and Filevault.

 

[Howard2k]

I run it on my 2015 and have not noticed any performance degradation. I wouldn’t hesitate. It’s great these days.

 

[RumorConsumer]

Does this add another layer of protection around deleted files? SSDs are already pretty foolproof in terms of being hard to recover data from that was deliberately deleted.