Encryption with Mac OS

Joined
Sep 23, 2006
Messages
1,263
Location
Pennsylvania
Maybe someone can explain in simple language what the situation is with encryption on a Mac. My understanding is that with the T2 chip recent Macs are by default encrypted. I believe that means that no one who gets hold of your computer or its drive can read what's on it without knowing your password. If that's the case, then what is the need for File Vault?
 
Joined
May 3, 2007
Messages
7,220
Location
Colorado Springs, Colorado
Real Name
Doug
The on-board SSD is encrypted but if someone steals your computer that may provide little or no security. If you want to require a password to access the encrypted volume you need to use File Vault.
 
Joined
Sep 23, 2006
Messages
1,263
Location
Pennsylvania
Sorry, but that seems to be what's confusing me. If the SSD is encrypted, why would that provide little or no security? Also, with the default encryption, wouldn't someone need your OS password to access the volume? Is it just that File Vault adds an additional required password?
 
Joined
May 3, 2007
Messages
7,220
Location
Colorado Springs, Colorado
Real Name
Doug
Sorry, but that seems to be what's confusing me. If the SSD is encrypted, why would that provide little or no security? Also, with the default encryption, wouldn't someone need your OS password to access the volume? Is it just that File Vault adds an additional required password?
How strong is your OS password? As long as the bad guys don't have your computer you are probably really safe. But if they have the hardware.... depends on the bad guys and their tools and knowledge. FWIW, I don't use File Vault to password protect my boot volume.
 
Joined
Jan 13, 2006
Messages
8,119
Location
Columbia, Maryland
Real Name
Walter Rowe
This article on Apple’s website helps explain things.

https://support.apple.com/en-us/HT208344

Yes, the SSD is encrypted by default. The key to “unlock” (decrypt) the disk is stored in the T2 chip. By default, no password is required to access the key stored in the T2 chip. When the machine is turned on, the boot process reads the key required to decrypt the disk from the T2 chip, and uses it to “unlock” the disk and boot. Requiring a password to log into the computer helps, but clever thieves have ways of cracking the password.

Enabling FileVault creates a wrapper around the key stored in the T2 chip. With FileVault enabled, you cannot boot the system until you enter the correct password to unlock and access the key in the T2 chip that is needed to “unlock” (decrypt) the disk. If the correct FileVault password is entered, the firmware is able to access the key in the T2 chip, use the T2 key to “unlock” the boot disk, and then boot the system. If the wrong FileVault password is entered too many times, the key in the T2 chip used to “unlock” the disk is tossed, preventing the data from ever being recovered. There is a preference to enable or disable this erase feature. It is disabled by default.

Even if someone removes the disk from the computer, they will never get your data. They won’t have the T2 chip that has the key required to decrypt the disk. The best they can do is erase the disk.

iOS and iPadOS devices work similarly.

Hope this helps.
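As an added illustration of the key hierarchy Walter describes (this is a constructed toy model written for this thread, not Apple's design or code), the disk's volume key lives in an enclave; without FileVault the enclave hands it out to whoever powers the machine on, with FileVault it only hands it out for the right password, and an optional attempt limit erases the key. PBKDF2 and XOR-wrapping stand in for the Secure Enclave's real key derivation, which is an assumption for illustration only.

```python
import os
import hmac
import hashlib


class EnclaveModel:
    """Toy model of the T2's key storage (constructed for illustration)."""

    ERASE_AFTER = 10  # wrong-password limit; the erase feature is optional on a real Mac

    def __init__(self, filevault_password=None):
        self.volume_key = os.urandom(32)  # the key that actually encrypts the SSD
        self.failed_attempts = 0
        self.erased = False
        self.wrapped = None
        if filevault_password is not None:
            # FileVault: wrap the volume key under a password-derived key, then
            # discard the plaintext copy so only the password can bring it back.
            self.salt = os.urandom(16)
            kek = self._kek(filevault_password)
            self.wrapped = bytes(a ^ b for a, b in zip(self.volume_key, kek[:32]))
            self.tag = hmac.new(kek[32:], self.wrapped, hashlib.sha256).digest()
            self.volume_key = None

    def _kek(self, password):
        # Slow password hash: first 32 bytes wrap the key, last 32 bytes authenticate it.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, dklen=64)

    def unlock(self, password=None):
        """Return the volume key the firmware needs to boot, or None if unavailable."""
        if self.erased:
            return None
        if self.wrapped is None:  # no FileVault: key released with no password at all
            return self.volume_key
        if password is None:
            return None
        kek = self._kek(password)
        expected = hmac.new(kek[32:], self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failed_attempts += 1
            if self.failed_attempts >= self.ERASE_AFTER:
                self.erased = True  # key tossed; the SSD contents are now unrecoverable
                self.wrapped = None
            return None
        self.failed_attempts = 0
        return bytes(a ^ b for a, b in zip(self.wrapped, kek[:32]))
```

A drive pulled out of the machine is only the ciphertext; without this enclave object, neither path yields the volume key.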
 
Joined
Sep 23, 2006
Messages
1,263
Location
Pennsylvania
Thanks Doug and Walter, that clears up a lot. So File Vault adds an additional layer of protection by requiring a password separate from your usual OS password (and presumably more complicated than a typical user password).

Just one question for Walter about your use of the word "boot." Do you mean boot from scratch as when powering up a machine or does the decryption also occur when logging into a machine that was sleeping?
 
Joined
Jan 13, 2006
Messages
8,119
Location
Columbia, Maryland
Real Name
Walter Rowe
Thanks Doug and Walter, that clears up a lot. So File Vault adds an additional layer of protection by requiring a password separate from your usual OS password (and presumably more complicated than a typical user password).

Just one question for Walter about your use of the word "boot." Do you mean boot from scratch as when powering up a machine or does the decryption also occur when logging into a machine that was sleeping?
Powering up.

The operating system disk itself is encrypted. It won’t even boot without that first decryption key stored in the T2. FileVault makes it that much harder to get the T2 key. The FileVault password is used in a pre-boot stage to unlock the operating system disk.

By the time you are prompted for a login password, the T2 key has already been used to unlock the operating system disk.
 