Full Disk Encryption

  1. If I enable FileVault from System Preferences > Security & Privacy > FileVault, will it do a full disk encryption, including "unused" space, or just encrypt the parts of the drive that have data and then encrypt as more writes happen?
  2. How about if I enabled it from Terminal?
  3. And what if I erased the drive and set it up as Encrypted from Disk Utility and then install the OS - will the whole drive be encrypted or encrypt as you write...


Would be reassuring if there was an actual publish from Apple that illuminates this aspect...

Posted on Feb 2, 2019 11:09 AM


Feb 2, 2019 12:02 PM in response to !cultOfApple

  1. I assume it is encrypting the entire disk, including free space, due to how long it takes.
  2. There are a couple of steps to setting up FileVault. Using the Terminal won’t make it go any faster but could omit something important.
  3. The last time I tried, this procedure doesn’t work anymore in Mojave, regardless of whether you have a T2 chip. I used to do this all the time, which is why I made the assumption in #1. If you do a basic encryption of a relatively empty disk, it is very fast. Therefore, FileVault must do a little bit extra.

Feb 2, 2019 11:55 AM in response to !cultOfApple

1️⃣ “FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. And on Mac systems with an Apple T2 chip, FileVault 2 keys are created and protected by the Secure Enclave.”


2️⃣ “FileVault and Encrypted Volumes

When the user turns on FileVault, macOS uses 128-bit AES encryption to encrypt everything on the root volume (...old OS X release caveat expunged).

The system automatically decrypts files upon access if an authorized user is logged in, but the files remain encrypted on disk. This provides maximum security for a user’s files if all of the following are true:

  • {list expunged}”.


3️⃣ “FileVault

Every Mac provides built-in encryption capability, called FileVault, to secure all data at rest. FileVault uses XTS-AES-128 data encryption to secure data on a Mac at rest. This can be applied to full volume protection to internal and removable storage devices. If a user enters an Apple ID and password during Setup Assistant, the assistant suggests enabling FileVault and storing the recovery key in iCloud...

A user who enables FileVault on a Mac is asked to provide valid credentials before continuing the boot process and to gain access to specialized startup modes, such as Target Disk Mode. Without...”


4️⃣ “Encryption

Security and privacy are fundamental in the design of Apple File System. That's why Apple File System implements strong full-disk encryption, encrypting files and all sensitive metadata.

Which encryption methods are available depends on hardware and operating system support, and can vary for Mac, iPhone, iPad, Apple TV, and Apple Watch.

Apple File System supports the following encryption models for each volume in a container:

Multi-key encryption ensures the integrity of user data. Even if someone were to compromise the physical security of the device and gain access to the device key, they still couldn't decrypt the user's files.

Apple File System uses AES-XTS or AES-CBC encryption modes, depending on hardware.”


………… Feel free to rummage further...


But it might be easier to provide a little more detail around what you’re up to here, as there seems to be an unstated question or two lurking...
