Hello all 🙂
This is my 1st post here. So, I hope the following hasn’t been discussed at length already.
I don’t currently use FileVault because I don’t either have anything especially critical on my device (late 2018 model Mac mini) or want the performance hit of running yet another background process. Does the T2 chip improve performance of FileVault should I choose to use it?
thanks
Mac mini 2018 or later
The T2 chip acts as both an SSD drive controller and the encryption management chip. As it therefore offloads all these tasks from the main CPU the performance hit is indeed negligible. In fact it is so low that as Barney mentions all T2 equipped Macs are always encrypted. If you don't specifically turn on FileVault2 then it is merely that the key is then the default one for that Mac/logic board and auto entered. However if you were to remove the SSD and fit it in another Mac it would not work because the key is linked to that unique T2 chip. (Apple apparently have a means of migrating this should the logic board need to be replaced but it is not something normal people can do.)
The T2 chip acts as both an SSD drive controller and the encryption management chip. As it therefore offloads all these tasks from the main CPU the performance hit is indeed negligible. In fact it is so low that as Barney mentions all T2 equipped Macs are always encrypted. If you don't specifically turn on FileVault2 then it is merely that the key is then the default one for that Mac/logic board and auto entered. However if you were to remove the SSD and fit it in another Mac it would not work because the key is linked to that unique T2 chip. (Apple apparently have a means of migrating this should the logic board need to be replaced but it is not something normal people can do.)
You are confusing two related, but not equal things.
FileVault is not encryption, per se. FileVault is the ability to have users decrypt the drive at login instead of requiring a password to decrypt, then log into the computer. FileVault enabled both encryption and easy decryption at login.
Any Mac with a T2 chip is always encrypted. If you don't enable FileVault on those Macs, it decrypts and encrypts on its own.
If you enable FileVault on those Macs, it will only decrypt when a designated user logs in.
When you enable FileVault on a T2 Mac, you will not see the FileVault progress bar as it is already encrypted. The only thing that changes is where/how the encryption credentials are managed.
So, if you enable FileVault on a T2 Mac, you will not notice any difference in performance because nothing really has changed.
Now when initially encrypting the storage, FileVault is stealing some I/O cycles to read storage, encrypt it, then write it back out.
A T2 chip Mac is already encrypted. There is no "initially encrypting the storage."
As far as I know, the current line of intel i5 and i7 CPU chips include encryption/decryption hardware, so there is basically very little to no really impact to running FileVault.
Now when initially encrypting the storage, FileVault is stealing some I/O cycles to read storage, encrypt it, then write it back out. If you are also trying to some storage intensive tasks, during this initial period, you may experience some performance issues. But once the entire storage is encrypted, you should not really notice it, as it will be in the 1% range, if at all.
Also reading data from the disk is decrypted by the device drivers on its want into memory, and writing data back to disk is encrypted by the same device drivers on its way out. It is not a separate process, just a CPU assisted extra step as data passed into or out of memory.
For external drives SSD or traditional spinning drives the Mac T2 chip is not the controller chip. It could be however the encryption calculations are still being processed by the T2 chip, I don't know for certain about this but logically it would still do the encryption processing. I base this on the fact that the video processing definitely is still processed by the T2 chip even if you are booted from an external drive.
Even if the T2 chip in this case is not used FileVault2 is generally regarded as adding only a small overhead.
Note: For external drives the drive would not automatically be encrypted - not even with the logic board key, it would only be encrypted when you specifically encrypt that drive.
A T2 equipped computer, without FileVault active, leaves the drive encrypted at login only decrypting in real time as needed.
I don't know the answer to that.
Here is an article about the encrypted storage provided by the T2 chip, but I can't infer anything about "real time encryption/decryption" from it. About encrypted storage on your new Mac - Apple Support
I had the impression it worked similarly to FileVault 2's encryption/decryption where it decrypts the entire drive, but I might be wrong about that. This statement from that article seems to imply I am correct:
You should also turn on FileVault for additional security, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac.
That the T2 chip handles 99.9% of the overhead sounds almost too good to be true, but it makes sense from everything else I've read.
I think I understand you, but would I be correct if I stated the following?
A T2 equipped computer, without FileVault active, leaves the drive encrypted at login only decrypting in real time as needed.
Thanks for the help.
You guys are great! I’ve learned for more than I ever expected from my initial question. Now I have one more.
If I were to add one or more external SSD’s, will they be in any way controlled or encrypted by the T2?
If not, because encryption can no longer be performed entirely by the T2, would adding additional SSDs impact performance?
Thanks everyone for all the help!
Thanks Barney. :)
Why would encrypting be the case at all... if it was all automatic???
Your link does imply such, but it makes no sense to me.
Thanks John, I was wondering if external drives on T2 equipped would forever be tied to a certain Mac & useless otherwise. :)
I hear it drastically increases the speed of encryption, but cannot test it, nor would I since reading the nightmare scenarios when things go sideways. :)
T2 chip improving performance?
