
Filevault safety in stop mode vs complete shutdown

From the security point of view of FileVault encryption, is it better to shut down a MacBook completely, or is it enough to leave it in stop mode?

In case of theft, does FileVault work the same way, or, with a full shutdown, is the data encrypted in a more reliable way, since nothing is loaded in RAM and the system is off?


Thanks

MacBook Pro 16″, macOS 12.1

Posted on Jan 14, 2022 1:43 PM

Question marked as Top-ranking reply

Posted on Jan 14, 2022 5:53 PM

Hi medialp,


The most secure option is always to shut down your Mac completely. That way, nothing is left in RAM, and everything is properly locked.


I'm not exactly sure what you mean by stop mode. There are two modes that could fit that description:


  • Sleep: The Mac is still powered on, but just using less power. If your Mac doesn't have the T2 Security Chip or an Apple silicon chip, an attacker could likely steal the FileVault encryption keys from RAM using a DMA attack via the Thunderbolt port(s).


  • Hibernate (write RAM contents to disk and power off): If you explicitly set the correct options via the command-line tool pmset, this could be as secure as a full shutdown (if the destroyfvkeyonstandby option is enabled, and hibernation is forced). Otherwise, it is the same (in terms of security) as regular sleep.


If your Mac has the T2 Security Chip (recent Intel-based Macs) or uses an Apple silicon chip (M1 family and future), security is significantly improved. The Secure Enclave in both systems uses encrypted memory, and has exclusive control over FileVault keys. The Intel CPU or the Application processor (M1) never sees the keys, and they are never stored in regular (unencrypted) RAM. Due to this, an attacker would only be able to extract encrypted keys (which can't be decrypted), and only if the system failed to prevent the DMA attack in the first place. These protections make it a lot safer to leave your Mac asleep.

4 replies

Jan 16, 2022 2:33 PM in response to medialp

Thanks for that info about the Stop option!


Unfortunately, there isn't a separate Hibernate option in the menu. Rather, you'd have to change some advanced power management settings in order to manipulate how the Sleep/Stop option works.


For context, these options are available, using the command-line tool pmset:


hibernatemode 0: This is regular sleep, and the default on Mac desktops (Mac mini, iMac, Mac Pro). RAM is powered during sleep, but if power is lost, everything in RAM is lost.


hibernatemode 3: This is regular sleep + hibernation, and the default on Mac notebooks (MacBook 12", MacBook Air, MacBook Pro). RAM is powered during sleep, but it is also dumped to disk. If power is lost, the Mac is "hibernated", as it will restore RAM from the copy on disk on the next boot.


hibernatemode 25: This is true hibernation, and can only be set manually in Terminal. RAM is dumped to disk, and then the computer is powered off. On the next boot, the contents of RAM will be restored from the copy on disk, and the computer will resume exactly where it left off. This mode takes longer to "wake", but it uses less power than sleep.


Since your 16" MacBook Pro has the Secure Enclave (either the T2 Security Chip or within M1 Pro/Max), the FileVault keys should be safe - regular sleep is fine. That said, if you want even greater security (comparable to a true shutdown), you can set hibernatemode to 25, and optionally set destroyfvkeyonstandby to 1. Doing that does the following:


  • FileVault uses a hierarchy of keys to protect your data. The lowest-level key is the Volume Encryption Key (VEK), the actual key used to encrypt/decrypt your data.


  • When you power on or restart your Mac, the VEK is locked. Once you enter your password, it is transformed into a key that unlocks the Key Encryption Key (KEK). The KEK then unlocks the VEK, and your Mac then continues to start up.


  • When your Mac hibernates, normally the unlocked VEK is stored in RAM to help facilitate a faster wake. If destroyfvkeyonstandby is set to 1, the VEK is locked at hibernation time, and you must enter your login password to unlock FileVault before the computer can "wake" from hibernation.


For more info, please see the pmset man page in Terminal:


  1. Open Terminal, located in Applications -> Utilities.
  2. At the top of the screen, select Help.
  3. Type pmset, and select the man page entry that appears.
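As an added example, not part of any reply in this thread, here is a POSIX shell script that audits the two pmset settings the reply above discusses (hibernatemode and destroyfvkeyonstandby) and applies the recommended combination. The two `pmset -g` outputs embedded in it are constructed samples, the function names are this example's own, and the only real commands it invokes are pmset(1) and fdesetup(1), which exist only on macOS; on any other system the apply step is skipped.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply the standby settings
# discussed above. Assumes macOS pmset(1)/fdesetup(1); samples are constructed.

# Constructed sample of `pmset -g` for a notebook at factory defaults.
SAMPLE_DEFAULT='System-wide power settings:
Currently in use:
 standby              1
 hibernatefile        /var/vm/sleepimage
 sleep                1
 hibernatemode        3
 displaysleep         2
 lidwake              1'

# Constructed sample after `pmset -a hibernatemode 25 destroyfvkeyonstandby 1`.
# pmset prints this key with mixed case, so matching below is case-insensitive.
SAMPLE_HARDENED='System-wide power settings:
Currently in use:
 standby              1
 hibernatefile        /var/vm/sleepimage
 sleep                1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 displaysleep         2
 lidwake              1'

# pm_get <pmset -g output> <key>: value of one setting, or "unset" if absent.
pm_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# fv_standby_posture <pmset -g output>: what a thief finds in RAM after the
# lid is closed. Per the pmset man page, destroyfvkeyonstandby acts when the
# machine enters standby; with hibernatemode 25 the Mac hibernates (powers
# off) as soon as it sleeps, so the key is gone immediately. With the default
# mode 3 the key stays in RAM during ordinary sleep until standbydelay expires.
fv_standby_posture() {
    mode=$(pm_get "$1" hibernatemode)
    destroy=$(pm_get "$1" destroyfvkeyonstandby)
    case "$mode" in
        0)  base="sleep-only" ;;   # RAM powered, nothing written to disk
        3)  base="safe-sleep" ;;   # RAM powered, image also written to disk
        25) base="hibernate" ;;    # image written, machine powered off
        *)  base="unknown" ;;
    esac
    if [ "$mode" = 25 ] && [ "$destroy" = 1 ]; then
        echo "$base:key-destroyed"
    elif [ "$destroy" = 1 ]; then
        echo "$base:key-destroyed-on-standby-only"
    else
        echo "$base:key-retained"
    fi
}

# apply_secure_standby: apply the reply's recommendation to all power sources
# (-a). Needs root and a Mac with FileVault on; returns 2 when not applicable.
apply_secure_standby() {
    if ! command -v pmset >/dev/null 2>&1; then
        echo "pmset not found: not macOS, nothing applied" >&2
        return 2
    fi
    if ! fdesetup status | grep -q 'FileVault is On'; then
        echo "FileVault is off: destroyfvkeyonstandby has no key to destroy" >&2
        return 2
    fi
    sudo pmset -a hibernatemode 25 destroyfvkeyonstandby 1 || return 1
    fv_standby_posture "$(pmset -g)"
}

if [ "${1:-}" = apply ]; then
    apply_secure_standby
else
    echo "default : $(fv_standby_posture "$SAMPLE_DEFAULT")"
    echo "hardened: $(fv_standby_posture "$SAMPLE_HARDENED")"
fi
```

Run it with no arguments to see how the two constructed samples are classified (`safe-sleep:key-retained` for the default notebook profile, `hibernate:key-destroyed` after hardening); run `sudo sh audit.sh apply` on the Mac itself to make the change and re-read the live settings. Note that hibernatemode 25 trades wake time for this: every wake goes through a full restore from the sleep image plus a FileVault password prompt, which is the point of the setting.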
