File Vault after moving to new MBP

I've read that FileVault moved from an old MBP to a new one requires that you turn it off, let it decrypt, and then turn it back on again to get a new recovery key (either in the iCloud account or not). And if you don't, then your old recovery key for your old MBP is orphaned, which includes Time Machine backups as well. So I am trying to be duly diligent by keeping up with that.


I have had a 2022 MacBook Pro M1 SoC machine for a month now, and so far I love it. The old one was a mid 2015, and after moving it over to the new one I wiped the old one completely.


Today on the new one, I turned off FileVault and expected it to take a week to decrypt everything, but to my surprise, it was instantaneous. No progress bar showed (though I might have looked away). And I thought to myself something must be wrong.

I tried "diskutil cs list", and there was no mention of decryption progress or "conversion" or anything like that. It appeared that FileVault was turned off. In fact, doing "fdesetup status -extended" confirmed that.


With trepidation in my heart I turned it back on, and it gave me the recovery key prompt, and when I chose the second option, I wrote it down on a sticky note, and then copied and saved it in 1Password as a "Software License" item just to be safe. Then I hit continue. And again, I expected it to take a week to encrypt everything, but it didn't. It gave a progress bar that was quickly completed within 30 seconds. And that left me scratching my head.


So I did diskutil apfs list again, and it tells me this:

    +-> Volume disk3s1 DBF7A339-97D7-4A6E-B6FD-C6FD21E31567
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         15759507456 B (15.8 GB)
    |   Sealed:                    Yes
    |   FileVault:                 Yes (Unlocked)
    |   Encrypted:                 No
    |   |
    |   Snapshot:                  4F082E01-B6F2-4786-A3F0-2B3B7F81BC40
    |   Snapshot Disk:             disk3s1s1
    |   Snapshot Mount Point:      /
    |   Snapshot Sealed:           Yes
    |

My overall question is: how do I turn encryption on if it is already supposed to be on?

What does "FileVault:         Yes (Unlocked)" mean, and am I really encrypted? It says "No" that I am not encrypted.





MacBook Pro (2020 and later)

Posted on Jan 30, 2022 7:04 AM

Question marked as Top-ranking reply

Posted on Jan 30, 2022 8:52 PM

WillWheaton wrote:

I've read that FileVault moved from an old MBP to a new one requires that you turn it off, let it decrypt, and then turn it back on again to get a new recovery key (either in the iCloud account or not). And if you don't, then your old recovery key for your old MBP is orphaned, which includes Time Machine backups as well. So I am trying to be duly diligent by keeping up with that.

FileVault is bound to each particular Mac. It only protects the data that lives inside the Mac. Once any of that data is moved outside of that particular Mac (example: to an external drive for Time Machine backups), it is outside FileVault's scope of protection, and is decrypted on the fly.


You can't transfer FileVault itself to another Mac, but you can transfer the data from one Mac to another, and then enable FileVault on the new Mac :)


In regards to the rest of your question, enabling or disabling FileVault is now instantaneous on any Apple silicon Mac (M1 and future), or any Intel-based Mac with the T2 Security Chip. As mentioned by HWTech, your data is actually already encrypted by the Secure Enclave, but enabling FileVault provides better security by tying the encryption keys to your password. Without your password or the recovery key, your data is inaccessible when FileVault is enabled.


For the diskutil list output: FileVault is enabled. However, the situation may seem confusing, when another piece of that output says that the volume isn't encrypted. Let me explain.


In macOS Big Sur and later (including macOS Monterey), your Mac uses two important volumes: The Signed System Volume (SSV), and the Data volume.


  • The SSV (usually "Macintosh HD") contains the vast majority of macOS, including most preinstalled apps. It is cryptographically sealed, and the seal is checked against a signed value provided by Apple. Whenever you start up your Mac, it boots from an immutable snapshot of the SSV. This ensures that your Mac always starts up from a perfect copy of macOS. With these strong protections in place, it isn't necessary to encrypt the SSV with FileVault, and it actually remains decrypted even with FileVault enabled. If the SSV is modified in any way (except by macOS updates), your Mac will refuse to start up, and it will prompt you to reinstall macOS. SSV protections are always active, even if FileVault is disabled.


  • The Data volume contains all of your data, apps, and settings. FileVault encryption applies to this volume.


The diskutil apfs list output that you provided describes the SSV, not the Data volume. To verify that FileVault is enabled and the Data volume is encrypted, run diskutil apfs list again, and check the details for "Data" or "Macintosh HD - Data".

Feb 4, 2022 6:28 PM in response to Encryptor5000

This is great information and quite understandable. Thank you for your succinct answer. It explains a lot and I am even more in awe of this machine now.


Here is the portion of the diskutil output for the "Data" partition:

    +-> Volume disk3s5 6E7A20CB-D014-41C2-8E81-C81BEDB1FF8C
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s5 (Data)
    |   Name:                      Data (Case-insensitive)
    |   Mount Point:               /System/Volumes/Data
    |   Capacity Consumed:         239129178112 B (239.1 GB)
    |   Sealed:                    No
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk3s6 6FC09796-CA5C-45F7-AED4-3D07BB44C4B8
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s6 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /System/Volumes/VM
        Capacity Consumed:         7516221440 B (7.5 GB)
        Sealed:                    No
        FileVault:                 No

disk3s5 seems to have FileVault turned on, but it says "Unlocked"... possibly because I am actually using it when I am signed in or something?


disk3s6 seems to be a VM running on here. Not sure what that is all about, but I may have an old VirtualBox that doesn't work anymore or something. I dunno. It's taking up 7.5 GB though. I'll have to research that.



Anyway, thanks for this.

Feb 4, 2022 7:52 PM in response to WillWheaton

Great to hear - glad I could help! It looks like FileVault is indeed enabled for the Data volume. And yes, it is showing as "Unlocked" since you've signed in to the Mac :) It will remain unlocked until you shut down or restart your Mac.


If you ever need to start up from macOS Recovery (shut down your Mac, then hold down Touch ID until prompted), running "diskutil apfs list" from Terminal in there will show the Data volume as locked. It will remain locked until you explicitly unlock it (by mounting it in Disk Utility).
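
The check described in the answers above, as an added example that is not part of the original posts: a small shell/awk parser that reads `diskutil apfs list` text and reports FileVault state per volume role, so the verdict comes from the Data volume rather than the sealed System volume. The function names are made up for this example, and the sample input is the output quoted in this thread, trimmed to the fields the parser reads.

```shell
# Added example: per-volume FileVault summary from `diskutil apfs list` text.
# Sample input: lines from the diskutil output quoted in this thread (trimmed).
sample_output() {
cat <<'EOF'
   +-> Volume disk3s1 DBF7A339-97D7-4A6E-B6FD-C6FD21E31567
   |   APFS Volume Disk (Role):   disk3s1 (System)
   |   Sealed:                    Yes
   |   FileVault:                 Yes (Unlocked)
   |   Encrypted:                 No
   |   Snapshot Sealed:           Yes
   +-> Volume disk3s5 6E7A20CB-D014-41C2-8E81-C81BEDB1FF8C
   |   APFS Volume Disk (Role):   disk3s5 (Data)
   |   Sealed:                    No
   |   FileVault:                 Yes (Unlocked)
   +-> Volume disk3s6 6FC09796-CA5C-45F7-AED4-3D07BB44C4B8
       APFS Volume Disk (Role):   disk3s6 (VM)
       Sealed:                    No
       FileVault:                 No
EOF
}

# fv_report: stdin = `diskutil apfs list` text;
# stdout = one line per volume: disk<TAB>role<TAB>filevault<TAB>lock<TAB>sealed
fv_report() {
  awk '
    function emit() { if (disk != "") printf "%s\t%s\t%s\t%s\t%s\n", disk, role, fv, lock, sealed }
    { sub(/^[ |+>-]*/, "") }            # drop the tree-drawing prefix
    /^APFS Volume Disk \(Role\):/ {
      emit(); disk = $5; role = $6
      for (i = 7; i <= NF; i++) role = role " " $i   # keep multi-word roles whole
      gsub(/[()]/, "", role); fv = "unknown"; lock = "-"; sealed = "unknown"; next
    }
    /^FileVault:/ { fv = $2; lock = (NF >= 3) ? $3 : "-"; gsub(/[()]/, "", lock) }
    /^Sealed:/    { sealed = $2 }       # "Snapshot Sealed:" does not match here
    END { emit() }
  '
}

# data_volume_check: succeeds only if a Data-role volume exists and reports FileVault "Yes".
data_volume_check() {
  fv_report | awk -F '\t' '
    $2 == "Data" { found = 1; print $1 ": FileVault " $3 " (" $4 ")"; if ($3 != "Yes") bad = 1 }
    END { exit (found && !bad) ? 0 : 1 }
  '
}

sample_output | fv_report
sample_output | data_volume_check
```

On a Mac, the same functions read live output with `diskutil apfs list | data_volume_check`; a non-zero exit status means no Data volume was found or FileVault is off for it.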
