APFS Encryption, newly created Volumes out of FileVault Encrypted Drive

Here we go with yet another publication, to understand the MacOS and because of the proper detailed documentation,


From the image below, Macintosh HD (renamed to MILTECHX) was encrypted with File Vault. Next, thanks to an extremely helpful gentleman's explanation, SCROOGE APFS Volume was created.


Help me understand :

  • File Vault has encrypted MILTECHX (image 2) and upon login I'm asked for my iCloud password; then, does the Volume/SCROOGE (APFS only) go under the MILTECHX encryption?
  • If Volume/SCROOGE is left APFS only, not encrypted, does it mean it is going to be widely accessible for read/write, under RecoveryCD/tools of any sort (HyrenBootCD troubleshooting-like tools; I know it does not apply to Apple, used it for descriptive purposes only)?
  • If I recreate SCROOGE with APFS Encrypted, it asks me to enter a password; is this password going to be entered every single time I want to access this volume (while the machine is turned on), even if I log in to the system? In other words, is the volume understood by the system as external to it (like having an external HDD with BitLocker encryption on it)?




OS: MacOS 12, MBP: M1


I come from 24 years of WindowsOS use.


OR, the encryption goes only for the 15.2GB MILTECHX only and neither the Data, VM, Preboot, SCROOGE, and 1 that is Not Mounted are left unencrypted?


Structural explanation of the encryption process would be highly appreciated, because I can relate with how the things are working with Microsoft but here, here it seems a bit odd as a process.


BR,

F_C_

Posted on Apr 11, 2022 1:41 PM

Question marked as Best reply

Posted on Apr 11, 2022 8:09 PM

FileVault and encryption are not synonymous. FileVault is more about being able to decrypt and login with the same credentials. It will encrypt your startup drive, but the encryption is the same as Disk Utility. FileVault encrypts, but all encryption is not FileVault.


With a T2 or M1 Mac, the startup drive is always encrypted. If you don’t enable FileVault, the keys are stored in the Secure Enclave, so I can’t answer what I would imagine is the most important question.


When encrypted, you enter the password to decrypt it only once. It will remain “decrypted” until you unmount it.


With APFS, volumes can be encrypted separately.


There is conflicting info on what volumes are encrypted when you look at the info in diskutil vs Disk Utility.
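
The reply above points to `diskutil` as one place to read per-volume encryption status. As an added example (not part of any reply in this thread), this script condenses text laid out like `diskutil apfs list` output into one status line per volume; the sample listing, its device identifiers, and the assumption that the status key is `FileVault:` or `Encrypted:` are constructed for illustration and are not the poster's output.

```shell
#!/bin/sh
# Added example, not from the thread. Reads text laid out like the output of
# `diskutil apfs list` and prints: device <TAB> role <TAB> name <TAB> state.
# On a Mac: diskutil apfs list | apfs_encryption_report
apfs_encryption_report() {
    awk '
        function emit() {
            if (dev != "") printf "%s\t%s\t%s\t%s\n", dev, role, name, (state == "" ? "unknown" : state)
            dev = role = name = state = ""
        }
        function value(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
        # Drop the tree-drawing prefix ("|   ") and trailing blanks.
        { sub(/^[ \t|]+/, ""); sub(/[ \t]+$/, "") }
        /^APFS Volume Disk \(Role\):/ {
            emit()
            v = value($0)
            dev = v; sub(/[ \t].*$/, "", dev)
            role = v; sub(/^[^ \t]+[ \t]*/, "", role); gsub(/[()]/, "", role)
            next
        }
        /^Name:/ && dev != "" { name = value($0); sub(/ \(Case-[^)]*\)$/, "", name); next }
        # Per-volume status line; the key is assumed to be FileVault or Encrypted.
        /^(FileVault|Encrypted):/ && dev != "" && state == "" { state = value($0); next }
        END { emit() }
    '
}
# Names of volumes whose status line starts with "No", one per line.
volumes_reported_unencrypted() {
    apfs_encryption_report | awk -F '\t' '$4 ~ /^No/ { print $3 }'
}
# Constructed sample in the layout diskutil prints; it is not the poster's output.
sample_listing() {
    cat <<'EOF'
+-- Container disk3 (constructed-uuid)
    APFS Container Reference:     disk3
    |
    +-> Volume disk3s1 (constructed-uuid)
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      MILTECHX (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk3s7 (constructed-uuid)
        APFS Volume Disk (Role):   disk3s7 (No specific role)
        Name:                      SCROOGE (Case-insensitive)
        Mount Point:               /Volumes/SCROOGE
        Encrypted:                 No
EOF
}
sample_listing | apfs_encryption_report
```

A volume that never shows a status line is reported as `unknown` rather than guessed at, which keeps any disagreement between tools visible.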

Apr 12, 2022 9:59 AM in response to Fit_Cardiologist_

With an older non-T2 Mac, I believe FileVault encrypts the entire Container on the boot drive. It looks like "SCROOGE" is part of the same Container as your macOS boot volumes so I believe "SCROOGE" would be encrypted. You can verify by booting into Recovery Mode, from a bootable macOS USB drive, or by putting this Mac into Target Disk Mode and connecting it to another Mac running the same or newer version of macOS to see if the "SCROOGE" volume is visible or whether you have to unlock FileVault before "SCROOGE" becomes available. I don't know of anyone who has created extra APFS volumes in the first place, much less someone who has also enabled FileVault with the extra APFS volume. This seems like the simplest test.


According to Apple, enabling FileVault on a 2018+ Mac (T2 chip or M1 CPU) adds an extra layer of protection to the hardware encrypted data on the internal SSD by requiring a password. See this Apple article for details:

Encrypt Mac data with FileVault - Apple Support


Apr 12, 2022 9:48 PM in response to Fit_Cardiologist_

You know, if in 21st Century adding a password to an encrypted hard drive is a new thing, then we are doomed

You should stick to hearts as technology seems to be escaping your grasp. I'm not sure how you think the drive should be decrypted. There are certainly other ways to retrieve the keys, but almost everyone is capable of using a password.


You might be able to make something from this: Apple Platform Security - Apple Support.

Apr 12, 2022 1:23 AM in response to Barney-15E

Thank you, Mr. Rubble! I hope, everything is alright in Bedrock :)


The lack of proper documentation really confused me. It's unfortunate that the manpages are not available online for easy reading. I honestly had no idea the drive was coming encrypted by default, which differs from WindowsOS, and I couldn't find information about that either.


Am I going to bring you a headache if I ask for a use case example of,

When encrypted, you enter the password to decrypt it only once. It will remain “decrypted” until you unmount it.


and what are people using it for, because it seems, now, as one useless exercise to apply Encryption, which in fact comes out to be only a password protection of a volume (correct me if I got you wrong), to an already pre-encrypted hard drive. Maybe, multiple users accessing the Volume in case we are talking about server-like activity, where whoever has the password can access the Volume?


BR,

F_C_


Apr 12, 2022 2:23 PM in response to HWTech

Hi, thank you for replying back to me.


These articles are just so messed up, all of them, confirming nothing but leaving the door open to give the Support a call, 'press 3 for Jazz while you are waiting'.


I was through it before posting in the Community section and it had no value to my question. You know, if in 21st Century adding a password to an encrypted hard drive is a new thing, then we are doomed no matter they are introducing it like the next big 'Woow' thing they have done.


I was thinking about the same approach as you've suggested here - like the good old, old, days when learning Windows OS was still a thing.


Happy Holidays, Mr. HWTech :)
