Filevault vs APFS encryption

Been running some testing, and I just wanted to clarify the differences between FileVault and APFS encryption.


So I wiped my disk and chose APFS encrypted as my drive format. Set a password. I then installed macOS Ventura. During the setup process, after logging into iCloud, I unchecked the FileVault option. When I look under Disk Utility now, it says the disk is just APFS, not encrypted.


If I go to /System/Volumes/ and then right-click on 'Macintosh HD', I can select 'Encrypt,' which will prompt me to enter a password. I then get a pop-up saying "This disk has macOS users. Please select it as the startup disk, restart, and enable Filevault."


My main question is, are FileVault and APFS encryption the same? I feel like the documentation has been very unclear. I also see threads like this one which says:


FileVault and encryption are not synonymous. FileVault is more about being able to decrypt and login with the same credentials. It will encrypt your startup drive, but the encryption is the same as Disk Utility. FileVault encrypts, but all encryption is not FileVault.


Do they offer the same type of encryption? From what I've read, APFS encryption encrypts the filesystem while FileVault is a layer that sits on top of the filesystem. I would understand if Apple only lets you have both on, or both off, but curious as to if they are in fact the same thing, or just two things that you can't have separately.


Related, can I have my drive be APFS encrypted without FileVault being turned on?



Thanks in advance!

Posted on Mar 3, 2023 7:27 PM


5 replies

Mar 4, 2023 9:27 AM in response to mousy0815

mousy0815 wrote:

Been running some testing, and I just wanted to clarify the differences between FileVault and APFS encryption.

So I wiped my disk and chose APFS encrypted as my drive format. Set a password.


Set up a password for what here?





My main question is, are FileVault and APFS encryption the same? I feel like the documentation has been very unclear.

Do they offer the same type of encryption?

From what I've read, APFS encryption encrypts the filesystem while FileVault is a layer that sits on top of the filesystem. I would understand if Apple only lets you have both on, or both off, but curious as to if they are in fact the same thing, or just two things that you can't have separately.



You do not need to have FileVault option turned on.




The contemporary macOS/APFS encrypts all user data by default. The macOS manages this encryption key; all you need is your admin/user password to proceed to log into your user account to have r/w access to this data.


FileVault is one more layer of security; it hands you the encryption key (password protected) for the FileVault lock for the drive:

Use FileVault to encrypt your Mac startup disk - Apple Support


Firmware password is an additional layer of security:

Set a firmware password on your Mac - Apple Support



Once you turn FileVault on or off, it has to fully encrypt before you can turn it off, and it fully decrypts the entire drive. This can take some time.


You can see the Filevault status from the Terminal.app, copy and paste:

fdesetup status



I have never turned on FileVault or Firmware password in all the years using Mac—and never had an issue.


You can read more from an outside source:

https://derflounder.wordpress.com/2019/07/03/managing-macos-mojaves-filevault-2-with-fdesetup/
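
Added example, not part of the post above or of Apple's tooling: a shell script that classifies the text `fdesetup status` prints, including the in-progress states, and lists the per-volume FileVault field from `diskutil apfs list`. The function names are hypothetical, the sample text is constructed, and its field layout is an assumption about the tools' output.

```shell
#!/bin/sh
# Added example (not from the thread). Sample text below is constructed and
# modeled on the tools' output; the exact field layout is an assumption.

# Classify `fdesetup status` text read from stdin.
fv_state() {
    out=$(cat)
    case "$out" in
        *"Encryption in progress"*) echo encrypting ;;  # checked first: the same
        *"Decryption in progress"*) echo decrypting ;;  # output may also say "On"
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Print "name|role|filevault" for each volume in `diskutil apfs list` text on stdin.
apfs_volumes() {
    awk '
        { sub(/^[ |]+/, "") }   # drop the tree-drawing prefix
        /^APFS Volume Disk \(Role\):/ { role = $0; sub(/^.*\(/, "", role); sub(/\).*$/, "", role) }
        /^Name:/      { name = $0; sub(/^Name: +/, "", name); sub(/ \(Case.*$/, "", name) }
        /^FileVault:/ { fv = $0; sub(/^FileVault: +/, "", fv); print name "|" role "|" fv }
    '
}

# Constructed sample inputs.
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_APFS='+-> Volume disk3s5 (constructed)
|   APFS Volume Disk (Role):   disk3s5 (Data)
|   Name:                      Macintosh HD - Data (Case-insensitive)
|   FileVault:                 No
+-> Volume disk5s1 (constructed)
|   APFS Volume Disk (Role):   disk5s1 (No specific role)
|   Name:                      Backup (Case-insensitive)
|   FileVault:                 Yes (Unlocked)'

# On a Mac, run against the live tools; elsewhere, against the samples.
if command -v fdesetup >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
    fdesetup status | fv_state
    diskutil apfs list | apfs_volumes
else
    printf '%s\n' "$SAMPLE_STATUS" | fv_state
    printf '%s\n' "$SAMPLE_APFS" | apfs_volumes
fi
```
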


Mar 4, 2023 11:05 AM in response to mousy0815

mousy0815 wrote:

Been running some testing

What sort of testing?


One big problem here in the forums is people following random instructions on the internet, digging themselves very deeply into some crazy rabbit hole, and then asking us for very detailed descriptions of the chemical makeup of rabbit pellets. They get very angry when we say anything that does not pertain to rabbit pellets.

I just wanted to clarify the differences between FileVault and APFS encryption.

None.

So I wiped my disk

Why? What "disk"? Please specify.

I then installed macOS Ventura. During the setup process, after logging into iCloud, I unchecked the FileVault option.

Again, why?

When I look under Disk Utility now, it says the disk is just APFS, not encrypted.

Because you had just turned off FileVault.

If I go to /System/Volumes/ and then right-click on 'Macintosh HD', I can select 'Encrypt,' which will prompt me to enter a password. I then get a pop-up saying "This disk has macOS users. Please select it as the startup disk, restart, and enable Filevault."

The operating system has detected your rabbit-hole digging and is kindly suggesting that you simply turn on FileVault.

My main question is, are FileVault and APFS encryption the same? I feel like the documentation has been very unclear.

What documentation are you referring to?

This one?

Or this?

Maybe this one.

What about this one?


Do they offer the same type of encryption?

Yes.

From what I've read, APFS encryption encrypts the filesystem while FileVault is a layer that sits on top of the filesystem.

Kind of.

I would understand if Apple only lets you have both on, or both off, but curious as to if they are in fact the same thing, or just two things that you can't have separately.

Well, did you try to use Disk Utility to turn on just APFS Encryption? What happened when you did that? Didn't the operating system refuse, essentially telling that you can only have both on or both off?

Related, can I have my drive be APFS encrypted without FileVault being turned on?

Define "my drive". So you mean an external hard drive? An external hard drive that you've set up as a boot drive because the Apple default boot disk is just too fast? A flash drive? A network drive?


There is a chicken and egg problem with encrypted drives. If the drive is encrypted, then it can't boot. The system has to read data on the disk. But the decryption key is stored on the disk. But the disk is encrypted. What to do? Use FileVault. FileVault is a system to boot from an encrypted drive. That's it. End of story.

Mar 4, 2023 11:00 AM in response to mousy0815

mousy0815 wrote:

I'm trying to understand the technical differences between the two, and if I can have one without the other. Your response does not answer this.



Yes, you can have one but not the other. The other is FileVault.


You have to have APFS. It is encrypted by default, yes—you will never see it; the macOS handles this behind the scenes, no user interaction required.


With no FileVault enabled you can log into your user account. From Terminal, copy and paste:

sudo fdesetup list


You see the encryption key associated with your user account: hidden, no user interaction, no writing it down—managed by the macOS when you boot up and log into your user account with your password.



When you Boot up with FileVault you have to get past this screen first, then log in to your user account.



more external ref: https://www.youtube.com/watch?v=IkAk3A0-DKs



to drill down further on your issue—


Call Customer Support  (800) MYAPPLE (800–692–7753)

or on line  https://getsupport.apple.com/



Mar 4, 2023 10:24 AM in response to leroydouglas

leroydouglas wrote:


mousy0815 wrote:

Been running some testing, and I just wanted to clarify the differences between FileVault and APFS encryption.

So I wiped my disk and chose APFS encrypted as my drive format. Set a password.

Set up a password for what here?

Set up a password for the drive. It's part of the process of APFS encryption.



leroydouglas wrote:
You do not need to have FileVault option turned on.

This statement in addition to the rest of your response does not really answer my question.

I understand that FileVault is an extra layer of security. My question stated that I was unable to have my startup disk be APFS (unencrypted) and have FileVault turned on.


Also, if I wipe my disk, reformat as APFS encrypted, set a password (password A), and turn FileVault on, I never have to enter password A to access my files. However, this article suggests that I should have to enter password A at some point, even if FileVault is on:


FileVault protects data on your startup disk from being extractable when your Mac's powered down and in sleep mode by requiring your login password to decrypt the data. Nevertheless, drives formatted as APFS Encrypted require another password to access the drive's content after logging into the system.


I'm trying to understand the technical differences between the two, and if I can have one without the other. Your response does not answer this.


