System disk always "encrypted" now? Best practices for backup, recovery?

I think I understand that in Sonoma, if not earlier, the data on the internal system drive is always encrypted even if FileVault has not been activated. In a situation where the Mac hardware fails but the system disk is undamaged, what are the implications for recovery?


Does it mean that recovery is possible, but only if the drive can be installed in a working recent Mac, and only if you know the password for the 501 account?


Are Time Machine backups to an external drive unencrypted, and therefore readable/recoverable on another Mac?

Mac mini, macOS 14.1

Posted on Dec 9, 2023 7:00 AM

Question marked as Top-ranking reply

Posted on Dec 9, 2023 8:35 AM

Daniel P. B. Smith wrote:

I think I understand that in Sonoma, if not earlier, the data on the internal system drive is always encrypted even if FileVault has not been activated. In a situation where the Mac hardware fails but the system disk is undamaged, what are the implications for recovery?

Does it mean that recovery is possible, but only if the drive can be installed in a working recent Mac, and only if you know the password for the 501 account?

Are Time Machine backups to an external drive unencrypted, and therefore readable/recoverable on another Mac?


Yes, you need a password.

Encryption goes way back now:

If you have a model of Mac with an Apple T2 chip or SoC M1/M2/M3, the data on your drive is already encrypted automatically.

Fundamentally, your user/admin password unlocks the decryption, all behind the scenes.

Additional layers, if invoked:

FileVault: Protect data on your Mac with FileVault

Firmware: Set a firmware password on your Mac

Time Machine backups can be encrypted as well: Keep your Time Machine backup disk for Mac secure

I guess if you have government, trade secrets, or the nuclear codes you could go for it all.

I see nothing but issues here with people losing the encryption keys, passwords, Recovery keys, etc., effectively locking themselves out.

At some level you can, with a proof of purchase receipt, physically visit an Apple Store for some instances but not all.

For me personally, I use nothing but the admin password to protect my Mac and its content and have never had an issue, or felt like it was jeopardizing any passwords/data/records/bank/ad infinitum.


Dec 9, 2023 8:03 PM in response to Daniel P. B. Smith

Leroy's answer makes total sense.


To that I can simply add some examples I have experienced of "recovery." One with a work MacBook Pro T2 chip, one with a MacBook Pro T2 chip personal Mac. The work Mac has FileVault on top of the normal T2 encryption; the personal Mac does not have FileVault. Both were backed up using Time Machine and also SuperDuper ("clone" type of backup), and each had everything transferred to new Macs from the Time Machine backups using Apple's standard Migration Assistant tool. Basically no issues with either situation; you do need to remember the password(s) that are needed to access the encrypted backups. These were not true "recoveries" because the original Macs were still working fine, but the migration process from the backup is exactly what one would do with a catastrophic hardware failure in the original Mac.


Without the password, I think you are out of business.


You asked about "recent Macs"; keep in mind a Time Machine backup made under Sonoma can only be used to migrate to another Mac using Sonoma (or a later OS than the backup was made from). So the target Mac need not be that recent, but at least recent enough to run an OS that is equal to or later than the original Mac's OS the backup was made from.


I don't use FileVault or a firmware password, personally (like Leroy), but our work computers mandate FileVault. Adding these extra layers of protection is fine but with the added protection comes additional failure modes.


I believe that an unencrypted Time Machine backup can indeed have its files copied to other computers by someone without the original password. Maybe not using the Time Machine interface, but through other fairly straightforward methods.
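
An added example (not from the thread or from Apple) for checking the encryption states the replies discuss: it parses `diskutil apfs list` output, separates volumes reported as FileVault-enabled, `No (Encrypted at rest)`, or unencrypted, and lists unencrypted Time Machine (Backup-role) volumes. The function names and sample text are constructed, and the field labels are assumed to match what `diskutil apfs list` prints on recent macOS.

```shell
#!/bin/sh
# Classify APFS volumes by what `diskutil apfs list` reports for encryption.
# Output: device <TAB> role <TAB> state <TAB> name

classify_volumes() {
  awk '
    /APFS Volume Disk \(Role\):/ {          # start of a volume block
      sub(/^.*\(Role\):[ \t]*/, "")
      dev = $1; role = $0; name = ""
      sub(/^[^ ]+ */, "", role); gsub(/[()]/, "", role)
    }
    /Name:/ && dev != "" && name == "" {    # first Name: line in the block
      sub(/^.*Name:[ \t]*/, ""); sub(/[ \t]*\(Case-.*$/, ""); name = $0
    }
    /FileVault:/ && dev != "" {             # closes the block
      sub(/^.*FileVault:[ \t]*/, "")
      if ($0 ~ /^Yes/)                   state = "filevault"
      else if ($0 ~ /Encrypted at rest/) state = "at-rest-only"
      else                               state = "unencrypted"
      printf "%s\t%s\t%s\t%s\n", dev, role, state, name
      dev = ""
    }'
}

# Backup-role volumes (Time Machine) that anyone holding the disk can read.
unencrypted_backups() {
  classify_volumes | awk -F '\t' '$2 == "Backup" && $3 == "unencrypted" { print $1 }'
}

# Constructed sample, trimmed to the fields the parser reads.
sample_output() {
  cat <<'EOF'
|   |   APFS Volume Disk (Role):   disk3s5 (Data)
|   |   Name:                      Macintosh HD - Data (Case-insensitive)
|   |   Mount Point:               /System/Volumes/Data
|   |   FileVault:                 No (Encrypted at rest)
|   |   APFS Volume Disk (Role):   disk5s2 (Backup)
|   |   Name:                      TM Backup (Case-sensitive)
|   |   FileVault:                 No
|   |   APFS Volume Disk (Role):   disk7s2 (Backup)
|   |   Name:                      TM Vault (Case-sensitive)
|   |   FileVault:                 Yes (Unlocked)
EOF
}

if command -v diskutil >/dev/null 2>&1; then
  diskutil apfs list | classify_volumes      # real data on a Mac
else
  sample_output | classify_volumes           # constructed sample elsewhere
fi
```

On a Mac, `diskutil apfs list | unencrypted_backups` prints the device identifiers of any backup volumes that are not password-protected.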
