
Is APFS encryption turned on using FileVault?

Apple support document HT208018 says that current FileVault volumes will be converted to APFS automatically when upgrading to High Sierra.


1. FileVault on HFS+ volumes won't be converted automatically, only FV on SSD. yes/no?

2. When I upgraded to High Sierra on an approved MBP with SSD it didn't give me any options, it just converted it to APFS (unencrypted). I had already turned FileVault off.

3. How do I get my MBP to run APFS-encrypted without using the command line?

4. If I turn FileVault on, will it simply turn APFS-encryption on or will it use the old style FileVault?


This information needs to be presented somewhere and System Preferences/Security & Privacy/FileVault needs to be updated as well, either to document it's only for HFS+ volumes or to have the ability to configure APFS volumes as well.


A secondary issue is with Disk Utility. It says it can partition a disk as APFS-encrypted but it doesn't say early enough whether I can encrypt the main, internal boot drive when booted off an external drive.

iMac, macOS High Sierra (10.13)

Posted on Sep 26, 2017 9:20 AM

11 replies

Sep 26, 2017 12:49 PM in response to John Galt

My first Mac at work was purchased in 1988. I spent a long time dealing with secure configurations and encrypted laptops were a requirement (at least at one time). Apple has used APFS' encryption as a sales point, probably for government and enterprise users. I don't see any of this as being a heavy hand, I see it as leaving out important documentation on how to use it. Apple appears to have converted FileVault to APFS-encrypted. That's great but how do I easily encrypt a non-encrypted APFS volume? I can do it without destroying my data by using the command line but there has to be an easier process that allows users and sys admins the ability to set up systems without having to resort to specialized command lines, especially when the command line requires the use of a user's UUID and password. I don't know if Apple looks through these discussions but hopefully they will.


This is how I encrypted an external SSD. I didn't try and figure out what my normal user's UUID was.

    $ diskutil apfs encryptVolume disk3s1 -user disk
    Passphrase for the new "Disk" user (C24FB2EA-174D-4C66-A715-967EEB14972E):
    Repeat passphrase:
    Starting background encryption of the new "Disk" user on disk3s1
    The new "Disk" user will be the only one who has initial access to disk3s1
    The new APFS crypto user UUID will be C24FB2EA-174D-4C66-A715-967EEB14972E
    Background encryption is ongoing; see "diskutil apfs list" to see progress



This is also how the Get Info results look for that drive. It specifically states it's APFS (Encrypted). Does yours look the same?


User uploaded file

Oct 15, 2017 8:50 PM in response to prl99

I apologize for not providing proper documentation to back up my response since I’m currently on my phone while installing High Sierra on my laptop, but I do know that the way encryption used to work on HFS+ is not only not used on APFS, it can’t be used on APFS.


You may have heard of CoreStorage (CS) before. It was the layer Apple put on top of HFS+ to enable FileVault 2 with (quick) full disk encryption, as well as Fusion drives. As far as I understand, most (if not all) of the functionality of CS was baked straight in to APFS, and as such cannot be used with APFS at all, so turning on FV in the system preferences really just turns on the encryption built in to APFS. The old system for encryption (CS on top of HFS+) doesn’t work on APFS, so you don’t have to worry about getting a separate ‘version’ of encryption from FV as you would Disk Utility.

Sep 26, 2017 1:59 PM in response to prl99

prl99 wrote:

> Does yours look the same?

Yes.

> Apple appears to have converted FileVault to APFS-encrypted. That's great but how do I easily encrypt a non-encrypted APFS volume?


Use FileVault. It works as it always has. There is no need to use the command line, since it does nothing that System Preferences > Security & Privacy doesn't do. FV encryption and de-encryption has always been nondestructive.


Perhaps the following is relevant to your concerns, though I suspect I don't fully understand what they are:


Set a FileVault recovery key for Mac computers in your institution - Apple Support

Sep 26, 2017 9:37 AM in response to leroydouglas

I know that. It was referenced in the support document I mentioned but it doesn't say whether the converted APFS container is using the old HFS+ style FileVault or if the FileVault encryption has been converted to APFS-encryption within a container. HFS and APFS are totally different beasts. All I'm looking for is an easily accessible switch/setting to turn encryption on after converting my filesystem to APFS.


If you've already done this, please run "diskutil apfs list" and tell me if the new APFS containers say they're encrypted.

Oct 16, 2017 7:41 AM in response to reedvicktor80

Thank you. I took a chance and just turned on FileVault to see what it would do. As you say, it simply turns on encryption within APFS but also gives me the traditional Mac unlock when first powering on. I've used FileVault since the first version, especially at work, where we had to secure laptops when they'd be taken off-site. I am still hoping Apple will update the FileVault information for High Sierra as well as updating the FileVault system preference so it makes sense to everyone. Users should not have to guess about what it's doing. When I checked diskutil apfs list, it only lists the root mount point (disk1s1) as being encrypted, the other three mount points (Preboot, Recovery, VM) are not encrypted. I know with APFS, everything shows up as containers so I'm not sure whether the root mount point actually encrypts everything else, including the Recovery partition. With FileVault under HFS+, it was considered full-disk encryption and that's the terminology we used to justify complete protection of data on laptops for our security plans. Until Apple comes out with a macOS High Sierra security white paper, the security staff won't know how to properly word their security plans to make use of the latest OS. Good thing is I don't have to worry about that anymore.
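Added example, not part of any post in this thread: a small shell helper that turns "diskutil apfs list" text into one line per volume (disk, role, encryption state), so the per-volume check described above can be repeated on a fleet. The stanza layout and the "FileVault:" / "Encrypted:" field labels are assumptions about the command's output, and the embedded sample is constructed to mirror the poster's description.

```shell
#!/bin/sh
# Added example. Assumption: each volume stanza carries an
# "APFS Volume Disk (Role):" line, followed later by a "FileVault:" or
# "Encrypted:" line (the label is assumed to vary between macOS releases).

apfs_encryption_report() {
    # stdin: diskutil-style text; stdout: "<disk> <role> <state>" per volume
    awk '
        /APFS Volume Disk \(Role\):/ {
            line = $0; sub(/.*\(Role\):[ \t]*/, "", line)
            disk = line; sub(/[ \t].*/, "", disk)
            role = line; sub(/^[^(]*\(/, "", role); sub(/\).*/, "", role)
            gsub(/ /, "_", role)
        }
        /^[| \t]*(FileVault|Encrypted):/ && disk != "" {
            state = $0; sub(/^[| \t]*(FileVault|Encrypted):[ \t]*/, "", state)
            print disk, role, (state ~ /^Yes/ ? "encrypted" : "NOT-encrypted")
            disk = ""
        }
    '
}

unencrypted_volumes() {
    # stdin: diskutil-style text; stdout: disks reported as not encrypted
    apfs_encryption_report | awk '$3 == "NOT-encrypted" { print $1 }'
}

# Constructed sample (UUIDs are placeholders), used when diskutil is absent.
sample_apfs_list() {
    cat <<'EOF'
+-> Volume disk1s1 00000000-0000-0000-0000-000000000001
|   APFS Volume Disk (Role):   disk1s1 (No specific role)
|   Mount Point:               /
|   FileVault:                 Yes (Unlocked)
+-> Volume disk1s2 00000000-0000-0000-0000-000000000002
|   APFS Volume Disk (Role):   disk1s2 (Preboot)
|   FileVault:                 No
+-> Volume disk1s3 00000000-0000-0000-0000-000000000003
|   APFS Volume Disk (Role):   disk1s3 (Recovery)
|   FileVault:                 No
+-> Volume disk1s4 00000000-0000-0000-0000-000000000004
|   APFS Volume Disk (Role):   disk1s4 (VM)
|   FileVault:                 No
EOF
}

# Use the real command on a Mac, otherwise the constructed sample.
if command -v diskutil >/dev/null 2>&1; then diskutil apfs list
else sample_apfs_list; fi | apfs_encryption_report
```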
