APFS vs. File Vault

What I get from reading the Apple and Ars docs is that "FileVault" refers to one method in Sierra, and a totally different method in High Sierra, and each OS uses only its native method.

FV in Sierra involved, as a previous poster mentioned, full disk encryption at the OS level, layered on top of HFS+.

FV is now being used as the name (for continuity without confusion hahahaha) for the APFS native encryption, which is for the record not true full-disk encryption but rather an on-the-fly encryption of files AND filesystem metadata, only as they hit the disk, and not the entire volume. This saves some processing.

The point is, the user simply interacts with "FileVault" in the control panel, turns it on or off, and never has to know that the function is different between Sierra (filesystem encryption over HFS+) and High Sierra (file encryption embedded in the APFS filesystem along with the other cool improvements).

So, short answer "No, there is no redundancy between FileVault as presented in the High Sierra Control Panel and the HS native APFS encryption that you know exists but don't seem to be able to directly manipulate. Same hunk of cheese.
To the poster who clued me in to "diskutil apfs list", thanks much, I am slogging through a FV enable on HS that has completed 26% in one hour on a 500GB Macbook SSD.

Hello pkm881,

APFS and FileVault are not redundant. FileVault is nothing more than an encrypted boot volume + a little extra magic to boot from said encrypted volume. Whether you are using HFS+ or APFS doesn't matter, as long as the volume is encrypted. What truly makes it "FileVault" is that little extra magic that allows the system to boot.

APFS really doesn't have anything to do with it. It is just that APFS is a new filesystem and not all of the bugs are worked out yet. As far as FileVault and encryption goes, those bugs do seem to be worked out. If you had a Fusion drive setup, then things aren't quite done and you would still be running HFS+, regardless of FileVault.

APFS (Encrypted) is just encrypted APFS.

If your format your boot drive as APFS (Encrypted), and add a little firmware fairy dust, you can refer to it as FileVault.

Here is a helpful trick. The next time you want to use FileVault on a new machine or a new drive, use the following procedure:

1) Boot the machine from the recovery volume or some other boot volume

2) Erase the boot drive and format as "APFS (Encrypted)"

3) Install macOS

There is no 4th step. There are a couple of caveats:

1) This procedure will not securely erase any unencrypted content that was on the disk before you erased and reformatted it. This is not a problem on a new machine or a new drive since there will be nothing sensitive on it to encrypt. Even if you did have unencrypted content on the drive before, it would be extremely difficult to recover. I think it is plenty safe for anyone that doesn't work for a "three letter agency" or similar.

2) If you are setting up a new machine, any new accounts you add will be automatically setup to unlock the machine. If you migrate any accounts from Time Machine or another machine, you may have to go to System Preferences > Security > FileVault and add those local accounts to FileVault.

To reiterate, FileVault is just an encrypted boot volume + some firmware fairy dust. Apple does a good job of fairy dust management.

pkm881 wrote:

The question is now: Why should I leave File Vault (I use SSD) on? It may slow the machine and is redundant according to the answer. There's no plus on security, if it's redundant.

FileVault does not slow the machine. Why continue to use it? Bear in mind its first implementation didn't last long, since it had a glaring flaw that nullified its intended purpose.

There are two separate concerns at hand: security and encryption, and they are not interchangeable concepts. That's the reason a longer answer was required. FileVault's most attractive feature is that it makes a FV encrypted volume completely useless without its password. No one can do a thing with it until it's unlocked with its password. It is not readable by any platform. You can't even mount it. You can only erase it.

Do similar encryption security flaws exist in APFS? No one knows yet. Perhaps one day it will be superseded by APFS+ 😁

If these subjects interest you, then you should continue to use FV, as I have.

Edit to add: etresoft's response to leroydouglas's question is a good example. No FV needed. That's why it might be redundant for your needs, but might not be redundant in all cases.

Are there two encrypted layers now?

No

It's not a silly question at all. The answer is that FileVault will continue to work as it always has. There will be no difference to the way you use your Mac.

Hi

Upgrade form macOS Sierra to macOS High Sierra.

1. upgrade worked fine

2. upgrade asked me to modify my user password, it cannot be the iCloud one that I have been using for three yeas

3. after upgrade I must to insert two login, the local with the new password, the previous with the old

4. apparently this was related to FileVault

5. I disabled FileVault (18 h)

6. now I have to insert 1 login that is equal to the iCloud one

7. I had to reinsert a lot of password I had saved... uhm grr.. (solved, reinserted)

8. I had to restore the Apple Development certificates... uhm grr... (solved, recreated)

9. I updated a few app

10. Time Machine works fine

Now it works.

macOS 10.13 High Sierra: The Ars Technica review | Ars Technica

etresoft wrote:

Hello pkm881,

APFS and FileVault are not redundant.

Can you speak to APFS_encrypted and Filevault ?