
APFS vs. File Vault

It may sound like a silly question: How do APFS and File Vault interact with each other?

I upgraded to High Sierra yesterday and I do have File Vault on.


APFS is now encrypted and File Vault is working. Are there two encrypted layers now?


Thanks

MacBook Pro with Retina display, iOS 10.1.1

Posted on Sep 27, 2017 1:30 AM

18 replies

Sep 28, 2017 3:43 AM in response to John Galt

Thanks.


There's one thing I don't understand: There is just one "security layer"? What is File Vault good for in that case? I thought APFS is an encrypted volume (first layer) and File Vault is the second layer.

Does "APFS encrypted" mean that File Vault is enabled?


To put it in other words: I could encrypt an external hard drive with APFS. What is the sense of File Vault? It is encrypted and according to Barney-15E there is just one layer. There's no sense for File Vault in that case.


What does File Vault do for me, that an encrypted APFS Volume is not doing for me? Is it the same thing and just 2 words?


Regards,

Sep 28, 2017 7:36 AM in response to pkm881

I'll take the John Roberts-inspired liberty of rewriting your question, and then answering that rewritten question 😝 You want to know if using both APFS and FileVault is redundant, and the short answer is yes.


The longer answer is as follows: Apple wants macOS upgrades to be as hassle-free as possible so that their users are enjoying the device security they're accustomed to with their iOS devices and that they have come to expect given Apple's many public pronouncements on that subject. That means if their customers have been using FV, Apple doesn't want them to scream and howl some aspect of security has been diminished if they were to suddenly take FV away, replace it with APFS, and say "don't worry about it, we got this". Apple's decision is complicated by the continued prevalence of traditional hard disk drives, and at present APFS is not being deployed to those systems. It's also complicated by the fact institutional FV deployments are common, and require administrator control and recovery from user ineptitude. If there is anything resistant to change, it's corporate IT departments.


It's not reasonable to expect the vast majority of Mac users to know or even care if they're using hard disks or flash memory or some combination of the two. That's the whole point of APFS. They shouldn't know or care how their information is stored. They shouldn't even care what a "file" is or where it resides. They just want their stuff to work, and their information to be secure. Those are reasonable and achievable goals.


I can see Apple taking one of two courses: either they will eventually implement APFS for those devices, or they will let hard disk drives wither on the vine to suffer the demise they so richly deserve. I don't know which will happen first, but they are certain to happen. Either way, if you're using FV for internal / external / Time Machine, you can continue to use it without interruption to your current workflow. Same goes for APFS. If your Mac can use it, it will (and you can't refuse). If your external devices can use it, you can.


I suppose most people don't know, others won't care, and that's the idea.


If you want a broad overview of what Apple does, look at iOS. Where iOS goes, macOS is sure to follow. FileVault doesn't exist for iOS. Draw your own conclusions.

Sep 28, 2017 8:04 AM in response to John Galt

Thank you, John, I appreciate both answers!!


Don't get me wrong, but there's a follow-up question. APFS and File Vault are redundant? I have my APFS encrypted *and* use FV.


The question is now: Why should I leave File Vault (I use SSD) on? It may slow the machine and is redundant according to the answer. There's no plus on security, if it's redundant.


Regards,

Sep 28, 2017 8:40 AM in response to pkm881

Hello pkm881,

APFS and FileVault are not redundant. FileVault is nothing more than an encrypted boot volume + a little extra magic to boot from said encrypted volume. Whether you are using HFS+ or APFS doesn't matter, as long as the volume is encrypted. What truly makes it "FileVault" is that little extra magic that allows the system to boot.


APFS really doesn't have anything to do with it. It is just that APFS is a new filesystem and not all of the bugs are worked out yet. As far as FileVault and encryption goes, those bugs do seem to be worked out. If you had a Fusion drive setup, then things aren't quite done and you would still be running HFS+, regardless of FileVault.

Sep 28, 2017 8:57 AM in response to leroydouglas

After reading it three times. Did I get it: FV is the encryption for APFS? Enabling FV means to enable encryption. Disabling FV would mean to disable my encryption completely (= no FV encryption, which is redundant to APFS encryption, my drive would be completely unencrypted).


I'm still not sure whether that's the case.


One could read the article the other way round.


Still seems like 2 different layers: "Format a volume from Disk Utility, and you’ll be asked to set a password to encrypt it. Set up FileVault in system preferences, and you’re still given a key..."


Why should 1 layer of security ask for 2 steps?


Btw: I know how it worked in Sierra. I'm just trying to figure out what's new. Maybe there is nothing new...


Regards,

Sep 28, 2017 11:14 AM in response to leroydouglas

APFS (Encrypted) is just encrypted APFS.


If you format your boot drive as APFS (Encrypted), and add a little firmware fairy dust, you can refer to it as FileVault.


Here is a helpful trick. The next time you want to use FileVault on a new machine or a new drive, use the following procedure:

1) Boot the machine from the recovery volume or some other boot volume

2) Erase the boot drive and format as "APFS (Encrypted)"

3) Install macOS


There is no 4th step. There are a couple of caveats:

1) This procedure will not securely erase any unencrypted content that was on the disk before you erased and reformatted it. This is not a problem on a new machine or a new drive since there will be nothing sensitive on it to encrypt. Even if you did have unencrypted content on the drive before, it would be extremely difficult to recover. I think it is plenty safe for anyone that doesn't work for a "three letter agency" or similar.

2) If you are setting up a new machine, any new accounts you add will be automatically set up to unlock the machine. If you migrate any accounts from Time Machine or another machine, you may have to go to System Preferences > Security > FileVault and add those local accounts to FileVault.


To reiterate, FileVault is just an encrypted boot volume + some firmware fairy dust. Apple does a good job of fairy dust management.

Sep 28, 2017 11:41 AM in response to pkm881

pkm881 wrote:


The question is now: Why should I leave File Vault (I use SSD) on? It may slow the machine and is redundant according to the answer. There's no plus on security, if it's redundant.


FileVault does not slow the machine. Why continue to use it? Bear in mind its first implementation didn't last long, since it had a glaring flaw that nullified its intended purpose.


There are two separate concerns at hand: security and encryption, and they are not interchangeable concepts. That's the reason a longer answer was required. FileVault's most attractive feature is that it makes a FV encrypted volume completely useless without its password. No one can do a thing with it until it's unlocked with its password. It is not readable by any platform. You can't even mount it. You can only erase it.


Do similar encryption security flaws exist in APFS? No one knows yet. Perhaps one day it will be superseded by APFS+ 😁


If these subjects interest you, then you should continue to use FV, as I have.


Edit to add: etresoft's response to leroydouglas's question is a good example. No FV needed. That's why it might be redundant for your needs, but might not be redundant in all cases.

Oct 3, 2017 2:33 AM in response to pkm881

Hi


Upgrade from macOS Sierra to macOS High Sierra.


1. upgrade worked fine

2. upgrade asked me to modify my user password, it cannot be the iCloud one that I have been using for three years

3. after upgrade I had to insert two logins, the local one with the new password, the previous one with the old

4. apparently this was related to FileVault

5. I disabled FileVault (18 h)

6. now I have to insert 1 login that is equal to the iCloud one

7. I had to reinsert a lot of passwords I had saved... uhm grr.. (solved, reinserted)

8. I had to restore the Apple Development certificates... uhm grr... (solved, recreated)

9. I updated a few apps

10. Time Machine works fine


Now it works.

Oct 5, 2017 8:03 PM in response to pkm881

What I get from reading the Apple and Ars docs is that "FileVault" refers to one method in Sierra, and a totally different method in High Sierra, and each OS uses only its native method.

FV in Sierra involved, as a previous poster mentioned, full disk encryption at the OS level, layered on top of HFS+.

FV is now being used as the name (for continuity without confusion hahahaha) for the APFS native encryption, which is for the record not true full-disk encryption but rather an on-the-fly encryption of files AND filesystem metadata, only as they hit the disk, and not the entire volume. This saves some processing.

The point is, the user simply interacts with "FileVault" in the control panel, turns it on or off, and never has to know that the function is different between Sierra (filesystem encryption over HFS+) and High Sierra (file encryption embedded in the APFS filesystem along with the other cool improvements).

So, short answer: "No, there is no redundancy between FileVault as presented in the High Sierra Control Panel and the HS native APFS encryption that you know exists but don't seem to be able to directly manipulate." Same hunk of cheese.

To the poster who clued me in to "diskutil apfs list", thanks much, I am slogging through a FV enable on HS that has completed 26% in one hour on a 500GB Macbook SSD.
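A defender-side check for the state this thread keeps circling back to (is FileVault on, is the encryption pass M.Daguerre mentions still running, and was a migrated account actually added to FileVault as etresoft's second caveat warns), written as an added example that is not from the thread. It assumes macOS's fdesetup(8) and the output wording shown in the constructed samples; off macOS the parsers run on those samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit FileVault state after an upgrade.
# Assumes macOS fdesetup(8); `fdesetup list` needs root. Off macOS the parsers
# below run on the constructed samples.

# Constructed sample modelled on `fdesetup status` output (assumption)
SAMPLE_STATUS="FileVault is On.
Encryption in progress: Percent completed = 26."

# Constructed sample modelled on `fdesetup list` (assumption): user,UUID lines
SAMPLE_LIST="alice,11111111-2222-3333-4444-555555555555
bob,66666666-7777-8888-9999-000000000000"

# fv_state: status text on stdin -> prints On, Off or Unknown
fv_state() {
  text=$(cat)
  case "$text" in
    *"FileVault is On"*)  echo On ;;
    *"FileVault is Off"*) echo Off ;;
    *)                    echo Unknown ;;
  esac
}

# fv_progress: status text on stdin -> percent encrypted (100 when no pass is running)
fv_progress() {
  pct=$(sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p')
  echo "${pct:-100}"
}

# fv_user_enabled USER: succeeds if USER is an unlock-enabled account in list text on stdin
fv_user_enabled() {
  grep -q "^$1,"
}

# fv_audit USER: use the real tools when present, otherwise the samples;
# prints FV state, encryption progress and whether USER can unlock the boot volume
fv_audit() {
  if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status 2>/dev/null); list=$(fdesetup list 2>/dev/null)
  else
    status=$SAMPLE_STATUS; list=$SAMPLE_LIST
  fi
  state=$(printf '%s\n' "$status" | fv_state)
  pct=$(printf '%s\n' "$status" | fv_progress)
  if printf '%s\n' "$list" | fv_user_enabled "$1"; then u=enabled; else u=NOT-enabled; fi
  echo "FileVault=$state progress=${pct}% user $1 $u"
}

fv_audit alice   # with the samples: FileVault=On progress=26% user alice enabled
```

A migrated account that prints NOT-enabled is exactly the case etresoft describes: the volume is encrypted, but that user cannot unlock it at boot until added in the FileVault preference pane.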

Oct 6, 2017 6:55 AM in response to M.Daguerre

Hello <user whose profile name will be changed after I report it>,

First of all, Apple has been heavily pushing High Sierra and using the APFS file system as part of that. That is a lot of marketing. Most of it simply doesn't exist. Many of the APFS features that Apple touts are merely "future capabilities" that would never have been possible with the old file system, HFS+. This leads to a lot of confusion because then everyone wants to know the details, but there will never be any details forthcoming. Apple doesn't do details. Those marketing materials are all you will ever see. It would be great if Apple started getting back to publishing in-depth tech notes like they did years ago, but I just don't see that happening.


The really bad part about all of this is that other people are rushing to fill the information gap - with misinformation. I'm glad you mentioned that Ars doc. Now I see why people are getting confused. Ars Technica is flat-out wrong about APFS and encryption.


FileVault is a system that allows you to boot macOS from an encrypted volume. That's it. All it does is allow you to boot by entering your account password. The specific types of underlying filesystem or encryption used are irrelevant. APFS provides lots of options for fancy new filesystem operations, including encryption operations. But the specific type of encryption used for FileVault on APFS is full-disk encryption.
