
FileVault and partitions

My SSD internal has two partitions (they are both formatted APFS Encrypted). One for the OS and the other one for Data. Does FileVault 2 encrypt both partitions or only the partition with the OS? If it does not encrypt the Data partition, is there any way to tell FileVault2 to encrypt both the OS partition and the Data partition?

My OS is 10.13.3 on a MacBookPro Mid 2015. Thanks for any help.

MacBook Pro, macOS High Sierra (10.13.2)

Posted on Mar 27, 2018 8:00 PM

Question marked as Best reply

Posted on Mar 28, 2018 5:00 PM

Hello,


You can encrypt APFS volumes (and partitions that are formatted as Mac OS Extended (Journaled)) by mounting the volume or partition, then going to the Finder. Right-click (or hold down Control as you click) on the volume or partition, then choose Encrypt. You'll be prompted to create a password that will be used to encrypt the volume or partition. Be warned that once you start the encryption (or decryption) process, it cannot be stopped.


About APFS:


When you format a partition as APFS, what happens is that the newly-formatted partition is transformed into an APFS container with a single APFS volume inside. An APFS container, like a partition, is rigid in size; it cannot automatically resize itself as it needs. However, the APFS volumes inside the container can resize themselves as they need. The total amount of space consumed by the volumes in an APFS container cannot exceed the size of the container itself. Most MacBooks are formatted as a single APFS container (partition) that takes up the entire space of the SSD. Inside this container, macOS High Sierra creates four volumes that it uses:


Preboot: Used to store FileVault unlock information and login windows for all startup disks in the container.

Macintosh HD: Your startup disk. This volume may be named differently.

Recovery: Contains Recovery Mode for all startup disks in the container.

VM: Used to store sleep image files.


When you created a second area on your SSD for your sensitive data, there are two ways you could have done this. You could have created a new APFS volume that would be added to your currently existing container, or you could have literally partitioned your SSD so that two APFS containers exist: one with your startup disk in it and one containing the volume with sensitive files in it. I recommend simply creating a new APFS volume within the already-existing container, since APFS encryption applies to individual volumes and not to entire containers. (Even if you create a new APFS container and format it as Encrypted, that will only apply to the first volume in the container.) In addition, the sensitive data volume could grow and shrink as it needs along with your startup volume, allowing (almost) the entire space of your SSD to be available to either volume.


Hope this helps!
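One way to verify the point made in this answer (encryption is per APFS volume, and only the startup volume is covered by FileVault), as an added example that is not part of the thread: a POSIX shell script that parses `diskutil apfs list` output and flags every volume that does not report encryption. The embedded SAMPLE is constructed to approximate High Sierra's output format, and the `FileVault:` field name is an assumption (adjust the pattern if your release prints `Encrypted:`).

```shell
#!/bin/sh
# Added example, not code from the thread. SAMPLE is a constructed approximation
# of `diskutil apfs list` output on High Sierra: two containers, three volumes.
# On a real Mac, pipe live output instead:  diskutil apfs list | audit_apfs_volumes
SAMPLE='APFS Container (2 found)
+-- Container disk1 00000000-0000-0000-0000-000000000001
    APFS Container Reference:     disk1
    +-> Volume disk1s1 00000000-0000-0000-0000-000000000011
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   FileVault:                 Yes (Unlocked)
    +-> Volume disk1s2 00000000-0000-0000-0000-000000000012
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
+-- Container disk2 00000000-0000-0000-0000-000000000002
    APFS Container Reference:     disk2
    +-> Volume disk2s1 00000000-0000-0000-0000-000000000021
    |   Name:                      Data (Case-insensitive)
    |   Mount Point:               /Volumes/Data
    |   FileVault:                 No'

# Reads diskutil text on stdin and prints one tab-separated line per volume:
#   <container> <volume> <name> <encrypted|NOT-encrypted>
# The container is remembered so each volume is attributed to the container
# it lives in, which is the distinction the answer above draws.
audit_apfs_volumes() {
  awk '
    /^\+-- Container / { container = $3 }
    /\+-> Volume /     { split($0, f, "Volume "); split(f[2], g, " "); vol = g[1] }
    /Name:/            { sub(/.*Name: +/, ""); sub(/ \(Case-.*/, ""); name = $0 }
    /FileVault:/       { status = ($0 ~ /FileVault: +Yes/) ? "encrypted" : "NOT-encrypted"
                         printf "%s\t%s\t%s\t%s\n", container, vol, name, status }
  '
}

# Exit status 0 only when every volume in the listing reports encryption.
all_encrypted() {
  ! audit_apfs_volumes | grep -q "NOT-encrypted"
}

printf '%s\n' "$SAMPLE" | audit_apfs_volumes
```

With the sample above, the Data volume in the second container shows as NOT-encrypted, which is exactly the situation the original poster describes.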


5 replies

Mar 28, 2018 4:52 AM in response to mancinrob22

FileVault is just a little magic that allows you to decrypt and log into an encrypted volume. If you encrypt both containers prior to enabling FileVault, all that will happen is that FileVault will enable login on decrypt. It won't change anything about the encryption.


FileVault is "whole-disk" encryption. I don't think it encrypts by partition, but I couldn't find any wording in the Apple articles I found to confirm that.

Mar 28, 2018 5:17 AM in response to mancinrob22

Hello mancinrob22,

If you have already encrypted both partitions, then there is nothing else you need to do. FileVault is just a means to unlock your boot disk so you can start up, and to do so with your login password so that you don't have to enter two different passwords to log in after booting.


Having the data partition encrypted can be a little tricky. This does not use FileVault. Your data partition will not be available until after you login and your Keychain is available to automatically unlock the disk. You can't redirect any system files, using symbolic links, to the data volume. This includes user home directories. They must always stay on the boot disk. But inside your home directory, you could have symbolic links to the data volume.

Mar 28, 2018 2:04 PM in response to mancinrob22

Thank you for all the suggestions. Let me further clarify...

After receiving your replies, I specifically checked the "Encryption" part of the APFS Encrypted spec. I assume this was chosen automatically by High Sierra when it mounted on my internal SSD in the First partition (I don't remember choosing "Encrypted"). However, even though the Second partition (the Data partition) is formatted as APFS, it does not say it is encrypted. To further prove this, I tested a different setup. My internal SSD actually has three partitions. I did not mention this before because I did not want to complicate the diagnosis. The third partition also has macOS High Sierra, but nothing else. This partition is also formatted as APFS, but not encrypted. I restarted the MBP using this Third partition and it opened, as usual, asking for the password "after" macOS was mounted, not before as FileVault 2 does. The second partition, the Data partition, was already mounted on the desktop when it appeared. It did ask me for a password to open the First partition, which contained macOS High Sierra and all of the programs and accounts that I usually use and was the StartUp Disk partition when I chose to turn on FileVault 2. From this test, I understood that the First partition was indeed protected by FileVault 2, but neither of the other two partitions was protected. So, the obvious question would be: is there a way to have FileVault 2 encrypt and protect my Second (Data) partition? Or should I reformat the Second partition to APFS Encrypted?

On that same line of thought, the reason for choosing FileVault 2 was to protect the internal SSD from prying eyes no matter whether the SSD was removed from the MBP and installed somewhere else. If they do not have the password, they would not be able to open the drive. The question would then be: by formatting a drive as APFS Encrypted, do I protect the partition(s) from any kind of intrusion both while mounted in my MBP and outside it, or are the partition(s) simply protected by the MBP password when installed inside the MBP, but when removed from it and installed in another location they would open? I hope I was able to explain myself.


Thank you very much, again, for your thoughts and help.
