Still not sure about APFS (encrypted) vs File Vault

From reading several articles and posts on this subject for myself, there is still a large lack of clarity on this.

However, 'APFS (encrypted)' format will actually encrypt the files on your drive to a certain extent, which will afford that encryption regardless of if you turn FileVault on or off.

On the flip side, if you choose to format the drive without encryption as 'APFS' and at some point turn FileVault off your actual filesystem may become more vulnerable. From how it is explained in a few places, FileVault does not actually encrypt any files but merely adds and encryption layer on top of or in front of your filesystem acting as a barrier. APFS encryption happens within the filesystem to the actual files, as opposed to a separate layer guarding those files.

The description from the MacWorld article below was the clearest explanation I found, which mirrors the bits and pieces that other articles explained.

I hope this helps!

"Apple says encryption is built into APFS. Can I turn FileVault off?

No. Apple tries to simplify security explanations, and I fear the way it has marketed APFS may confuse people, since a few readers have already asked this. With HFS+, the long-running previous format, encryption was applied as a layer external to the format. This required more intermediation between the operating system and the underlying files when FileVault was enabled.

With APFS, encryption is an inherent property that can be turned on and negotiated at the filesystem level. That should make it less likely that things could go wrong, and should be more efficient. As a FileVault user, don’t disable the feature, but you shouldn’t notice any differences in everyday use."

https://www.macworld.com/article/3230498/storage/apple-file-system-apfs-faq.html

I have my APFS volume encrypted using Filevault. It is a background process and best left overnight so that other processes do not stop it running. I tried erasing the disk and encrypting during the reformatting, as you suggest, but it did not have a user keychain in which to hold the encryption key and this meant I had to enter it at each startup, prior to the normal logon. At least the slow encryption you are doing, results in an icloud keychain entry, if you have that enabled, though I think I heard there is a way to do this later, using Carbon Copy Cloner.

I don't think you need worry about FileVault v APFS encryption, as the High Sierra Disk Utility and Preferences Security settings sort this for you. Here's an article about it which might help.

https://www.macworld.com/article/3230498/storage/apple-file-system-apfs-faq.html

Hello Iain,

FileVault confuses lots of people. The reason it takes so long to encrypt your drive when you turn on FileVault is because it is also encrypting free space. As you discovered, you can just format the drive as encrypted and that is instantaneous. The only problem with this approach is that if this drive was used before you encrypted it, then it will still contain unencrypted data. It is possible, although difficult, to extract the unencrypted, deleted files. Personally, I’m not worried about someone stealing my machine and going through that kind of effort. I always use your new procedure. Plus, I now do it right away so there is no deleted data to even worry about.

However, you can still enjoy the benefits of FileVault. Just go to System Preferences > Security & Privacy > Filevault and click the button to allow your user account to unlock the disk. This feature is all there is to FileVault. The encryption is just regular encryption. You can engage FileVault no matter how you encrypted the drive.

FileVault is magic fairy dust applied on top of encryption to allow you to decrypt and login using the single username/password.

Disk encryption is essentially separate from the FileVault magic. The disk is encrypted however it is encrypted and the magic single logon/decrypt username/password is layered over the top.

If you have FileVault enabled and erase/format the drive, yes, FileVault will be disabled.

If you encrypt a startup volume (regardless of the format), then enable FileVault, the magic fairy dust will be applied to allow you to decrypt the drive and login using a single username/password.

The information on an encrypted drive, no matter how done, will not be accessible without the decryption username/password. However, if you have stored data on an unencrypted drive, and then encrypt it, there may be some data that is accessible without a password. For instance, pieces and parts of data that are on read-only parts of the disk (bad sectors that are still readable) will not be encrypted. It is always best to encrypt a drive before use.

enough I get asked for the disk password on startup and then my login password thereafter. I haven't quite got the energy to see what happens if I enable file vault as I don't mind having to use the two passwords but I hope that if I did do it that it wouldn't take the 2-3 days to enable file vault that it took encrypting an 'ordinary' APFS drive.

Nothing will be encrypted again. As I stated, the encryption is the same no matter which method you use.

Enabling FileVault will merely ask which users are allowed to decrypt the drive and allow you to set a recovery key.

Is APFS fully supported yet? – The Eclectic Light Company

Can APFS be used with Time Machine, Boot Camp, and File Vault?

There is one FileVault that works both with HFS+ and APFS. With APFS the disk is encrypted just as you can do with HFS+.

However, if I use APFS (encrypted) AND FV it would suggest that FV will put an encryption 'screen' between an intruder and my already encrypted files and that seems redundant.

No. FV just makes it possible to decrypt the hard drive and logon in one username/password entry. It doesn't add any more encryption.

Will I need two passwords to logon?

Yes. You must first decrypt the disk, then log into your account. FV combines the two processes.

5 No (unless using APFS (encrypted) will require both a decryption password and a logon password)

Only if you don't enable FileVault after encrypting with APFS. Nothing will change about the encryption.