Better to encrypt documents or encrypt a container?

Joined
Sep 21, 2022
Messages
61
Reaction score
0
Points
6
Hello,

I have a doubt, or at least I'd like to hear an opinion from other people.
I noticed that encrypting documents is very handy (pages, numbers etc), it auto-fills the password and I can also use the fingerprint and face recognition, wonderful!!!
The nasty part is that I need to migrate all from MS Office to the iWork suite, that's a long job and critical stuff would fail to migrate, due to the complexity etc, but let's focus on something else for now.

What happens if things go wrong with such method?

1. Is it not easier and less prone to issues to encrypt a single container and save the key somewhere? No password, just a key. Btw, I can't use both, password and key, at least with the tool I'm using, which is probably a good thing, amnesia happens at some point in life :D .
Plus, if things go wrong with one of my Apple devices, I can safely access that container from another safe machine (Linux etc).

2. In case of an attack, first the container is not always accessible unless unlocked (imagine my iPhone or MacBook hacked, or my iCloud account; an attacker wouldn't be able to understand which one is the container and what key to use, because it's not even on that cloud account and Spotlight on my MacBook is disabled, so no data indexed and no history preserved...)

3. I can't encrypt the rest of the data, at least not in the way I want and not with one click, definitely it wouldn't support the face recognition or fingerprint... Not even by scripting I can reach an easy and reliable method for encryption of all the iCloud portion...

So, did I see it well or is there something that I missed?
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
What is the objective of this encryption? And what Mac, what version of macOS are you using for this task?

The reason for the question is that the Apple Silicon Macs encrypt the internal drive by default, and there is no performance penalty for that encryption. So you may not have to take any action to actually have an encrypted internal drive (and all of the containers/volumes on that drive).
 

Rod


Joined
Jun 12, 2011
Messages
10,436
Reaction score
2,503
Points
113
Location
Melbourne, Australia and Ubud, Bali, Indonesia
Your Mac's Specs
2021 M1 MacBook Pro 14" macOS 14.5, Mid 2010 MacBook 13", iPhone 13 Pro Max, iPad 6, Apple Watch SE.
Jake, I've read a little about this and frankly I'm a bit confused. This from Apple Platform Security Encryption and Data Protection overview
"iOS and iPadOS devices use a file encryption methodology called Data Protection, whereas the data on an Intel-based Mac is protected with a volume encryption technology called FileVault. A Mac with Apple silicon uses a hybrid model that supports Data Protection, with two caveats: The lowest protection level (Class D) isn’t supported, and the default level (Class C) uses a volume key and acts just like the FileVault on an Intel-based Mac."

So, why is FileVault still available in System Prefs > Security & Privacy on my M1 MBP? (It's turned off on mine of course). Is Data Protection just for Macintosh HD or both Volumes?
 
Joined
Feb 1, 2011
Messages
4,903
Reaction score
2,907
Points
113
Location
Sacramento, California
Hello,

I have a doubt, or at least I'd like to hear an opinion from other people.
I noticed that encrypting documents is very handy (pages, numbers etc), it auto-fills the password and I can also use the fingerprint and face recognition, wonderful!!!
The nasty part is that I need to migrate all from MS Office to the iWork suite....

Yeah, if you are using Office, it makes no sense to migrate your work to iWork, which is likely to result in conversion errors, and also suddenly have you in a less capable app that you aren't as familiar with.

I'm in a profession where it is an absolute requirement that all of my client's files be kept encrypted. I thought about FileVault, and app encryption, and then settled on using:

Encrypto (free)
Encrypto | Encrypt your files before sending them to friends or coworkers

(Instantly encrypt and password protect your files or folders. Decrypt them with a double-click and enter the password. Not even the FBI can break this encryption. There is also a free version of this product for Windows, so encrypted files can be shared across platforms! Also works with your e-mail program.)
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
Jake, I've read a little about this and frankly I'm a bit confused. This from Apple Platform Security Encryption and Data Protection overview
"iOS and iPadOS devices use a file encryption methodology called Data Protection, whereas the data on an Intel-based Mac is protected with a volume encryption technology called FileVault. A Mac with Apple silicon uses a hybrid model that supports Data Protection, with two caveats: The lowest protection level (Class D) isn’t supported, and the default level (Class C) uses a volume key and acts just like the FileVault on an Intel-based Mac."

So, why is FileVault still available in System Prefs > Security & Privacy on my M1 MBP? (It's turned off on mine of course). Is Data Protection just for Macintosh HD or both Volumes?
With the advent of the T2 chip and Apple Silicon, FileVault changed. You can read Howard Oakley's explainer on it here:


Basically, with a T2 chip and on Apple Silicon machines, the contents of the drive are encrypted by a Volume Encryption Key (VEK) generated by the system which is, in turn, protected by a hardware key and an xART key. If the user also turns on FileVault in System Preferences, an additional key is generated called a Key Encryption Key (KEK). No further encryption is actually done, it's just that now the user has a separate encryption key that is used to decrypt the drive, and there is now a process to use a recovery key in case the user password is lost or forgotten. That's why FileVault is still in System Preferences.

One side benefit of this approach is that now, if FV is turned on, to do a secure erase of the drive, all that has to happen is the VEK and xART be erased from the Secure Enclave, leaving the drive encrypted and inaccessible. No need to overwrite the drive, which shortens its life.

For external disks, not all of that internal drive stuff is available, but you can use FV to encrypt an external drive, which will use a VEK and KEK in a manner similar to the internal drive.

If you do a search on "FileVault" at the Eclectic Light site, ( The Eclectic Light Company ) Howard has several excellent articles on the value and pitfalls of using FV, both on older Intel systems and on Apple Silicon, older OS versions and newer.
 
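The key hierarchy described in the post above (one volume key that is never stored in the clear, wrapped under a password-derived KEK and again under a recovery key, with secure erase done by destroying the keys rather than overwriting the data) also answers the original poster's "password or key, but not both" point. The following is an added, runnable model in Python of that hierarchy; it is not Apple's code, not the forum's, and not the behaviour of any specific tool. It uses the standard library only: the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, an illustrative stand-in for the AES used by real systems, and the PBKDF2 iteration count is an assumed value, not Apple's parameter.

```python
# Added example, not Apple's or the forum's code. Stdlib only: the cipher is an
# HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (a stand-in
# for AES); the PBKDF2 iteration count is an assumed value, not Apple's.
import hashlib
import hmac
import os

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32
PBKDF2_ITERATIONS = 200_000  # assumed for the example


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based keystream of `length` bytes."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # split into enc/mac subkeys
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Volume:
    """A container encrypted under one VEK, which is stored only in wrapped form."""

    def __init__(self, password):
        self.vek = os.urandom(KEY_LEN)  # volume encryption key, generated once by the system
        self.salt = os.urandom(16)
        self.wrapped = {}               # label -> VEK sealed under that KEK
        self.data = None
        self.wrapped["password"] = seal(self._kek_from_password(password), self.vek)

    def _kek_from_password(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERATIONS, KEY_LEN)

    def add_recovery_key(self):
        """A second KEK: random, wraps the same VEK, handed to the user as hex."""
        recovery_kek = os.urandom(KEY_LEN)
        self.wrapped["recovery"] = seal(recovery_kek, self.vek)
        return recovery_kek.hex()

    def write(self, plaintext):
        self.data = seal(self.vek, plaintext)

    def unlock(self, label, kek):
        """Unwrap the VEK under the given KEK, then decrypt the data."""
        if label not in self.wrapped:
            raise ValueError("no wrapped VEK for this unlock method (erased?)")
        return open_sealed(open_sealed(kek, self.wrapped[label]), self.data)

    def unlock_with_password(self, password):
        return self.unlock("password", self._kek_from_password(password))

    def unlock_with_recovery_key(self, recovery_hex):
        return self.unlock("recovery", bytes.fromhex(recovery_hex))

    def crypto_erase(self):
        """Secure erase: discard every copy of the VEK; ciphertext stays but is unrecoverable."""
        self.wrapped.clear()
        self.vek = None


def demo():
    """Unlock by password, unlock by recovery key, reject a wrong password, then erase."""
    secret = b"client files (constructed sample content)"
    vol = Volume("correct horse battery staple")
    recovery = vol.add_recovery_key()
    vol.write(secret)
    result = {
        "password_ok": vol.unlock_with_password("correct horse battery staple") == secret,
        "recovery_ok": vol.unlock_with_recovery_key(recovery) == secret,
    }
    try:
        vol.unlock_with_password("wrong password")
        result["wrong_rejected"] = False
    except ValueError:
        result["wrong_rejected"] = True
    vol.crypto_erase()
    try:
        vol.unlock_with_recovery_key(recovery)
        result["erased"] = False
    except ValueError:
        result["erased"] = True
    return result
```

Running `demo()` returns a dict with all four checks `True`. The point to take from it: the password and the recovery key are not two passwords on the data, they are two wrappings of the same VEK, so adding a second unlock method costs one small sealed blob and no re-encryption, and destroying the wrapped copies is what turns the still-present ciphertext into noise.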
OP
Joined
Sep 21, 2022
Messages
61
Reaction score
0
Points
6
What is the objective of this encryption? And what Mac, what version of macOS are you using for this task?

The reason for the question is that the Apple Silicon Macs encrypt the internal drive by default, and there is no performance penalty for that encryption. So you may not have to take any action to actually have an encrypted internal drive (and all of the containers/volumes on that drive).

The objective is to encrypt my cloud data, on top of the iCloud encryption. I left ON the option for Apple to access my data in a recovery process, which I don't know exactly what it means, but it's good to recover sensitive files that they can't decrypt, only I can do it.

Jake, I've read a little about this and frankly I'm a bit confused. This from Apple Platform Security Encryption and Data Protection overview
"iOS and iPadOS devices use a file encryption methodology called Data Protection, whereas the data on an Intel-based Mac is protected with a volume encryption technology called FileVault. A Mac with Apple silicon uses a hybrid model that supports Data Protection, with two caveats: The lowest protection level (Class D) isn’t supported, and the default level (Class C) uses a volume key and acts just like the FileVault on an Intel-based Mac."

So, why is FileVault still available in System Prefs > Security & Privacy on my M1 MBP? (It's turned off on mine of course). Is Data Protection just for Macintosh HD or both Volumes?
I'm not concerned about these technicalities, I use Full Disk Encryption, so yes, it relies on that external chip (like TPM) to store the keys, plus my master key to unlock it.
(This is not what I wanted to discuss though, thanks anyway)

Yeah, if you are using Office, it makes no sense to migrate your work to iWork, which is likely to result in conversion errors, and also suddenly have you in a less capable app that you aren't as familiar with.

I'm in a profession where it is an absolute requirement that all of my client's files be kept encrypted. I thought about FileVault, and app encryption, and then settled on using:

Encrypto (free)
Encrypto | Encrypt your files before sending them to friends or coworkers

(Instantly encrypt and password protect your files or folders. Decrypt them with a double-click and enter the password. Not even the FBI can break this encryption. There is also a free version of this product for Windows, so encrypted files can be shared across platforms! Also works with your e-mail program.)
Thanks for the tip, but it's still not my concern.
Cutting MS Office would cut 50 pounds per year of expense, not much but quite a lot in the long run.
One thing is interesting there, the auto-sync with cloud, or multiple accounts, which makes the experience on another level, like iWork.
Otherwise, it doesn't auto-save files on iCloud, which sucks.

With the advent of the T2 chip and Apple Silicon, FileVault changed. You can read Howard Oakley's explainer on it here:


Basically, with a T2 chip and on Apple Silicon machines, the contents of the drive are encrypted by a Volume Encryption Key (VEK) generated by the system which is, in turn, protected by a hardware key and an xART key. If the user also turns on FileVault in System Preferences, an additional key is generated called a Key Encryption Key (KEK). No further encryption is actually done, it's just that now the user has a separate encryption key that is used to decrypt the drive, and there is now a process to use a recovery key in case the user password is lost or forgotten. That's why FileVault is still in System Preferences.

One side benefit of this approach is that now, if FV is turned on, to do a secure erase of the drive, all that has to happen is the VEK and xART be erased from the Secure Enclave, leaving the drive encrypted and inaccessible. No need to overwrite the drive, which shortens its life.

For external disks, not all of that internal drive stuff is available, but you can use FV to encrypt an external drive, which will use a VEK and KEK in a manner similar to the internal drive.

If you do a search on "FileVault" at the Eclectic Light site, ( The Eclectic Light Company ) Howard has several excellent articles on the value and pitfalls of using FV, both on older Intel systems and on Apple Silicon, older OS versions and newer.
I'm not concerned about these technicalities, I use Full Disk Encryption, so yes, it relies on that external chip (like TPM) to store the keys, plus my master key to unlock it.
Same goes for the Keychain, the only one out there that can be considered safe.
(This is not what I wanted to discuss though, thanks anyway)
 