Better to encrypt documents or encrypt a container?
MacInWin said (post 1918750):

With the advent of the T2 chip and Apple Silicon, FileVault changed. You can read Howard Oakley's explainer on it here:

https://eclecticlight.co/2022/04/23/explainer-filevault/

Basically, with a T2 chip and on Apple Silicon machines, the contents of the drive are encrypted by a Volume Encryption Key (VEK) generated by the system, which is, in turn, protected by a hardware key and an xART key. If the user also turns on FileVault in System Preferences, an additional key is generated called a Key Encryption Key (KEK). No further encryption is actually done; it's just that now the user has a separate encryption key that is used to decrypt the drive, and there is now a process to use a recovery key in case the user password is lost or forgotten. That's why FileVault is still in System Preferences.

One side benefit of this approach is that now, if FV is turned on, to do a secure erase of the drive, all that has to happen is for the VEK and xART to be erased from the Secure Enclave, leaving the drive encrypted and inaccessible. No need to overwrite the drive, shortening its life.

For external disks, not all of that internal drive stuff is available, but you can use FV to encrypt an external drive, which will use a VEK and KEK in a manner similar to the internal drive.

If you do a search on "FileVault" at the Eclectic Light site (The Eclectic Light Company, https://eclecticlight.co/), Howard has several excellent articles on the value and pitfalls of using FV, both on older Intel systems and on Apple Silicon, older OS versions and newer.
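The key layering MacInWin describes, a random volume key sealing the data and wrapped under a hardware-held key, with FileVault adding further wrapped copies of that same key under a password-derived KEK and a recovery key instead of re-encrypting anything, so that a secure erase is just discarding the wrapped copies, is shown below as an added Go example. It is not code from the post, from Howard Oakley's article, or from Apple's implementation: it models the VEK/KEK relationship with AES-256-GCM key wrapping, uses a random 32-byte key as a stand-in for the Secure Enclave hardware key (the xART key is folded into it), derives the password KEK with a hand-written PBKDF2-HMAC-SHA256, and the names `Volume`, `NewVolume`, `EnableFileVault`, `Unlock` and `CryptoErase`, the KEK labels, the iteration count and the sample document are all this example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Volume models the layering in the post: data is sealed under a random volume
// key (VEK) that is never stored in the clear, only wrapped under KEKs.
type Volume struct {
	salt       []byte
	ciphertext []byte            // data sealed under the VEK, nonce prepended
	wrapped    map[string][]byte // KEK label -> VEK wrapped under that KEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // cannot proceed without entropy
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys in this model are always 32 bytes (AES-256)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext under key, prepending a fresh nonce to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication instead of yielding garbage.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("no usable wrapped key (erased or never created)")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// kekFromPassword is PBKDF2-HMAC-SHA256 (one 32-byte output block), hand-rolled
// so the example builds on toolchains older than Go 1.24, which added crypto/pbkdf2.
func kekFromPassword(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 100_000; i++ { // constructed iteration count
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// NewVolume seals data under a fresh VEK wrapped only under hardwareKey, a
// stand-in for the enclave-held key; FileVault is off at this point.
func NewVolume(data, hardwareKey []byte) *Volume {
	vek := randomBytes(32)
	return &Volume{
		salt:       randomBytes(16),
		ciphertext: seal(vek, data),
		wrapped:    map[string][]byte{"hardware": seal(hardwareKey, vek)},
	}
}

// EnableFileVault adds wrapped copies of the VEK under a password-derived KEK
// and under a random recovery key (returned). The data ciphertext is untouched.
func (v *Volume) EnableFileVault(hardwareKey []byte, password string) ([]byte, error) {
	vek, err := open(hardwareKey, v.wrapped["hardware"])
	if err != nil {
		return nil, err
	}
	recovery := randomBytes(32)
	v.wrapped["password"] = seal(kekFromPassword(password, v.salt), vek)
	v.wrapped["recovery"] = seal(recovery, vek)
	return recovery, nil
}

// Unlock recovers the VEK from the wrapped copy under label, then opens the data.
func (v *Volume) Unlock(label string, kek []byte) ([]byte, error) {
	vek, err := open(kek, v.wrapped[label])
	if err != nil {
		return nil, err
	}
	return open(vek, v.ciphertext)
}

// CryptoErase discards every wrapped copy of the VEK; the ciphertext stays but
// is unreadable, the secure erase the post describes, with no overwrite pass.
func (v *Volume) CryptoErase() { v.wrapped = map[string][]byte{} }

func main() {
	hw := randomBytes(32)
	vol := NewVolume([]byte("constructed sample document"), hw)
	rk, _ := vol.EnableFileVault(hw, "correct horse")
	pt, _ := vol.Unlock("recovery", rk)
	fmt.Printf("recovery key unlocks: %s\n", pt)
	vol.CryptoErase()
	_, err := vol.Unlock("recovery", rk)
	fmt.Println("unlock after crypto-erase:", err)
}
```

The two properties worth checking against the post are that `ciphertext` is byte-for-byte identical before and after `EnableFileVault` (turning FileVault on adds ways to reach the VEK, it does not re-encrypt the data), and that after `CryptoErase` the ciphertext is still present yet no key, hardware, password or recovery, can open it. A wrong password fails at the GCM tag check on the wrapped VEK, so the data ciphertext is never even touched with a bad key.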