FileVault Encryption for Mac Computers (macOS)

~~Original source:~~ ~~https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/1/web/1~~

Mac computers ~~offer~~include FileVault, a built-in encryption ~~capability,~~system tothat ~~secure~~secures all data at ~~rest.~~rest ~~FileVault uses the~~using AES-XTS ~~data~~encryption.

~~encryption~~

How algorithmIt toWorks

~~protect~~

On ~~full~~Apple ~~volumes on internal~~Silicon and ~~removable~~T2 ~~storage devices.~~Macs:

FileVault ~~on a Mac with Apple silicon is implemented using~~uses Data Protection Class C with a volume ~~key.~~key

Encryption ~~a Mac with Apple silicon and a Mac with an Apple T2 Security Chip, encrypted internal storage devices directly connected to~~leverages the Secure Enclave ~~leverage its hardware security capabilities as well as that of the~~and AES ~~engine.~~engine ~~After~~hardware

User ~~user~~credentials ~~turns~~required onat boot after enabling FileVault

Important: On older Macs (pre-T2), non-original internal storage, or external drives: Files created before enabling FileVault ~~on a Mac, their credentials are required during the boot process.~~

Note: For Mac computers (1) prior to those with a T2 chip, or (2) with internal storage that didn’t originally ship with the Mac, or (3) with attached external storage: After FileVault is turned on, all existing files and any further data written are encrypted. Data that was added and then deleted before turning on FileVault isn’aren't encrypted and may be recoverable with forensic ~~data recovery~~ tools.

Internal storageStorage withSecurity

FileVault Enabled

When FileVault ~~turned~~is on

~~Without valid login credentials or a cryptographic recovery key, the internal APFS~~on, volumes remain encrypted ~~and are protected from unauthorized access~~ even if the physical ~~storage device~~drive is ~~removed~~removed. ~~and~~Without ~~connected~~valid tocredentials ~~another~~or ~~computer.~~a Inrecovery ~~macOS 10.15, this includes both the system volume and~~key, the data ~~volume.~~is ~~Starting~~inaccessible.

Encryption covers:

macOS ~~11,~~10.15: ~~the~~Both system and data volumes

macOS 11+: Data volume (system volume is protected by ~~the~~ signed system volume ~~(SSV)~~feature)

~~feature,~~

~~but~~

Key ~~the~~Management ~~data~~Apple ~~volume~~Silicon ~~remains~~and ~~protected~~T2 byMacs ~~encryption. Internal volume encryption on~~use a ~~Mac~~hierarchical ~~with~~key ~~Apple~~system silicon as well as those with the T2 chip is implemented by constructing and managing a hierarchy of keys, and builds on the hardware encryption technologies built into the chip. This hierarchy of keys is designed to simultaneously achieve four goals:that:

~~Require~~

~~the~~

Requires ~~user’s~~user password for decryption

~~Protect~~

Protects ~~the system from a~~against brute-force ~~attack~~attacks ~~directly against storage media~~on removed ~~from~~storage

~~Mac~~

Enables ~~Provide a swift and~~instant secure ~~method for~~data wiping

~~content via deletion of necessary cryptographic material Enable users to change their~~

Allows password ~~(and in turn the cryptographic keys used to protect their files)~~changes without ~~requiring~~full reencryption

~~of the entire volume~~

~~On a Mac with Apple silicon and those with the T2 chip, all FileVault~~All key ~~handling~~operations ~~occurs~~occur inwithin the Secure ~~Enclave;~~ Enclave—encryption keys ~~are~~ never ~~directly exposed to~~reach the ~~Intel~~ CPU. ~~All~~Each APFS ~~volumes~~volume ~~are created with~~has a volume encryption key by(VEK) ~~default.~~that ~~Volume~~encrypts contents and ~~metadata~~metadata. ~~contents~~The ~~are encrypted with this volume encryption key, which~~VEK is wrapped ~~with~~by a key encryption key (KEK)., ~~The KEK~~which is protected by ~~a combination of~~both the ~~user’s~~user password and hardware ~~UID~~UID.

~~when~~

FileVault is turned on.
Disabled

~~Internal~~Even ~~storage~~without ~~with FileVault turned off~~

~~If FileVault isn’t turned on in a Mac with~~FileVault, Apple ~~silicon~~Silicon ~~or a Mac with the~~and T2 ~~chip during the initial Setup Assistant process, the volume is~~Macs still ~~encrypted~~encrypt volumes—but the ~~volume encryption key~~VEK is protected only by the hardware ~~UID~~UID. ~~in the Secure Enclave.~~

IfEnabling FileVault later is ~~turned~~instant ~~on later—a process that's immediate because the~~ (data ~~has~~ already ~~been~~encrypted) ~~encrypted—~~and adds an anti-replay mechanism ~~helps~~to prevent the old hardware-only key ~~(based on hardware UID only)~~ from being ~~used~~used.

Secure decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
Deletion

Deleting ~~FileVault volumes~~

~~When deleting~~ a ~~volume, its~~ volume ~~encryption key is securely deleted by~~triggers the Secure ~~Enclave.~~Enclave ~~This~~to ~~helps~~securely ~~prevent~~erase its VEK, preventing future ~~access~~access. ~~with this key even by the Secure Enclave. In addition,~~Additionally, all ~~volume encryption keys~~VEKs are wrapped with a media key. ~~The media key doesn’t provide additional confidentiality of data; instead, it’s designed to enable swift and secure deletion of data because without it decryption is impossible.~~

~~On a Mac with Apple silicon and a Mac with the T2 chip, the media key is guaranteed to be erased by the Secure Enclave supported technology—for example by remote MDM commands.~~ Erasing the media key in(via ~~this~~MDM ~~manner~~commands, ~~renders~~for example) makes the volume cryptographically inaccessible.

External Storage

Removable ~~storage~~drives ~~devices~~

~~Encryption of removable storage devices doesn’~~don't ~~utilize the security capabilities of the~~use Secure ~~Enclave,~~Enclave ~~and~~capabilities—they're ~~its encryption is performed in~~encrypted the same ~~manner~~way as anIntel ~~Intel-based Mac~~Macs without ~~the~~ T2 ~~chip.~~chips.