Windows PC users are used to hearing about BitLocker drive encryption and other encryption features in Windows that offer an additional level of protection for securing hard drives.
Mac users also get to enjoy built-in encryption in macOS (and since there is only one version of macOS that ships, it does not require running a “Pro” or “Ultimate” or “Enterprise” flavor to get access to the encryption features).
FileVault 2
The feature that allows for encrypting one’s internal hard drive is known as FileVault, although longtime Mac users may refer to it as FileVault 2. What’s the difference between FileVault 2 and FileVault “1” (also known as legacy FileVault)? Legacy FileVault/FileVault “1” (Snow Leopard and before) only encrypted a user’s home directory (not the entire drive) using 128-bit AES encryption. Legacy FileVault had some issues with performance, with Time Machine backups, and with some operating system upgrades and migrations, so at times one would need to disable it before performing certain actions.
FileVault 2 (Lion and later) offers full-drive encryption, better performance over legacy FileVault, and better compatibility with Time Machine backups, operating system upgrades and migrations, etc.
Setting up FileVault 2 is easy (instructions here). On legacy FileVault, a “master password” was created that allowed one to access FileVault-encrypted home directories in the event of a password being lost. With FileVault 2, a recovery key is generated instead, and it is required to access a FileVault 2-encrypted volume in the event of a password being lost. The recovery key can either be stored locally or printed, or it can be stored in iCloud, allowing Apple to assist with the recovery process if need be.
T2 Security Chip Hardware Full-Drive Encryption
Macs with T2 security chips installed already include hardware full-drive encryption out of the box, although it is still a good idea to enable FileVault 2 on the drive. On Macs with a T2 security chip, enabling FileVault 2 is nearly instantaneous because of the T2 chip. On Macs without a T2 security chip, full-drive encryption can take a while to apply to the drive.
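To confirm that FileVault 2 has finished encrypting (which matters on Macs without a T2 chip) and that a recovery key exists, the output of the macOS `fdesetup` tool can be checked as in the sketch below. This is an added example, not part of the original article; the function names are hypothetical, the sample status text is constructed, and the status wording it matches is assumed to be what `fdesetup status` prints.

```shell
#!/bin/sh
# Classify the text printed by `fdesetup status` (read from stdin).
# Prints one of: on, off, encrypting, decrypting, unknown.
# "in progress" is tested first, so a drive that is still being converted
# is never reported as fully protected.
fv_classify() {
    status=$(cat)
    case "$status" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Succeeds only when encryption is complete AND a personal recovery key exists.
# $1 = output of `fdesetup status`
# $2 = output of `fdesetup haspersonalrecoverykey` ("true" or "false")
fv_compliant() {
    state=$(printf '%s\n' "$1" | fv_classify)
    [ "$state" = "on" ] && [ "$2" = "true" ]
}

if command -v fdesetup >/dev/null 2>&1; then
    # On a Mac: query the real state (the recovery key query needs root).
    fv_status=$(fdesetup status 2>&1 || true)
    fv_key=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo unknown)
else
    # Elsewhere: constructed sample of a non-T2 Mac partway through encryption.
    fv_status='FileVault is On.
Encryption in progress: Percent completed = 37'
    fv_key=true
fi

if fv_compliant "$fv_status" "$fv_key"; then
    echo "compliant: FileVault is on and a recovery key exists"
else
    fv_state=$(printf '%s\n' "$fv_status" | fv_classify)
    echo "not compliant: state=$fv_state recovery_key=$fv_key"
fi
```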
Encrypting External Hard Drives
External hard drives and flash drives can also have encryption applied to them easily using the built-in tools in macOS (instructions available here). They need to be formatted as either APFS or HFS+ using GUID partitioning. I also recommend encrypting Time Machine backups, which is as easy as checking “encrypt backups” when creating the initial Time Machine backup.
Sharing Encrypted Files With Other Mac Users
One can also share encrypted files with other Mac users by creating an encrypted disk image using macOS (which acts as a virtual hard drive), then sharing the encrypted disk image on another hard drive or flash drive, via email, or through cloud sharing (instructions on creating encrypted disk images available here).
Third-Party Encryption Software
In the past, I also used Intego’s FileGuard for encrypting files, although the software has long been discontinued for good reason. FileGuard required the installation of Intego’s software, as well as an annual license, to use it. With the built-in encryption features in macOS, Mac users have solid choices for file encryption without the need for third-party software.
Nathan Parker