
What’s the future for your Intel Mac?

From its first announcement of Apple silicon Macs on 22 June 2020, there has been speculation as to when support of Intel models will cease. Now Apple has given exceptionally clear details of its future intentions, and we have a clearer idea of what’s coming in macOS Tahoe, we can make plans at last. This article looks at the years ahead. In each case, major events are scheduled to occur with the annual transition of macOS to the next major version, normally in September-October.

2025

Final security update for macOS 13 Ventura, ending support for:

  • iMac 18,1-3
  • MacBook 10,1
  • MacBook Pro 14,1-3.

If you’re still running Ventura on a Mac capable of Sonoma or later, now is the time to plan the upgrade.

2026

Final security update for macOS 14 Sonoma, ending support for:

  • MacBook Air 8,1-2.

First release of an Arm-only version of macOS, 27. However, that and all its updates will continue to include full support for running Intel binaries using Rosetta 2 translation. macOS 27 will be the last major version that supports Rosetta 2 fully in Virtual Machines.

2027

Final security update for macOS 15 Sequoia, ending support for:

  • iMac 19,1-2
  • iMac Pro
  • Mac mini 8,1
  • MacBook Air 9,1
  • MacBook Pro 15,1-4, 16,3.

First release of macOS 28, with full Rosetta 2 support removed. Limited Intel binary support will continue for “older unmaintained gaming titles” only. As a result, virtual machines running macOS 28 will no longer be able to run most Intel binaries.

2028

Final security update for macOS 26 Tahoe, ending support for all remaining Intel models:

  • iMac 20,1-2
  • Mac Pro 7,1
  • MacBook Pro 16,1-2, 16,4.

T2 firmware updates are almost certain to cease with the end of support for macOS 26. Major third-party vendors are likely to stop providing Universal binaries, as they too drop support for macOS 26 and Intel models. Apple may decide to remove x86 support from Xcode 29, but hasn’t yet made any statement either way.

Benefits of upgrading macOS in Intel models

Although macOS Sequoia and Tahoe have brought some new features for Intel Macs, much of Apple’s emphasis now requires Arm systems. Major reasons for upgrading your Intel Mac to the most recent version of macOS it can run include:

  • Third-party support. Major software vendors like Microsoft normally only support their products on versions of macOS still supported by Apple.
  • Safari is only updated in supported versions of macOS.
  • Bug fixes. Although new versions bring their own bugs, the chances of an existing bug being fixed in the current release of macOS are far greater than it being fixed in an older version.
  • Security vulnerabilities. Only the current version of macOS gets a full set of fixes in each round of security updates, and the older two supported versions often lag the current one.
  • Enhancements. Some new features are still provided for both platforms.
  • Compatibility. If you already use Apple silicon Macs, or intend doing so, they are more compatible when running the same version of macOS. One topical example is Tahoe’s new ASIF disk image format.
  • Quantum-secure encryption. Apple has already started to transition to cryptographic techniques designed to remain secure as and when quantum computers are used in the future to break older methods. This started with iMessage last year, and Apple has announced that macOS 26 Tahoe will support quantum-secure encryption in TLS. This is unlikely to be added retrospectively to older versions of macOS.

I hope you find that helpful in your planning, and wish you success in whatever you choose.

How keys are used in FileVault and encryption

We rely on FileVault and APFS to protect our secrets by encrypting the volumes containing our documents and data. How they do that is a mystery to many, and raises important questions such as the role our passwords play, and how recovery keys work. This article attempts to demystify them.

Naïve encryption

A simple scheme to encrypt a disk or volume might be to take the user password, somehow turn it into a key suitable for the encryption method to be used, and employ that to encrypt and decrypt the data as it’s transferred between disk storage and memory.

There are lots of weaknesses and difficulties with that. Even using a ‘robust’ user password, it’s not going to be memorable, sufficiently long or hard to crack, and there’s no scope for recovery if that password is lost or forgotten.

FileVault base encryption

In Macs with T2 or Apple silicon chips, even when FileVault is disabled, everything in the Data volume stored on their internal SSD is still encrypted, but without any user password. This is performed in the Secure Enclave, which both handles the keys and performs the encryption/decryption. That ensures the keys used never leave the Secure Enclave, so are as well-protected as possible.

Generating the key used to encrypt the volume, the Volume Encryption Key or VEK, requires two huge numbers, a hardware key unique to that Mac, and the xART key generated by the Secure Enclave as a random number. The former ties the encryption to that Mac, and the latter ensures that an intruder can’t repeat generation of the same VEK even if it does know the hardware key. When you use Erase All Content and Settings (EACAS), the VEK is securely erased, rendering the encrypted data inaccessible, and there’s no means to either recover or recreate it.

This scheme lets the Mac automatically unlock decryption, but doesn’t put that in the control of the user, who therefore needs to enable FileVault to get full protection.

FileVault full encryption

Rather than trying to incorporate a user password or other key into the VEK itself, FileVault, like many other encryption systems, encrypts the VEK using a Key Encryption Key or KEK, a process known as wrapping.

[Figure: filevaultpasswords1]

When you enter your FileVault password, that’s passed to the Secure Enclave, where it’s combined with the hardware key to generate the KEK, and that’s then used together with hardware and xART keys to decrypt or unwrap the VEK used for decryption/encryption.

This has several important benefits. As the KEK can be changed without producing a new VEK, the user password can be changed without the contents of the protected volume having to be fully decrypted and encrypted again. It’s also possible to generate multiple KEKs to support the use of recovery keys that can be used to unlock the VEK when the user’s password is lost or forgotten. Institutional keys can be created to unlock multiple KEKs and VEKs where an organisation might need access to protected storage in multiple Macs.

APFS encryption

True FileVault requires all keys to be stored in the Secure Enclave, and never released outside it. Intel Macs without T2 chips, and other protected volumes such as those on external storage, can’t use that, and in the case of removable storage need an alternative that stays on the disk. For that, APFS uses the AES Key Wrap Specification in RFC 3394, using a secret such as a password to maintain confidentiality of every key.

APFS also uses separate VEKs and KEKs, so enabling the use of multiple KEKs for a single VEK, and the potential to change a KEK without having to decrypt and re-encrypt the whole volume, as in FileVault. In APFS, VEKs and KEKs are stored in and accessed from Keybags associated with both containers and volumes. The Container Keybag contains wrapped VEKs for each encrypted volume within that container, together with the location of each encrypted volume’s keybag. The Volume Keybag contains one or more wrapped KEKs for that volume, and an optional passphrase hint. These are shown in the diagram below.

[Figure: apfsencryption1]

Apple’s documentation refers to several secrets that can be used to wrap a KEK, including a user password, an individual recovery key, an institutional recovery key, and an unspecified mechanism implemented through iCloud. Currently, for normal software encryption in APFS, only two of those appear accessible: a user password is supported in both Disk Utility and diskutil’s apfs verb, while diskutil also supports use of an institutional recovery key through its -recoverykeychain options. Individual and iCloud recovery keys only appear available when using FileVault, in this case implemented in software, either on Intel Macs without a T2 chip, or on all Macs when encrypting an external volume.

Because keybags are stored on the disk containing the encrypted volume, if the disk is connected to another Mac, when macOS tries to mount that volume, the user will be prompted to enter its password, and can then gain access to its contents. When FileVault is used to protect a Data volume on the internal SSD of a T2 or Apple silicon Mac, that volume can only be unlocked through the Secure Enclave of that Mac, and it isn’t possible to unlock it from another Mac (that’s also true when FileVault hasn’t been enabled on that volume).

Prepare your Mac for safe disposal

In the next few months, many of us will replace our Macs, and pass on our old ones to relatives, purchasers, or for recycling. This article explains how best to prepare your Mac so that you don’t unintentionally give away anything sensitive to its next owner, or lose anything in the process.

Back up and sign out

Your first steps should ensure that your Mac doesn’t take with it anything that you might miss. That means making at least one full backup, and ensuring you have stored additional copies of important documents in archives.

One store you might forget is its keychains, which could contain old passwords that you might need to recover in the future. While you’re most likely keeping current passwords in the keychain shared in iCloud, older ones might remain, particularly in your old Mac’s login keychain. That should be in its backup, but keeping another copy is wise, and will include any security certificates you might not have used recently.

Next come third-party apps and subscriptions that need to be signed out or transferred. Check carefully through the Applications folder to ensure that you haven’t forgotten any that are still valid. Among those is the need to deauthorise your old Mac for Apple media, something you should do using one of its media apps such as Music or TV, or iTunes if it’s running an older version of macOS.

If it’s an Intel Mac and its firmware password has been enabled, start it up in Recovery and disable that before going any further.

T2 and Apple silicon

If it’s an Intel Mac with a T2 chip, or an Apple silicon Mac, your task is almost complete, as all that’s required now is to Erase All Content and Settings (EACAS).

There is one important exception to this, if you added any more containers or volumes to its internal storage. They aren’t protected by FileVault and the Secure Enclave, so need to be erased separately before using EACAS. This is most secure if those extra volumes or containers were also encrypted, but as you’re about to use EACAS, that should make it well nigh impossible for anyone to piece together the remains of your extra volumes on its SSD.

Start EACAS from System Settings > General > Transfer or Reset > Erase All Content and Settings…. In older versions of macOS that still use System Preferences, open them and it’s offered as a command in the app menu there. Once that’s done, all that remains is to remove that Mac from your account in the Apple Account pane on another Mac or device.

[Figure: eacas]

EACAS handles all the signing out that’s required, and disables Find My Mac and Activation Lock for you. But most importantly it ensures that no one can access the contents of its Data volume, by destroying the encryption keys used to encrypt that volume. Without those keys, it’s practically impossible for anyone to break that encryption and recover any of the protected data.

If your old Mac is going for recycling, you might like to open it up and physically destroy its internal storage, just to be safe.

Intel Macs without T2

EACAS is only available in Macs with T2 or Apple silicon chips. If your Mac doesn’t have either of those you’ll need to perform each step manually, going through

  1. disable Find My Mac and Activation Lock
  2. sign out of iCloud
  3. sign out of iMessage
  4. reset NVRAM
  5. unpair all Bluetooth devices
  6. erase the Mac and, if you’re passing it on to someone else, install macOS
  7. remove that Mac from your account in Apple ID settings.

The biggest challenge is how to erase its storage securely. If it’s going for recycling, you can open it up and physically disrupt its storage, but when you’re passing that Mac on you obviously can’t do that.

If its internal storage is a hard disk, or Fusion Drive, the traditional solution is to perform a Secure Erase using Disk Utility. However, Apple has removed that from Sequoia, so you’ll need to create an external bootable disk with Sonoma or earlier to enable you to do that.

Secure Erase neither works nor is wise when trying to clean an internal SSD, though. The most practical solution is to turn FileVault on, leave the Mac to complete encrypting the whole of its Data volume, then start it up from an external bootable disk and erase the internal SSD from there.

.AppleSetupDone

In the past, some have recommended deleting the .AppleSetupDone file in /var/db/, which then caused the Setup Assistant to launch when that Mac was next started up, to create a new local user. For a Mac that’s going to be used by someone else, this has never been a wise move, and Apple has stopped that from working in macOS Sonoma 14.0 and later. It’s far better to use EACAS to reset that Mac, then Setup Assistant will run when it next starts up.

Checklist

  • Back up
  • Make additional copies of important documents, keychain(s)
  • Sign out from or transfer third-party apps
  • Deauthorise for Apple media
  • Disable firmware password (Intel)
  • Delete any extra containers or volumes if they’ve been created on internal storage.
  • Erase All Content and Settings (T2, Apple silicon), or manual list above
  • Remove from Apple Account
  • Physically destroy internal storage (if recycling).

Save space on the internal SSD by adding another volume

A basic Mac system consists of the Mac itself and external storage for its backups, and is by far the most popular configuration. For many folk, backing up the whole of its Data volume is wise, but that isn’t always the most economical. If the Data volume contains large items that don’t need to be backed up as often as its working folders, that can waste space. This article shows how you can make it more efficient without additional cost or hardware.

Backups and local snapshots

Most good backup utilities including Time Machine also make local snapshots of the volumes they back up. Let’s say your Data volume contains 100 GB of files that either change little or don’t need to be backed up as frequently as the rest. One proven strategy for minimising the time and storage required for backups is to add those to the exclusion list, and back them up separately, maybe only once a week. You can do that to another volume on external storage, provided you ensure there’s sufficient space for both that and your normal automatic backups.

What that doesn’t do is keep those 100 GB out of the frequent snapshots made of the Data volume. While you can exclude files and folders from backups, snapshots always include everything in that volume, without exclusions. The only way to save the space they add to snapshot size is to move them to another volume that doesn’t get snapshots made of it. But your Mac’s standard disk layout doesn’t provide any spare volume for that.

This could apply to all sorts of relatively static data that doesn’t need Time Machine’s automatic hourly backups, including Virtual Machines and some large media libraries, although you won’t then be able to share these in iCloud Drive, which would require them to be in your Data volume.

Boot disk layout

Standard layout of the internal SSD of an Apple silicon Mac running Sequoia or earlier is shown below.

[Figure: BootDiskStructureMSeq]

Intel Macs have the same Apple APFS container with the Boot Volume Group in it, but the other two containers are replaced by a single small EFI partition.

Adding another partition or container is possible, but not recommended as it has a fixed size, and lacks the flexibility of a volume. It also risks disturbing the three existing partitions/containers. As they’re essential for the Mac to start up successfully, you don’t want to meddle with them.

In practice, the best place to add a new volume is inside the third container, the one already holding the System and Data volumes. Add that in Disk Utility once you’ve decided the next two steps.

Limit volume size

Your new volume is going to share space in its container with all the existing volumes, including both System and Data. It’s usually wise to impose a maximum limit on the size it can grow to, to avoid compromising any of those. When you add the new volume, put a sensible limit on its Quota Size.

Encryption

Although Apple’s documentation isn’t explicit, volumes added to the boot container aren’t protected by FileVault, unlike the Data volume. If you want your extra volume to be encrypted, you’ll have to format it in APFS (Encrypted). Whether that’s accelerated by the hardware in the Secure Enclave isn’t clear, and on Apple silicon Macs it’s hard to tell the difference, as you should get similar full speed performance from your extra volume to that of the Data volume.

Setting it up

Open Disk Utility, ensure its View options are set to Show All Devices, then select the Container holding the boot volumes. Click the + tool to add the new volume.

Give the volume a name, then click on the Size Options… button.

Enter your chosen Quota Size, as the maximum you want to allow the extra volume to use on the boot SSD, and click OK.

Then select whether you want it formatted in plain APFS, or encrypted, and click the Add button.

If you’ve opted for APFS (Encrypted) you’ll then be prompted to enter the encryption password. Unlike FileVault, there’s no option for a Recovery Key, or for iCloud Recovery.

When you first unlock the extra volume, you’ll be given the option to save its password to your keychain. That confirms this isn’t being performed by FileVault, as that protects its encryption keys in the Secure Enclave.

There are a couple of quirks:

  • If you try unmounting the extra volume using the Finder’s contextual menu, macOS might try to unmount all volumes on the boot disk, and warn you that it can’t. Simply cancel those warnings, and the extra volume should unmount fine. If you’re worried by this, unmount the volume in Disk Utility, which isn’t as silly.
  • You can use the Finder contextual menu to encrypt or decrypt the volume if you change your mind.

Summary

  • To save space in local snapshots made for backups of your Data volume, move bulky items that you back up separately to an extra volume alongside the Data volume.
  • Set a Quota Size on the extra volume to limit the maximum space it can take.
  • Use plain APFS or APFS (Encrypted) as the extra volume can’t be protected by FileVault.
  • If you encrypt the volume, safeguard its password as there’s no recovery option if you lose it.
  • The extra volume performs as well as any other volume on the internal SSD, and is far faster than using external storage.
