Explainer: FileVault
It has been 22 years since Apple’s first version of FileVault was introduced in Mac OS X 10.3 Panther. Since then it has changed beyond all recognition, and has been transformed from a questionable option to an essential feature of Apple silicon Macs. This article explains those changes, and how enabling FileVault is now a no-brainer.
The past
FileVault 1 was very different. For a start, it didn’t attempt to encrypt whole volumes, as that still isn’t built into HFS+ and only became possible in Mac OS X 10.7 Lion, when Apple added a logical volume manager, Core Storage. So this first effort stored your Home folder in an encrypted disk image, something that also proved easy to crack.
Apple’s second attempt at FileVault proved more successful, with Core Storage handling the encryption of whole HFS+ volumes. This required encryption and decryption to be performed in software, in the days when most CPUs didn’t have instructions to accelerate that. When you first enabled FileVault, macOS had to encrypt the entire contents of the boot volume, which before Catalina included the whole of the system as well as user data. Fortunately, Apple engineered this initial encryption to run in the background while you were still using your Mac. Even so, it could take several days before it was complete and FileVault became active.
This improved with time. Intel CPUs gained instructions to accelerate encryption and decryption, storage and processors got faster, and Apple’s new file system APFS has encryption designed into it from the start. What transformed FileVault, though, was the introduction of the T2 chip in 2017.
The T2 chip was designed for FileVault, among its other accomplishments. It contains a Secure Enclave to isolate and protect encryption keys, and a hardware AES encryption/decryption engine that sits between the internal SSD controller and memory. Those ensure that the contents of the internal SSD can be encrypted for FileVault without any detectable overhead. From Big Sur onwards, these are used to encrypt the whole contents of the Data volume when it’s in internal storage, but not the System volume or the SSV from which the Mac boots.
FileVault base encryption
In Macs with T2 or Apple silicon chips, even when FileVault is disabled, everything in the Data volume on their internal SSD is still encrypted, but without any user password being involved.
Generating the key used to encrypt the volume, the Volume Encryption Key or VEK, requires two huge numbers, a hardware key unique to that Mac, and the xART key generated by the Secure Enclave as a random number. The former ties the encryption to that Mac, and the latter ensures that an intruder can’t repeat generation of the same VEK even if it does know the hardware key. When you use Erase All Content and Settings (EACAS), the VEK is securely erased, rendering the encrypted data inaccessible, and there’s no means to either recover or recreate it.
This scheme lets the Mac automatically unlock decryption, but doesn’t put that in the control of the user, who therefore needs to enable FileVault to get full protection.
FileVault full encryption
Rather than incorporating a user password or other key into the VEK itself, FileVault, like many other encryption systems, encrypts the VEK using a Key Encryption Key or KEK, a process known as wrapping.
When you enter your FileVault password, that’s passed to the Secure Enclave, where it’s combined with the hardware key to generate the KEK, and that’s then used together with hardware and xART keys to decrypt or unwrap the VEK used for decryption/encryption. This means that the primary user’s FileVault password is the same as their regular login password. It doesn’t have to be long and complicated either, as it’s combined with the hardware key to create the KEK.
This has several important benefits. When you first turn FileVault on, no data encryption is needed, as the VEK remains the same, so FileVault’s protection is effective immediately. Because the KEK can be changed without producing a new VEK, the user password can be changed without the contents of the protected volume having to be fully decrypted and encrypted again.
Recovery keys
It’s also possible to generate multiple KEKs to support the use of recovery keys that can be used to unlock the VEK when the user’s password is lost or forgotten. Institutional keys can be created to unlock multiple KEKs and VEKs where an organisation might need access to protected storage in multiple Macs.
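As an added illustration of the wrapping scheme described above, and of the multiple KEKs that recovery keys rely on, here is a small Go model (not Apple's code, and not from this article). It assumes HMAC-SHA256 as a stand-in for the Secure Enclave's key derivation, AES-256-GCM for the wrap, and constructed sample values for the hardware key, VEK and passwords.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKEK mixes a user secret with the per-Mac hardware key into an AES-256-GCM key.
// Assumption: HMAC-SHA256 stands in for the Secure Enclave's real derivation.
func deriveKEK(secret, hardwareKey []byte) cipher.AEAD {
	m := hmac.New(sha256.New, hardwareKey)
	m.Write(secret)
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte digest, so AES-256; cannot fail
	g, _ := cipher.NewGCM(block)          // cannot fail for an AES block cipher
	return g
}

// wrapVEK seals the VEK under a KEK as nonce||ciphertext||tag; the volume data is untouched.
func wrapVEK(vek []byte, kek cipher.AEAD) []byte {
	nonce := make([]byte, kek.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return kek.Seal(nonce, nonce, vek, nil)
}

// unwrapVEK fails with an error under any KEK other than the one used to wrap.
func unwrapVEK(wrapped []byte, kek cipher.AEAD) ([]byte, error) {
	ns := kek.NonceSize()
	if len(wrapped) < ns {
		return nil, fmt.Errorf("wrapped VEK too short")
	}
	return kek.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

func main() {
	hw, vek := []byte("constructed hardware key"), make([]byte, 32) // constructed values
	rand.Read(vek)
	login, recovery := deriveKEK([]byte("login password"), hw), deriveKEK([]byte("RECOVERY-KEY"), hw)
	w1, w2 := wrapVEK(vek, login), wrapVEK(vek, recovery) // one VEK wrapped under two KEKs
	// Password change: unwrap with the old KEK and seal again with the new one; the VEK,
	// and so the encrypted volume data, stays exactly as it was.
	v, _ := unwrapVEK(w1, login)
	w1 = wrapVEK(v, deriveKEK([]byte("new password"), hw))
	_, errOld := unwrapVEK(w1, login) // old password no longer unwraps
	got, _ := unwrapVEK(w2, recovery) // recovery key still does
	fmt.Println(errOld != nil, hmac.Equal(got, vek)) // true true
}
```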
When you enable FileVault, you’re given the option of being provided with a recovery key, which you should keep a copy of in a safe place, or using iCloud recovery if you prefer.
In the recent past, some macOS updates have played games with recovery keys, issuing new ones when they weren’t expected. When you first get your recovery key, and any time it changes, you should check to see if it will work correctly. Once your Mac is running fully, open Terminal and type in the command
sudo fdesetup validaterecovery
After entering your admin password, you’ll then be prompted to enter the recovery key to be checked. Type or paste that in carefully, and you’ll be told whether it’s correct or not. Note that Terminal doesn’t display the key when you type or paste it in, and you’ll have to press Return without being able to see or check what you’ve entered. If that new key fails, repeat the command using your previous recovery key instead.
FileVault on other disks
The Secure Enclave and AES engine are only wired up to protect volumes on your Mac’s internal SSD. You can still enable FileVault on bootable external disks, and even in macOS virtual machines. But in those cases, volumes that are protected use Encrypted APFS in software, which does impose a small overhead. In the case of VMs, FileVault is the only effective way to safeguard data in that VM, and is recommended. For external disks you’ll need to weigh up the pros and cons.
Summary
- FileVault in modern T2 and Apple silicon Macs is very different from in the past.
- It now provides excellent cost-free protection to your data when stored on the internal SSD.
- If you opt for a recovery key, check it then and whenever it has changed.
- If your T2 or Apple silicon Mac doesn’t have FileVault enabled, why not?