Intro to FileVault
Mac computers offer FileVault, a built-in encryption capability, to secure all data at rest. FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices.
FileVault on a Mac with Apple silicon is implemented using Data Protection Class C with a volume key. On Mac computers with Apple silicon and Mac computers with the Apple T2 Security Chip, encrypted internal storage devices directly connected to the Secure Enclave leverage its hardware security capabilities as well as that of the AES engine. After a user turns on FileVault on a Mac, their credentials are required during the boot process.
Internal storage with FileVault turned on
Without valid login credentials or a cryptographic recovery key, the internal APFS volumes remain encrypted and are protected from unauthorized access, even if the physical storage device is removed and connected to another computer. In macOS 10.15, this includes both the system volume and the data volume. In macOS 11 or later, the system volume is protected by the signed system volume (SSV) feature, but the data volume remains protected by encryption. For Mac computers with either Apple silicon or T2 chips, internal volume encryption is implemented by constructing and managing a hierarchy of keys. The encryption also builds on the hardware encryption technologies built into the particular chip. This hierarchy of keys is designed to simultaneously achieve four goals:
Require the user’s password for decryption
Protect the system from a brute-force attack directly against storage media removed from Mac
Provide a swift and secure method for wiping content by deleting necessary cryptographic material
Enable users to change their password (and in turn the cryptographic keys used to protect their files) without requiring reencryption of the entire volume
On a Mac with Apple silicon and those with the T2 chip, all FileVault key handling occurs in the Secure Enclave; encryption keys are never directly exposed to the Intel CPU. All APFS volumes are created with a volume encryption key by default. Volume and metadata contents are encrypted with this volume encryption key, which is wrapped with the class key. The class key is protected by a combination of the user’s password and the hardware UID when FileVault is turned on.
Internal storage with FileVault turned off
If FileVault isn’t turned on in a Mac with Apple silicon or a Mac with the T2 chip during the initial Setup Assistant process, the volume is still encrypted but the volume encryption key is protected only by the hardware UID in the Secure Enclave.
If FileVault is turned on later—a process that is immediate since the data was already encrypted—an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
Enforcing FileVault in Setup Assistant
ForceEnableInSetupAssistant key, Mac computers can be required to turn on FileVault during Setup Assistant. This ensures that the internal storage in managed Mac computers is always encrypted before being used. Organizations can decide whether to show the FileVault recovery key to the user or to escrow the personal recovery key. To use this feature, ensure that
await_device_configured is set.
Note: For this feature to work, the user account that was created interactively during Setup Assistant must have the role of Administrator.
Deleting FileVault volumes
When a volume is deleted, its volume encryption key is securely deleted by the Secure Enclave. This prevents future access with this key even by the Secure Enclave. In addition, all volume encryption keys are wrapped with a media key. The media key doesn’t provide additional confidentiality of data, but instead is designed to enable swift and secure deletion of data because without it, decryption is impossible.
On a Mac with Apple silicon and those with the T2 chip, the media key is guaranteed to be erased by the Secure Enclave supported technology—for example, by remote MDM commands. Erasing the media key in this manner renders the volume cryptographically inaccessible.
Removable storage devices
Encryption of removable storage devices doesn’t utilize the security capabilities of the Secure Enclave, and its encryption is performed in the same manner as Intel-based Mac computers without the T2 chip.