Volume encryption with FileVault in macOS
Mac computers offer FileVault, a built-in encryption capability to secure all data at rest. FileVault uses the AES-XTS data encryption algorithm to protect full volumes on internal and removable storage devices.
FileVault on a Mac with Apple silicon is implemented using Data Protection Class C with a volume key. On a Mac with Apple silicon and a Mac with an Apple T2 Security Chip, encrypted internal storage devices directly connected to the Secure Enclave leverage its hardware security capabilities as well as that of the AES engine. After a user turns on FileVault on a Mac, their credentials are required during the boot process.
Note: For Mac computers (1) prior to those with a T2 chip, (2) with internal storage that didn’t originally ship with the Mac or (3) with attached external storage: After FileVault is turned on, all existing files and any further data written are encrypted. Data that was added and then deleted before turning on FileVault isn’t encrypted and may be recoverable with forensic data recovery tools.
Internal storage with FileVault turned on
Without valid login credentials or a cryptographic recovery key, the internal APFS volumes remain encrypted and are protected from unauthorised access even if the physical storage device is removed and connected to another computer. In macOS 10.15, this includes both the system volume and the data volume. Starting in macOS 11, the system volume is protected by the signed system volume (SSV) feature but the data volume remains protected by encryption. Internal volume encryption on a Mac with Apple silicon as well as those with the T2 chip is implemented by constructing and managing a hierarchy of keys and builds on the hardware encryption technologies built into the chip. This hierarchy of keys is designed to simultaneously achieve four goals:
Require the user’s password for decryption
Protect the system from a brute-force attack directly against storage media removed from Mac
Provide a swift and secure method for wiping content via deletion of necessary cryptographic material
Enable users to change their password (and in turn the cryptographic keys used to protect their files) without requiring reencryption of the entire volume
On a Mac with Apple silicon a Mac with a T2 chip, all FileVault key handling occurs in the Secure Enclave; encryption keys are never directly exposed to the Intel CPU. By default, all APFS volumes are created with a volume encryption key. Volume and metadata contents are encrypted with this volume encryption key, which is wrapped with a key encryption key (KEK). The KEK is protected by a combination of the user’s password and hardware UID when FileVault is turned on.
Internal storage with FileVault turned off
If FileVault isn’t turned on in a Mac with Apple silicon or a Mac with the T2 chip during the initial Set-Up Assistant process, the volume is still encrypted but the volume encryption key is protected only by the hardware UID in the Secure Enclave.
If FileVault is turned on later — a process that is immediate because the data has already been encrypted — an anti-replay mechanism helps prevent the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.
Deleting FileVault volumes
When deleting a volume, its volume encryption key is securely deleted by the Secure Enclave. This helps prevent future access with this key even by the Secure Enclave. Additionally, all volume encryption keys are wrapped with a media key. The media key doesn’t provide additional confidentiality of data; instead, it’s designed to enable swift and secure deletion of data because without it, decryption is impossible.
On a Mac with Apple silicon and a Mac with the T2 chip, the media key is guaranteed to be erased by the Secure Enclave supported technology — for example by remote MDM commands. Erasing the media key in this manner renders the volume cryptographically inaccessible.
Removable storage devices
Encryption of removable storage devices doesn’t utilise the security capabilities of the Secure Enclave and its encryption is performed in the same manner as an Intel-based Mac without the T2 chip.