How FileVault and the T2 Security Chip work together in newer Macs

Macs with a T2 chip always encrypt their drives. Why is FileVault necessary?


Newer Macs come with a T2 Security Chip with its own Secure Enclave, a tamper-resistant bit of silicon that allows high levels of security just like on an iPhone and iPad. It’s used to enable Touch ID and allow Apple Pay on laptops, but it also handles a number of other tasks, including full-disk encryption. (The T2 chip began appearing in Macs with the iMac Pro in very late 2017; see this list to check if you’re not sure if yours is one of them.)

On pre-T2 models, macOS uses a combination of software and hardware-accelerated encryption to encrypt all the data on your disk using FileVault, which can be turned on and off via the Security & Privacy preference pane’s FileVault tab. It can take an extremely long time for FileVault to encrypt a drive completely the first time on these older Macs and bog down a system while it is underway. Afterwards, Macs generally handle live reading and writing at almost the same speed as if the data weren’t encrypted.

FileVault prevents the data on a disk at rest—not powered up and logged in—from being extractable in any effective way. The data is just a bunch of digital garbage without access to the key, and the key can’t be retrieved without the password of one of the FileVault-linked accounts on the Mac, which has to be entered at startup time to unlock the drive.


The just-released 27-inch iMac is equipped with the T2 security chip.

With the T2 chip managing encryption, what is FileVault left to do on these models? It’s rather subtle.

With FileVault off on a T2-bearing Mac, if a ne’er-do-well extracted the drive from a Mac, the contents remain inaccessible. That’s an improvement over pre-T2 Macs, where the non-FileVault-protected contents would be fully readable. It’s a baseline security improvement. (As a result, by the way, T2-equipped Macs that receive an Erase This Device command via Find My Device become nearly instantly “erased,” just like a Mac with no T2 chip and FileVault enabled: erasing the encryption key renders the drive’s contents permanently irretrievable.)

However, without enabling FileVault, a Mac merely has to be booted for the drive to be unlocked, even if it doesn’t automatically log into an account. While the encryption is locked to a hardware key managed by the Secure Enclave in the T2 chip, decryption kicks in as soon as the Mac boots to a login screen. A malicious party might be able to subvert macOS or use hardware methods to access data from the mounted and running drive.

Turn on FileVault, however, and a T2-equipped Mac engages in the same boot behavior as one that handles disk encryption in software. Instead of loading macOS directly, the Recovery partition boots in a special mode that requires entry of the password of any account allowed to use FileVault. Until that password is entered, the disk’s contents remain encrypted just as if it were at rest.

I recommend enabling FileVault on T2-equipped Macs for the greatest security and peace of mind. The bonus? Because the T2 chip has already encrypted the drive, there’s no overhead and no delay: FileVault is immediately enabled.
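As an added example, not part of the column, here is a small audit script that classifies a Mac into the three states described above (readable, encrypted but unlocked at boot, locked until a FileVault password is entered). It assumes `fdesetup status` prints a line beginning "FileVault is On" or "FileVault is Off", and that `system_profiler SPiBridgeDataType` names an "Apple T2 Security Chip" on T2 models; the classifier takes that text as arguments so it can be checked offline on constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): classify a Mac's at-rest disk
# protection from the output of two macOS commands (assumed formats):
#   fdesetup status                   -> "FileVault is On." / "FileVault is Off."
#   system_profiler SPiBridgeDataType -> mentions "Apple T2 Security Chip" on T2 Macs

# has_t2 TEXT : succeeds when the iBridge report names a T2 chip
has_t2() {
    printf '%s\n' "$1" | grep -q 'Apple T2 Security Chip'
}

# filevault_on TEXT : succeeds when fdesetup reports FileVault enabled
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# classify FDESETUP_OUT IBRIDGE_OUT : prints one of three states
classify() {
    fv="$1"; t2="$2"
    if filevault_on "$fv"; then
        # contents stay encrypted until a FileVault-enabled user authenticates at boot
        echo "locked-until-password"
    elif has_t2 "$t2"; then
        # encrypted at rest, but decrypted as soon as the login screen appears
        echo "unlocked-at-boot"
    else
        # pre-T2 Mac without FileVault: a removed drive is fully readable
        echo "readable"
    fi
}

# Run against the live system only on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
    classify "$(fdesetup status 2>/dev/null)" "$(system_profiler SPiBridgeDataType 2>/dev/null)"
fi
```

A result of "unlocked-at-boot" is the case the column warns about: the drive is protected only while the Mac is powered off.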
