Apple deprecates Filevault - what now?

[New_Mac_Pro_Now!]

hello,
after the original problems with bootable backups under Big Sur were solved thanks to Carbon Copy Cloner, the problems have increased again with Monterey...
Using the CCCs recommendet method (delete/format with APFS+guid, then use the Assistant for old bootable copies) i can only backup new M1s with little used hard drive space (100GB). A 2018 Intel iMac with 750 GB Data (Monterey) fails to create a bootable backup with CCCs recommendet method for the umpteenth time and I think I give up now.

The main reason I want to keep bootable backups is in order not to lose the secure Filevault-Encryption. No bootable backup means no Filevault security-level - or am I missing something here?
The APFS-encrypted-formatting is hardly a proven alternative.

Today Mike Bombich from CCC wrote the following to me:
>One last parting comment if I haven't yet convinced you to forgo the bootable copies – Apple has broken this functionality on macOS 12.3 for Apple Silicon Macs.
>We're up to 12.3 beta 5 at this point, and I believe the final update is imminent. I tested this functionality again just yesterday on 12.3b5, and it's still broken on Apple Silicon Macs.
>I don't anticipate this to be a practical solution (nor a necessary solution) for Apple Silicon Macs.

This sucks big time. How does Apple think we are going to make Filevault-encrypted disks in the future? Has this been discussed somewhere?
Are there any alternatives? Are there people outside of Apple Park brandishing pitch-forks already?
I mean what gives?
They are just silently burying Filevault and expect the users to keep quiet?
Thanks for your input &
regards

 

[chabig]

I am going to say this as gently as possible. You missed the point. Apple has not wavered one iota in their commitment to FileVault encryption. It's still with us and still strong as ever. What Apple has done on the latest machines is eliminate the ability to make bootable backups. That has nothing to do with FileVault encryption. Mike has talked about this before. Bootable backups combined two things in one–-a way to boot a machine if the boot volume has problems, and a data backup. The M1 machines separate these two functions. If the boot volume becomes corrupted, there are two hidden boot volumes (Recovery, and Fallback Recovery) from which to boot and repair the main volume. As for backing up your data, well, Time Machine and CCC still have you covered.

 

[New_Mac_Pro_Now!]

You clearly missed my point:
How does one maintain Filevault-encrypted external/backup media when Filevault encryption can only be
initiated from within a bootable file-system and bootable backups are no longer supported?
Have you got an answer to this question?

 

[chabig]

I guess I don't understand what you're asking. I have several external FileVault encrypted drives and none of them are bootable. I read/write to them by plugging them into my Mac.

 

[svenmany]

Why do you say "The APFS-encrypted-formatting is hardly a proven alternative."?

I had thought FileVault encryption used APFS encrypted formatting, and then adds a some convenience features on top of it (like login/decrypt coordination).

 

[New_Mac_Pro_Now!]

>I had thought FileVault encryption used APFS encrypted formatting, and then adds a some convenience features on
>top of it (like login/decrypt coordination).
Is that so?

 

[svenmany]

You're talking to an amateur.

However, I found the quote

Yes, CCC 5 can clone to and from encrypted APFS volumes (aka FileVault encryption).

at https://bombich.com/kb/ccc5/everything-you-need-know-about-carbon-copy-cloner-and-apfs.

The "aka" part lends some credence to my vague intuition. I have read a more detailed discussion but can't find it at the moment.

 

[gilby101]

How does one maintain Filevault-encrypted external/backup media when Filevault encryption can only be
initiated from within a bootable file-system and bootable backups are no longer supported?

Just like you would with the internal macOS.
1. Create a macOS install on an unencrypted external drive.
2. Boot it, and encrypt with FileVault.
You can then put whatever you want on the external disk to support your recovery efforts following some specific disasters.

 

[New_Mac_Pro_Now!]

I'd like to believe you,

Just like you would with the internal macOS.
1. Create a macOS install on an unencrypted external drive.
2. Boot it, and encrypt with FileVault.
You can then put whatever you want on the external disk to support your recovery efforts following some specific disasters.

Beginning with Monterey 12.3 this will not be possible, Bombich wrote (see my first post).

 

[Mike Boreham]

I'd like to believe you,

Beginning with Monterey 12.3 this will not be possible, Bombich wrote (see my first post).

As others have said a clone of the -Data volume of a bootable drive, is just a data drive like one containing only docs and photos. You can either encrypt it when formatting in Disk Utility before cloning, or use Finder > right click > encrypt after cloning.

 

[madrigal77]

Just don't use FileVault. All it does is make recovery much more difficult. Unless you work for the NSA or something, you're data isn't that interesting!!

 

[Lisimba]

Just don't use FileVault. All it does is make recovery much more difficult. Unless you work for the NSA or something, you're data isn't that interesting!!

Do not follow this suggestion

 

[TiggrToo]

Just don't use FileVault. All it does is make recovery much more difficult. Unless you work for the NSA or something, you're data isn't that interesting!!

Awful awful awful "advice".

Security has nothing to do with being like the NSA. It's basic common sense.

You should also shred all personal documents before recycling or tossing them.

Please never suggest this again - you do you by all means - but you're putting other people's data at risk by suggesting that they shouldn't utilize whole disk encryption.

 

[TiggrToo]

hello,
after the original problems with bootable backups under Big Sur were solved thanks to Carbon Copy Cloner, the problems have increased again with Monterey...
Using the CCCs recommendet method (delete/format with APFS+guid, then use the Assistant for old bootable copies) i can only backup new M1s with little used hard drive space (100GB). A 2018 Intel iMac with 750 GB Data (Monterey) fails to create a bootable backup with CCCs recommendet method for the umpteenth time and I think I give up now.

The main reason I want to keep bootable backups is in order not to lose the secure Filevault-Encryption. No bootable backup means no Filevault security-level - or am I missing something here?
The APFS-encrypted-formatting is hardly a proven alternative.

Today Mike Bombich from CCC wrote the following to me:
>One last parting comment if I haven't yet convinced you to forgo the bootable copies – Apple has broken this functionality on macOS 12.3 for Apple Silicon Macs.
>We're up to 12.3 beta 5 at this point, and I believe the final update is imminent. I tested this functionality again just yesterday on 12.3b5, and it's still broken on Apple Silicon Macs.
>I don't anticipate this to be a practical solution (nor a necessary solution) for Apple Silicon Macs.

This sucks big time. How does Apple think we are going to make Filevault-encrypted disks in the future? Has this been discussed somewhere?
Are there any alternatives? Are there people outside of Apple Park brandishing pitch-forks already?
I mean what gives?
They are just silently burying Filevault and expect the users to keep quiet?
Thanks for your input &
regards

Your post title is misleading.

Apple have not deprecated FileVault.

What Apple have done is removed the option to create 3rd party Bootable backups.

In the meantime you can use Time Machine for that purpose, or backup your files with any backup tool available outside of a Bootable backup.

I have Arq backing up to the cloud and my NAS, Time Machine to an external drive and also file synchronization keeping multiple folders in sync on my NAS as well.

And yes, I have FileVault turned on.

 

[gilby101]

Beginning with Monterey 12.3 this will not be possible, Bombich wrote (see my first post).

You have misunderstood what is going on. We don't have all of Bombich's words, but I believe he is only talking about making bootable clones. It is still possible to create bootable macOS on external drives, boot it, encrypt with FileVault and add whatever other stuff you want.

As @TiggrToo says:

What Apple have done is removed the option to create 3rd party Bootable backups.

 

[tjktony]

You have misunderstood what is going on. We don't have all of Bombich's words, but I believe he is only talking about making bootable clones. It is still possible to create bootable macOS on external drives, boot it, encrypt with FileVault and add whatever other stuff you want.

As @TiggrToo says:

Just like you would with the internal macOS.
1. Create a macOS install on an unencrypted external drive.
2. Boot it, and encrypt with FileVault.
You can then put whatever you want on the external disk to support your recovery efforts following some specific disasters.

Keeping it updated is where the problem comes in. Right now, in three clicks and about 50 seconds I can complete a CCC backup with FV enabled on the bootable backup. It looks like that will not be the case in the near future.

 

[Fishrrman]

I don't use filevault.
I've never used it.
Nothing I have on my drives is THAT "interesting" to anyone.

Having said that...
The point of having a "backup" is having a method to easily access data in an emergency.
If you make it difficult to get at that data (such as using encryption on a backup), it may make it impossible to "get at the data" in a moment "of extreme need".
If the data is that sensitive, hide the backup drive someplace or keep it in a safe.

I WANT my data to be "easy-to-get-to" in an emergency.

My opinion only.
Others will disagree.
Some will disagree vehemently.

 

[svenmany]

I don't use filevault.
I've never used it.
Nothing I have on my drives is THAT "interesting" to anyone.

I can't argue with you since I don't know what's on your computer. If my laptop were stolen, there's a ton of information on it that could be used for identity theft.

You have to ask yourself whether you'd be OK selling your computer without wiping the disk. If the answer is no, then the same logic could be applied to theft of your computer. Encryption is just prudent unless you can guarantee that no one can gain physical access to your computer without your permission.

 

[Mike Boreham]

I don't use filevault.
I've never used it.
Nothing I have on my drives is THAT "interesting" to anyone.

Having said that...
The point of having a "backup" is having a method to easily access data in an emergency.
If you make it difficult to get at that data (such as using encryption on a backup), it may make it impossible to "get at the data" in a moment "of extreme need".
If the data is that sensitive, hide the backup drive someplace or keep it in a safe.

I WANT my data to be "easy-to-get-to" in an emergency.

My opinion only.
Others will disagree.
Some will disagree vehemently.

If you have never used it you perhaps don't realise that even with it enabled your data is still very "easy to get at" in an emergency or otherwise.

 

[madrigal77]

Awful awful awful "advice".

Security has nothing to do with being like the NSA. It's basic common sense.

You should also shred all personal documents before recycling or tossing them.

Please never suggest this again - you do you by all means - but you're putting other people's data at risk by suggesting that they shouldn't utilize whole disk encryption.

Actually if you care about recovering your data, it's good "advice". If an update goes wrong or something else happens to corrupt your drive, you're not getting those files back on an encrypted drive. I've seen it happen a few times.

Unless you have reason to believe someone is specifically targeting you, a strong password is enough.

And yes, you should shred personal documents. And no, it's not the same thing.

 

[TiggrToo]

Actually if you care about recovering your data, it's good "advice". If an update goes wrong or something else happens to corrupt your drive, you're not getting those files back on an encrypted drive. I've seen it happen a few times.

Unless you have reason to believe someone is specifically targeting you, a strong password is enough.

And yes, you should shred personal documents. And no, it's not the same thing.

It's terrible advice. Period. Zero reason in this day and age to advise someone to not encrypt their drive if the OS supports it.

Backups solve the other problem you describe.

There - encryption AND document safety. Who said you can't have both.

 

[chabig]

Keeping it updated is where the problem comes in. Right now, in three clicks and about 50 seconds I can complete a CCC backup with FV enabled on the bootable backup. It looks like that will not be the case in the near future.

Keeping a clone updated is easy. Just run CCC whenever you want to update it. You can even schedule CCC.

 

[svenmany]

Unless you have reason to believe someone is specifically targeting you, a strong password is enough.

I suspect it's careless, unlucky people who suffer rather than people who are targeted.

 

[chabig]

Unless you have reason to believe someone is specifically targeting you, a strong password is enough.

A password does nothing to protect unencrypted data on an external drive.

 

[tjktony]

Keeping a clone updated is easy. Just run CCC whenever you want to update it. You can even schedule CCC.

Please read my reply in the context of the whole thread. Right now, that works. As of 12.3, supposedly that isn't going to work anymore.