Apple deprecates Filevault - what now?

[chabig]

Please read my reply in the context of the whole thread. Right now, that works. As of 12.3, supposedly that isn't going to work anymore.

It will continue to work. Mark my word. No evidence in this thread suggests otherwise, just some unsupported statements based on rumor. Evidence would be Mike Bombich, the developer of CCC, saying so in his blog. He hasn’t.

Encrypted drives behave just like normal drives. There is no reason to believe that backups to encrypted drives will fail. If you can store data on it, you can backup data to it. It won’t be bootable, and it won’t matter.

And…I could be wrong. I don’t think so, but we will soon see.

 

[tjktony]

It will continue to work. Mark my word. No evidence in this thread suggests otherwise, just some unsupported statements based on rumor. Evidence would be Mike Bombich, the developer of CCC, saying so in his blog. He hasn’t.

Encrypted drives behave just like normal drives. There is no reason to believe that backups to encrypted drives will fail. If you can store data on it, you can backup data to it. It won’t be bootable, and it won’t matter.

So you think the OP completely made up the following quote from Bombich? I don't think so.

"Today Mike Bombich from CCC wrote the following to me:
>One last parting comment if I haven't yet convinced you to forgo the bootable copies – Apple has broken this functionality on macOS 12.3 for Apple Silicon Macs.
>We're up to 12.3 beta 5 at this point, and I believe the final update is imminent. I tested this functionality again just yesterday on 12.3b5, and it's still broken on Apple Silicon Macs.
>I don't anticipate this to be a practical solution (nor a necessary solution) for Apple Silicon Macs."

 

[chabig]

Bombich is just reiterating that bootable backups are no longer a thing. Encrypted, clone, data backups still exist and will continue to exist. They protect users from hardware failures. Bootability is not required to achieve that purpose. Apple Silicon Macs have three ways to boot already—the normal OS, recovery OS, and fallback OS.

 

[Mike Boreham]

If you have never used it you perhaps don't realise that even with it enabled your data is still very "easy to get at" in an emergency or otherwise.

@chabig .... very puzzled that you reacted to this post with an "angry"?

Let me say it another way....Backups protected by FileVault or encryption are still very easy to access in an emergency.

Perhaps I should have added the proviso that you have good password access and management.

 

[Mike Boreham]

Bombich is just reiterating that bootable backups are no longer a thing. Encrypted, clone, data backups still exist and will continue to exist. They protect users from hardware failures. Bootability is not required to achieve that purpose. Apple Silicon Macs have three ways to boot already—the normal OS, recovery OS, and fallback OS.

In spite of Bombich's position on Bootable backups (with which I agree) it has been possible in 12.2 to make bootable clones with both CCC and Superduper!. They both use the Apple ASR tool to clone the System volume which can only be done to an erased destination. Which means any time macOS is updated you have to erase the destination and do a fresh clone. It works and I have done it with both, (as tests since I don't use bootable clones). It has been a long and bumpy road to reach this point.

What Bombich is saying is that the ASR tool has stopped working in 12.3, so it is back to -Data volume clones which is fine by me. You are right he is not saying anything about encrypted backups which will continue as before.

Interesting that Bombich of CCC and Dave Nanian of Superduper! have taken opposite positions on bootable clones. Both have provided it (up to 12.2) but it is not the default and not recommended by CCC, while Superduper! glosses over the problems and presents it as fully capable.

 

[chabig]

@chabig .... very puzzled that you reacted to this post with an "angry"?

Mike, I'm very glad that you expressed puzzlement. I owe you a big apology. I completely misunderstood your post. I agree with you 100% that backups protected by encryption are no harder to use than unencrypted backups. All of my backup drives are encrypted.

 

[Makisupa Policeman]

Just don't use FileVault. All it does is make recovery much more difficult. Unless you work for the NSA or something, you're data isn't that interesting!!

I wouldn’t use it—imagine not being able to recover precious family memories and photos because you can’t remember your encryption password 😖 But I’m not giving this advice to anyone else—ymmv depending how worried you are about your personal info falling into the wrong hands.

 

[gilby101]

imagine not being able to recover precious family memories and photos because you can’t remember your encryption password

Come off it. There is no need to remember encryption passwords (I certainly don't). Just keep them a secure place, which can be accessed in the event of a major disaster.

 

[Makisupa Policeman]

Come off it. There is no need to remember encryption passwords (I certainly don't). Just keep them a secure place, which can be accessed in the event of a major disaster.

I just have no need for FileVault, and I’d rather not have to worry about it.

This isn’t advice for anyone else. As I said YMMV.

 

[HDFan]

there's a ton of information on it that could be used for identity theft.

I have given up worrying about identity theft. If you use the internet, automatic payments via credit card, on-line backing or investing, etc. just assume that your information will eventually be compromised. I have had 3 major breeches in the last 2 years:

1. Someone filed an income tax form requesting a refund using my identity.

2. A credit card that I almost never use was compromised and several large purchases made on it.

3. My main credit card, which is used for a lot of automatic payments, was compromised when someone called my bank and changed my address to something else, after making a $3K charge.

(1) was a bit of hassle as it involved the IRS. Resolved a few months ago when I got my 2019 refund.
(2) and (3) I was notified by the banks about possible fraud. They sent me new cards and for (3) corrected my address with new security questions. No $ losses.

There are much more important issues in the world to worry about right now than identity theft. I'm not going to worry about it. Having all of my monthly payments made automatically is worth the risk. If I get a major problem I have insurance which will assist in the fix and remimburse me for any $ losses.

 

[Mike Boreham]

I have given up worrying about identity theft. If you use the internet, automatic payments via credit card, on-line backing or investing, etc. just assume that your information will eventually be compromised. I have had 3 major breeches in the last 2 years:

1. Someone filed an income tax form requesting a refund using my identity.

2. A credit card that I almost never use was compromised and several large purchases made on it.

3. My main credit card, which is used for a lot of automatic payments, was compromised when someone called my bank and changed my address to something else, after making a $3K charge.

(1) was a bit of hassle as it involved the IRS. Resolved a few months ago when I got my 2019 refund.
(2) and (3) I was notified by the banks about possible fraud. They sent me new cards and for (3) corrected my address with new security questions. No $ losses.

There are much more important issues in the world to worry about right now than identity theft. I'm not going to worry about it. Having all of my monthly payments made automatically is worth the risk. If I get a major problem I have insurance which will assist in the fix and remimburse me for any $ losses.

Wow! 3 major breaches in 2 years! Maybe (just maybe) you could have avoided some of that hassle (which would have had me shxxxing bricks) by using the basic security tools, like FileVault, provided to us.

Banks and Insurance companies absorbing the cost of your breeches drives up costs for everyone else, as well as encouraging the bad guys to keep trying their luck.

And you are right, there are more important things to worry about, but avoiding all that hassle would give more time for doing so.

 

[Mike Boreham]

I completely misunderstood your post.

Then I am the one to blame for the way I expressed it.

 

[The Man]

Superduper does encrypted bootable backup, but it has to be done in two steps. The first clone you make is not encrypted. You then have to boot into the external backup. Turn on Filevault and let it encrypt. When this is done, you can do Smart Backup encrypted bootable backup of your Mac.

 

[tjktony]

Superduper does encrypted bootable backup, but it has to be done in two steps. The first clone you make is not encrypted. You then have to boot into the external backup. Turn on Filevault and let it encrypt. When this is done, you can do Smart Backup encrypted bootable backup of your Mac.

That's the process for CCC too.

 

[HDFan]

Maybe (just maybe) you could have avoided some of that hassle (which would have had me shxxxing bricks) by using the basic security tools, like FileVault, provided to us.

Firevault won't help with external web database breeches. I was for a long paranoid about security. I follow best practices for all websites which have my data. Both usernames and passwords are all 20 randomized characters/numbers/symbols and are unique for each login. I have several identify theft subscriptions to search for compromised data. Almost all my data is out there now including my SS number and a cellphone number which I almost never put on websites. Thank you - T-mobile!

 

[Mike Boreham]

Firevault won't help with external web database breeches. I was for a long paranoid about security. I follow best practices for all websites which have my data. Both usernames and passwords are all 20 randomized characters/numbers/symbols and are unique for each login. I have several identify theft subscriptions to search for compromised data. Almost all my data is out there now including my SS number and a cellphone number which I almost never put on websites. Thank you - T-mobile!

Agreed. FileVault is just one of many tools, and might help prevent Identity theft. But anyway it sounds like you care much more, and take many more precautions than your previous post implied, so seems you have been very unlucky.

 

[BrianBaughn]

I would guess the percentage of all identity theft that FileVault currently prevents is probably somewhere in the 0.00001% range and that if every Mac user turned it on that number would probably be something like 0.000010001%.

If Grandma has FV on, gets a fake "security warning" popup in Safari, calls "Ray" from "Apple Security Services", lets "Ray" share her screen…well what good is it then?

However, I believe that Apple itself should be providing users with a way to make encryptable, bootable quick backups and that we shouldn't have ever been reliant on third-party software for this.

I also think that the percentage of Mac laptop users that ever carried their backups with them has to be pretty low.

 

[HDFan]

I would guess the percentage of all identity theft that FileVault currently prevents is probably somewhere in the 0.00001% range and that if every Mac user turned it on that number would probably be something like 0.000010001%.

I've never read a story about Identity Theft occurring with a personal stolen laptop, although I'm sure it has occurred.

The cases I've read about have been when a laptop with business data (including yours) on it has been lost and that data is breeched compromising your records. The vast majority of cases have been with website exploits.

Certainly with a laptop if you have sensitive data, such as a doctors' patient medical records, it should be encrypted. I just don't see encryption as decreasing your odds of identity theft that much.

 

[svenmany]

I've never read a story about Identity Theft occurring with a personal stolen laptop, although I'm sure it has occurred.

The cases I've read about have been when a laptop with business data (including yours) on it has been lost and that data is breeched compromising your records. The vast majority of cases have been with website exploits.

Certainly with a laptop if you have sensitive data, such as a doctors' patient medical records, it should be encrypted. I just don't see encryption as decreasing your odds of identity theft that much.

Those thousands of stories never made the news.

I guess you can give https://www.consumeraffairs.com/finance/identity-theft-statistics.html a quick read to see if your opinion changes.

Imagine you have an unencrypted external disk with personal and/or business data on it. Would you sell it without wiping it? If the answer is no then I'd encourage you to think about how you would feel if such a disk was stolen.

 

[chabig]

I updated to macOS 12.3 today and as I suspected, CCC updated my clone to an encrypted external drive just fine, as it always has.

 

[tjktony]

I updated to macOS 12.3 today and as I suspected, CCC updated my clone to an encrypted external drive just fine, as it always has.

I wonder if it's just updating the Data volume and not the System. Would you mind checking by booting to it and looking in About This Mac to see if it's 12.3?

 

[chabig]

I wonder if it's just updating the Data volume and not the System. Would you mind checking by booting to it and looking in About This Mac to see if it's 12.3?

There is no system volume. It's a data backup. Apple is deprecating the ability to create bootable backups on M1 machines because they are not needed. The system volume is sealed and cannot become corrupted. And backing that up, there are two other bootable systems on the SSD–Recovery and Fallback Recovery.

The OP thought that backups had to be bootable to be encrypted. They do not. Apple is not deprecating is the ability to make encrypted backups.

 

[0286338]

What Apple have done is removed the option to create 3rd party Bootable backups.

Several people have said this, but I'd like to know why this is the case, if anyone knows? A bootable external clone drive has been a Godsend to me many times over the years, I would like to continue having that functionality and I know there are quite a few others who feel the same way. What is the difference between using Disk Utility to encrypt a drive as APFS Encrypted, versus hitting the button to turn Filevault on, from a security perspective? None? Do they do the exact same thing?

Nothing I have on my drives is THAT "interesting" to anyone.

I have lost count of how many times I have heard people say this. Without asserting this is the case in this instance, in my experience it is always said by people who just can't be bothered to worry and dont know just how much data they actually do have at risk. It doesn't matter if you dont store your life on your machine, I know someone who's life was turned upside down and inside out by a virtually disposable laptop he 'just used for occasional browsing' was stolen from his car. Turns out, 'occasional browsing' included checking his bank balance (bank logins), placed bets at online bookmakers, updated his social profiles etc. For MONTHS his life was ruined while he tried to prevent filthy images being uploaded to all sorts of platforms he had joined (Tumblr and similar). Then came his email contacts (he used yahoo, oops) who got bombarded with crap, including his elderly parents and younger ones too, oops.

These days just using the web reveals a lot about a person. It should be a choice to encrypt or not to, but I would strongly advise anyone who 'thinks' they don't 'need' it, to think again and if in doubt, just go for encryption rather than going the other way. One way has huge potential costs, one has the cost of printing a password off a few times and placing in a relatives house, stuck under your bedside lamp, or whatever else you choose! Then you can relax, and enjoy peace of mind! Do you close your curtains when it gets dark outside? Why? What have you got to hide? :-D

(Answer = You DO actually enjoy your right to privacy, you dont wait until someone's face is against the window to close the curtains, do you? So dont wait until your life is turned upside down by a hack, to turn on simple encryption! That's my advice anyway, fwiw.)

 

[chabig]

Several people have said this, but I'd like to know why this is the case, if anyone knows? A bootable external clone drive has been a Godsend to me many times over the years

If the concern is being able to restore data, there is no benefit to booting from the backup. Just mount it and restore the desired data. Apple is increasing machine and data security by controlling the boot process tightly, so that it is impossible for the system volume to be modified. Therefore it can’t become corrupted.

 

[chabig]

What is the difference between using Disk Utility to encrypt a drive as APFS Encrypted, versus hitting the button to turn Filevault on, from a security perspective? None? Do they do the exact same thing?

It’s is the same encryption. Turning FileVault on simply associates your login credentials with the encryption key, so they are required to decrypt the drive.