
yellowhelicopter (macrumors regular, original poster, joined Jun 5, 2020)
So, they moved from a soldered to a replaceable internal SSD, at least on the Mac Mini M4 machines. I'm wondering how secure the contents of the SSD are now. I mean, before (on the Mac Mini M1) I chose not to enable FileVault because the SSD contents were protected by the user's login password and it simply could not be removed and manipulated. Should I now? Has it become less safe? Can it be connected to another machine (a PC, e.g.) and read somehow if it's not "FileVaulted"?

Root Cryptographic Keys

The Secure Enclave includes a unique ID (UID) root cryptographic key. The UID is unique to each individual device and isn’t related to any other identifier on the device.

A randomly generated UID is fused into the SoC at manufacturing time. Starting with A9 SoCs, the UID is generated by the Secure Enclave TRNG during manufacturing and written to the fuses using a software process that runs entirely in the Secure Enclave. This process protects the UID from being visible outside the device during manufacturing and therefore isn’t available for access or storage by Apple or any of its suppliers.

sepOS uses the UID to protect device-specific secrets. The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the internal SSD storage is physically moved from one device to another, the files are inaccessible. Other protected device-specific secrets include Optic ID, Face ID, or Touch ID data. On a Mac, only fully internal storage linked to the AES engine receives this level of encryption. For example, neither external storage devices connected over USB nor PCIe-based storage added to the 2019 Mac Pro are encrypted in this fashion.

The UID is a 256-bit key. Basically, practically unbreakable.*

However, if you want some of the math:


* https://forums.macrumors.com/threads/m4-and-gofetch.2439351/
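An added illustration of the key hierarchy Apple's text describes, not code from the original post and not Apple's sepOS or AES-engine implementation. It models a device with a fused UID that never leaves it, a volume key wrapped under a UID-derived key, and an optional FileVault-style step that additionally entangles a user password into the wrapping key. The derivation steps, the HMAC-based stand-in cipher and the sample file contents are assumptions made for the demo; only the standard library is used.

```python
"""Toy model of a UID-rooted storage key hierarchy, with and without a
FileVault-style password entanglement. Added illustration only: the
derivations below are assumed for the demo and are not Apple's design."""
import hashlib
import hmac
import os
from typing import Optional


def hkdf_expand(key: bytes, info: bytes) -> bytes:
    """RFC 5869 HKDF-Expand (SHA-256), a single 32-byte output block."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for the AES engine."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    enc_key, mac_key = hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """A Mac-like device whose SoC holds a fused UID that is never exported."""

    def __init__(self) -> None:
        self._uid = os.urandom(32)  # fused at manufacture; modelled as random here

    def wrapping_key(self, password: Optional[str]) -> bytes:
        kek = hkdf_expand(self._uid, b"internal-storage-kek")
        if password is not None:
            # FileVault-style entanglement (assumed construction): the wrapping key
            # also depends on a slow hash of the user password, salted with the UID.
            pw = hashlib.pbkdf2_hmac("sha256", password.encode(), self._uid, 50_000)
            kek = hkdf_expand(kek + pw, b"filevault-kek")
        return kek

    def wrap_volume_key(self, volume_key: bytes, password: Optional[str] = None) -> bytes:
        return seal(self.wrapping_key(password), volume_key)

    def unwrap_volume_key(self, wrapped: bytes, password: Optional[str] = None) -> Optional[bytes]:
        return open_sealed(self.wrapping_key(password), wrapped)


SAMPLE_FILE = b"constructed sample file contents"  # constructed, not real data


def nand_module(device: Device, password: Optional[str] = None):
    """What lives on the removable NAND: the wrapped volume key and an encrypted file."""
    volume_key = os.urandom(32)
    return device.wrap_volume_key(volume_key, password), seal(volume_key, SAMPLE_FILE)


def read_file(device: Device, wrapped: bytes, data: bytes, password: Optional[str] = None) -> Optional[bytes]:
    vk = device.unwrap_volume_key(wrapped, password)
    return None if vk is None else open_sealed(vk, data)


def demo() -> dict:
    mac_a, mac_b = Device(), Device()            # two Macs, two different fused UIDs
    wrapped, data = nand_module(mac_a)           # FileVault off
    fv_wrapped, fv_data = nand_module(mac_a, "correct horse")  # FileVault on
    return {
        "same_device_no_fv": read_file(mac_a, wrapped, data),
        "moved_nand_no_fv": read_file(mac_b, wrapped, data),
        "same_device_fv_right_pw": read_file(mac_a, fv_wrapped, fv_data, "correct horse"),
        "same_device_fv_wrong_pw": read_file(mac_a, fv_wrapped, fv_data, "wrong"),
        "moved_nand_fv_right_pw": read_file(mac_b, fv_wrapped, fv_data, "correct horse"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'readable' if result else 'inaccessible'}")
```

The two rows to compare are `moved_nand_no_fv` (the NAND alone, in another device, is unreadable even without FileVault) and `same_device_no_fv` (on the original device the UID alone suffices, so whoever can get that device to unwrap the key gets the data). Adding the password to the hierarchy is what makes `same_device_fv_wrong_pw` fail, which is the difference FileVault makes in this model.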
Just as secure as soldered-on stuff. The encryption is handled by the controller, which is part of the SoC, so removing the SSD gives you the same encrypted blob of NAND as would desoldering an SSD on a Mac laptop.
 
Should I now? Has it become less safe? Can it be connected to another machine (a PC, e.g.) and read somehow if it's not "FileVaulted"?
Data on modern Macs is encrypted regardless of whether FileVault is enabled or not. There is no decrease in security on storage NANDs that are not soldered on. Additionally, Apple has protections in that you can't just plop a used storage NAND into another Mac; it won't boot or work, even if you have your sign-on credentials.
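A practical way to check the FileVault side of this on your own Mac, added here as an example rather than taken from the thread: parse `fdesetup status` and the per-volume section of `diskutil apfs list` and list any Data-role volume whose FileVault field is not "Yes". The embedded sample outputs are constructed to follow the layout of those tools as seen on macOS; the exact spacing and field names are an assumption about that format, so adjust the regular expressions if your version prints them differently.

```python
"""Report FileVault status for APFS Data volumes. Added example, not from the
original thread; sample tool output below is constructed, not captured."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"

# Constructed to follow the per-volume layout of `diskutil apfs list` (assumed format).
SAMPLE_APFS_LIST = """\
APFS Container (1 found)
|
+-- Container disk3 0A4E8E4E-7F5C-4D3B-9E2A-1C3D5E7F9A0B
    ====================================================
    APFS Container Reference:     disk3
    Size (Capacity Ceiling):      494384795648 B (494.4 GB)
    |
    +-> Volume disk3s1 5D0C1F7E-1111-4E51-9F0B-2B2B2B2B2B2B
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s1 (System)
        Name:                      Macintosh HD (Case-insensitive)
        Mount Point:               Not Mounted
        Sealed:                    Yes
        FileVault:                 No
    |
    +-> Volume disk3s5 7A3B9C2D-2222-4B6E-8D1A-3C3C3C3C3C3C
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s5 (Data)
        Name:                      Macintosh HD - Data (Case-insensitive)
        Mount Point:               /System/Volumes/Data
        Sealed:                    No
        FileVault:                 No
"""

# Same Data volume with FileVault enabled (constructed).
SAMPLE_DATA_VOLUME_FV_ON = """\
        APFS Volume Disk (Role):   disk3s5 (Data)
        Name:                      Macintosh HD - Data (Case-insensitive)
        Mount Point:               /System/Volumes/Data
        FileVault:                 Yes (Unlocked)
"""

_ROLE_RE = re.compile(r"APFS Volume Disk \(Role\):\s+(\S+)\s+\(([^)]*)\)")
_FIELD_RE = re.compile(r"^\s*(Name|Mount Point|FileVault):\s+(.*)$")


def parse_apfs_list(text: str) -> List[Dict[str, str]]:
    """One dict per APFS volume: disk, role, name, mount_point, filevault."""
    volumes: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = _ROLE_RE.search(line)
        if m:
            current = {"disk": m.group(1), "role": m.group(2)}
            volumes.append(current)
            continue
        f = _FIELD_RE.match(line)
        if f and current is not None:
            key, value = f.group(1).lower().replace(" ", "_"), f.group(2).strip()
            if key == "name":  # drop the trailing "(Case-insensitive)" style suffix
                value = re.sub(r"\s+\([^)]*\)$", "", value)
            current[key] = value
    return volumes


def fdesetup_is_on(text: str) -> bool:
    return text.strip().startswith("FileVault is On")


def unprotected_data_volumes(apfs_text: str) -> List[str]:
    """Names of Data-role volumes whose FileVault field does not start with 'Yes'."""
    return [v.get("name", v["disk"]) for v in parse_apfs_list(apfs_text)
            if v["role"] == "Data" and not v.get("filevault", "").startswith("Yes")]


def report(fdesetup_text: str, apfs_text: str) -> Dict[str, object]:
    return {"fdesetup_on": fdesetup_is_on(fdesetup_text),
            "unprotected_data_volumes": unprotected_data_volumes(apfs_text)}


def live_report() -> Optional[Dict[str, object]]:
    """Run the real tools when they exist (macOS); otherwise return None."""
    if not (shutil.which("fdesetup") and shutil.which("diskutil")):
        return None
    fde = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
    apfs = subprocess.run(["diskutil", "apfs", "list"], capture_output=True, text=True).stdout
    return report(fde, apfs)


if __name__ == "__main__":
    print(live_report() or report(SAMPLE_FDESETUP_OFF, SAMPLE_APFS_LIST))
```

Run it on the Mac in question; an empty `unprotected_data_volumes` list together with `fdesetup_on: True` means the user-data volume is already password-protected, and the removable-module question does not change that.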
Do the new MacBook Pros also have slotted SSDs? Are they NVMe, something else?

The main limit of my M2 MacBook Pro is the internal storage.
None of the current MacBook Pros have replaceable storage. The computers that do (Mac mini, Mac Studio, Mac Pro) do not use standard SSDs, either.
 
None of the current MacBook Pros have replaceable storage. The computers that do (Mac mini, Mac Studio, Mac Pro) do not use standard SSDs, either.
So it's not NVMe; it's keyed some other way, but Apple mentions 3rd parties, so can we assume the pinout is open and 3rd parties will be able to offer them?

They get married to the Mac via UUID when you install them?

I assume you need Apple Configurator and another Mac to marry the drives and format and install bridgeOS and macOS?

Do we know?
 
According to my sources, Apple pre-ships its upgrade kit; it contains Apple-specific controller firmware and a unique ID.

Apple Configurator uses the UID to marry the drives to the Secure Enclave.

So you'd need to reverse these too for 3rd-party upgrades. Never likely to happen, and if anyone did it, they could not sell it, with Apple issuing a DMCA cease and desist.

So yeah, they are upgradable, from Apple at Apple's price.
 
So it's not NVMe; it's keyed some other way, but Apple mentions 3rd parties, so can we assume the pinout is open and 3rd parties will be able to offer them?

They get married to the Mac via UUID when you install them?

I assume you need Apple Configurator and another Mac to marry the drives and format and install bridgeOS and macOS?

Do we know?
Yes, you have to restore the computer using Configurator. Apple doesn't publish any data on, nor even mention the possibility of, using the slots for 3rd-party disk upgrades, but there are people who are selling them for the M4 mini. There will never be a way to use NVMe drives in these slots because the Apple Silicon Macs have the disk controller built into the system, not on the disk, the way an NVMe drive has.
 
So it's not NVMe
I've heard they are remarkably close to standard NVME cards, but minus the controller hardware, which is part of the SoC in a Mac. So just the NAND chips themselves + power circuitry. No idea if the pin signaling is any different too—probably, just to create another barrier.

As others have mentioned, the data is encrypted whether or not FileVault is enabled, and you can't swap the cards between machines.
 
So it's not NVMe; it's keyed some other way,
It's more than just "keyed": NVMe storage has various components built onto the module, including the flash NAND, controller, firmware, interface circuitry, etc.

For Macs, the controller, interface logic circuitry (and I think firmware) are built into the SoC. For the Studio and Mini, the flash NANDs are on removable modules. For the laptops and iMac, the flash NANDs are soldered onto the logic board.

There are companies that sell these modules, mostly on AliExpress, and you can upgrade the storage of your mini and Studio. It's not sanctioned by Apple, and if you damage your Mac, you're SOL. Also, you will need a second Mac to boot into DFU mode and flash the chips (I think that's what it's called), and then you can install macOS and restore your backed-up system.
 
My take on encryption and data security…

If it’s a bad actor and your data is valuable enough… torture methods and gun to the head until you release / give access.

If it’s a government (potentially a bad actor one), lock you up or threaten legal action until you release / give access.

The tech is rarely not secure enough. It’s all the surrounding humans as usual
 

Seems to be some hope we can use an adapter to install standard NVMe SSDs, but I don't think we know the pinout or if it may work.
No. The storage module in these Macs, mini and Studio, is a NAND package with no controller whatsoever; it's simply raw storage capacity, with the controller on the SoC. The storage module isn't an SSD in the way you think of NVMe as an SSD. In this way, it's not much different from NAND chips soldered directly onto the mainboard, as in MacBook Airs and Pros.

Yes, I know I'm really just saying what others have already said, so apologies to them for the redundancy.
 