Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Instant Filevault encryption/decryption on 2018 MBP

J

jiangning

macrumors member
Original poster
Jan 29, 2010
48
18
I noticed my new 2018 MBP turned on Filevault by default. Out of curiosity, I turned it off and on again. Unlike previous experience, both processes were instant, no need to wait hours.

I'm a bit doubtful on whether Filevault is actually turned on given zero encryption time? Does the instant encryption has something to do with T2 chip?
 
sputnikBA

sputnikBA

macrumors 6502
Jan 2, 2018
301
402
The short answer is that it is the result of a combination of ultra fast SSD, some features of APFS designed around encryption, and that one of the functions of the T2 chip is handling encryption in the background instead of the main CPU doing it - so you don’t feel any performance penalty for encrypt/decrypt tasks.
 
  • Like
Reactions: afir93 and maflynn
poorcody

poorcody

macrumors 65816
Jul 23, 2013
1,338
1,584
Might find this support doc of interest:
https://support.apple.com/en-us/HT208344

What I find interesting from it is this line:
Though the SSD in computers that have the Apple T2 chip is encrypted, you should turn on FileVault so that your Mac requires a password to decrypt your data.
Click to expand...

From that I get the impression all SSDs with the T2 chip are automatically encrypted, so technically turning FileVault on or off does not really change the fact the drive is encrypted (it always is). Only reason to turn it on, apparently, is to activate a password.
 
Last edited:
  • Like
Reactions: adrianlondon
CrashTestWalrus

CrashTestWalrus

macrumors regular
Mar 1, 2018
126
53
I think the best way I have heard it described is that it operates like current iDevices do. The storage is always encrypted, if you set a passcode the main volume will not be decrypted until it is entered, so you are effectively keeping the OS from accessing the key, or keys really, that are stored in the Secure Enclave until you enter your passcode on your iDevice. The new MacBook Pro, and I believe the iMac Pro, operate the same. The drives are always encrypted, turning on FileVault just password protects the decryption key. No decryption will happen until the password is entered.

This too is probably oversimplification, my guess is that there are multiple parts of the drive that are encrypted in different ways. Much like the iDevices. Some parts are decrypted automatically, like the boot partition, other parts can be held up by not having entered the passcode. Either way, the FileVault on the 2018 MacBook Pro is happening instantly because the drives aren't being encrypted or decrypted. You are password protecting the decryption key, and removing that protection with the checkbox.
 
Weaselboy

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,471
16,182
California
jiangning said:
I noticed my new 2018 MBP turned on Filevault by default. Out of curiosity, I turned it off and on again. Unlike previous experience, both processes were instant, no need to wait hours.

I'm a bit doubtful on whether Filevault is actually turned on given zero encryption time? Does the instant encryption has something to do with T2 chip?
Click to expand...
I noticed the same thing with mine when I turned on FV. I was waiting for a reboot and the long encryption process like I have seen on older MBPs... and it did not happen and was pretty much instant like you said.

I even turned FV off then back on just to test, and it did the same thing. If you run diskutil list and diskutil cs list in Terminal you can see that the volume is encrypted though, so it seems to be working.
 
Newtons Apple

Newtons Apple

Suspended
Mar 12, 2014
22,757
15,254
Jacksonville, Florida
Weaselboy said:
I noticed the same thing with mine when I turned on FV. I was waiting for a reboot and the long encryption process like I have seen on older MBPs... and it did not happen and was pretty much instant like you said.

I even turned FV off then back on just to test, and it did the same thing. If you run diskutil list and diskutil cs list in Terminal you can see that the volume is encrypted though, so it seems to be working.
Click to expand...

So it still takes a good bit of time but now does it in the background?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom