2018-12-11

I worked in encryption for years as an engineer, so I’m not a stranger to it. All these years I have avoided Apple FileVault because of the performance hit. But with the T2 chip in newer Macs such as the Mac mini I am currently testing doing the encryption in real time (no performance hit), I thought I would try it.

See the details of enabling FileVault further below as well as reader comments.

Nerd discussion

After fully configuring the and running a variety of tests (results coming soon), I turned on FileVault.

If FileVault actually encrypts data, I would expect disk I/O reads and writes to occur at maximum speed until the entire 1TB internal SSD is encrypted (or at least the 505GB of data on it). But instead I see no disk I/O at all. Rebooting, I see no disk I/O either. In other words, FileVault cannot possibly be re-encrypting the data.

In other words, all data was encrypted to start with, using a fixed key stored without itself being encrypted by any user-supplied password. Or it was never encrypted and still is not encrypted, but that alternative is too huge a bug to be credible, so I rule that out.

The behavior I observe implies that turning on FileVault and supplying a password does nothing more than encrypt the encryption key already there using the user-supplied password (and presumably a random salt value or vice versa). Because if the data is already encrypted, the decryption key and/or salt value either must remain the same, or all the data must be decrypted and re-encrypted.
Which suggests some level of security risk since that key already existed without the password protection of the user-supplied encryption password. I presume that the T2 secure enclave somehow forestalls this security risk, but I do not know the details. Maybe there is some per-chip specificity that forestalls a general security weakness. Even so, that assumes hardware invulnerability, which is not possible.

The behaves the same way when enabling encryption, so presumably both Apple and Samsung have a similar approach in that the data is actually always encrypted.

Update 13 Dec: reader Simon N writes:

You might want to look into PDF Overview for details on how encryption works with the T2 chip. Pages 5 and following should answer your questions.

MPG: works pretty much like my chain of deduction had—very well done, but also guaranteeing total data loss if anything goes wrong—see comments from Jeff H further below.

Enabling File Vault

Turn on (or off) FileVault in System Preferences => Security & Privacy => FileVault.

FileVault recovery key

Reader comments on File Vault

Jeff H writes:

I just read your blog post on FileVault on the 2018 Mac mini and wanted to share my horror story of FileVault on the 2018 Mac mini: Last night, I enabled FileVault on my Mac mini from within System Preferences. This morning, when I booted my Mac after shutting it down, I was prompted to enter my password to sign in, and it didn’t work! After a few incorrect tries, I was prompted to enter my Recovery Key, so I entered my carefully recorded Recovery Key, and that didn’t work either. So basically I am now completely locked out of my Mac, with no way to recover.
Here’s the crazy thing: if I boot into Recovery Mode (holding cmd-R at boot time) and then try to launch Terminal from within Recovery Mode, I am prompted for my administrator password to open Terminal. If I enter my password there, it works! So somehow the system installed in Recovery Mode has my correct password, but BridgeOS or EFI or whatever controls the early boot process for volumes with FileVault enabled is borked, so now I am permanently locked out and I’m going to have to restore my entire Mac. :-(

So be very careful with FileVault on the 2018 Mac mini.
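
As an added illustration of the model deduced in the nerd discussion above (not code from the original post, and not Apple's implementation): a volume key encrypts the data from the start, and enabling FileVault only re-wraps that key under a password-derived key. `Volume`, `hw_key` and the HMAC-based toy cipher are assumptions made for this sketch; a real design uses AES in hardware.

```python
import hashlib, hmac, secrets

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for the real AES engine.
    ks = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    # Encrypt-then-MAC with separate subkeys; returns nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or damaged blob")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

def wrapping_key(hw_key, password, salt):
    if password is None:               # FileVault off: chip-bound key alone
        return hw_key
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return _mac(hw_key, pw)            # FileVault on: password AND chip both required

class Volume:
    def __init__(self, hw_key, data):
        vk = secrets.token_bytes(32)   # volume key, generated once
        self.hw_key, self.salt = hw_key, b""
        self.disk = seal(vk, data)     # bulk data is encrypted from day one
        self.wrapped_vk = seal(hw_key, vk)

    def enable_filevault(self, password):
        vk = unseal(self.hw_key, self.wrapped_vk)
        self.salt = secrets.token_bytes(16)
        self.wrapped_vk = seal(wrapping_key(self.hw_key, password, self.salt), vk)
        # self.disk is not touched: nothing is re-encrypted, so no disk I/O

    def read(self, password=None):
        vk = unseal(wrapping_key(self.hw_key, password, self.salt), self.wrapped_vk)
        return unseal(vk, self.disk)

if __name__ == "__main__":
    vol = Volume(secrets.token_bytes(32), b"constructed sample data " * 1000)
    before = vol.disk
    vol.enable_filevault("constructed-passphrase")
    print("disk bytes unchanged:", vol.disk == before)
```

In this model, overwriting `wrapped_vk` makes `read()` fail for every password, because the few bytes of wrapped key are the only path to the data.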