MacOS – Does FileVault encrypt the disk instantly

Tags: encryption, filevault, macos

I have recently found that FileVault is disabled on my machine, although I remember that I set the "encrypt" option when I was setting the machine up.

I opened System Preferences and enabled FileVault. To my surprise, it didn't take any time. I didn't have to wait while the data was encrypted. It just got instantly enabled.

My configuration: MacBook Air 2018, 256Gb SSD, macOS Mojave 10.14.1

I understood that the disk is not encrypted because I was able to access the content from my home directory from a guest session.

How is it possible that turning on FileVault doesn't take any time?

Best Answer

You have a new Mac with an SSD and T2 chip so all data on it is encrypted always. Any election you make in FileVault just adds and removes user keys from the trust chain so that happens basically instantly. However, when a FileVault credentialed user isn’t created, the system unlocks itself so the encryption door is always wide open.

The next time you restart, the system will notice that the first per-user key is now active and change the boot process so that the system won't unlock that storage and start the OS until your key unlocks the storage. Keep in mind, FileVault by default on APFS is all or nothing. When you unlock the storage, any account can read any files it has permission to read, and you need your password to keep other users (guests) off your files and session.

You can inspect this by looking at diskutil apfs list to examine each APFS container's and synthesized volume's encryption and lock status.

mac:~ me$ diskutil list
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         250.0 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +250.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Mac                     191.7 GB   disk1s1
   2:                APFS Volume Preboot                 65.4 MB    disk1s2
   3:                APFS Volume Recovery                1.0 GB     disk1s3
   4:                APFS Volume VM                      3.2 GB     disk1s4

Be sure to restart your machine and test the guest session scenario again. Only a full “Guest account” that’s set up in user preferences will keep your data marginally protected when you have an unlocked / unencrypted synthesized Macintosh HD boot / OS / user volume.
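As an added example (not part of the original answer), this shell script reads `diskutil apfs list` output and labels each volume by whether a user key gates access to it. The `FileVault:` field values, the sample text and the helper names (`fv_report`, `fv_classify`, `fv_audit`, `sample_output`) are assumptions modeled on Mojave-era output, not taken from the page.

```shell
#!/bin/sh
# Added example. Assumes `diskutil apfs list` volume blocks contain
# "APFS Volume Disk (Role):", "Name:" and "FileVault:" lines (Mojave-era
# layout); adjust the patterns if your macOS version prints them differently.

# fv_report: read diskutil text on stdin, print "identifier<TAB>name<TAB>state".
fv_report() {
  awk '
    /APFS Volume Disk/    { sub(/.*Role\): */, ""); disk = $1; next }
    /^[| ]*Name: /        { sub(/^[| ]*Name: */, ""); sub(/ \(Case-.*/, "")
                            name = $0; next }
    /^[| ]*FileVault: /   { sub(/^[| ]*FileVault: */, "")
                            print disk "\t" name "\t" $0 }
  '
}

# fv_classify: map the FileVault field to what it means for unlocking.
fv_classify() {
  case "$1" in
    Yes*)                     echo "user-key-required" ;;               # FileVault on
    "No (Encrypted at rest)") echo "hardware-encrypted-auto-unlock" ;;  # T2, no user key
    *)                        echo "not-protected" ;;
  esac
}

# fv_audit: one "identifier<TAB>name<TAB>classification" line per volume.
fv_audit() {
  fv_report | while IFS="$(printf '\t')" read -r disk name state; do
    printf '%s\t%s\t%s\n' "$disk" "$name" "$(fv_classify "$state")"
  done
}

# Constructed sample input (not captured from a real machine).
sample_output() {
  cat <<'EOF'
+-- Container disk1 (constructed sample)
    +-> Volume disk1s1
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Mac (Case-insensitive)
    |   FileVault:                 No (Encrypted at rest)
+-- Container disk2 (constructed sample)
    +-> Volume disk2s1
        APFS Volume Disk (Role):   disk2s1 (No specific role)
        Name:                      Backup (Case-insensitive)
        FileVault:                 Yes (Unlocked)
EOF
}

sample_output | fv_audit   # on a Mac: diskutil apfs list | fv_audit
```

A volume reported as `hardware-encrypted-auto-unlock` corresponds to the state the answer describes: the data is encrypted, but the system unlocks it without any user credential.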