MacOS – When and how does FileVault decrypt a SSD on a T2 Machine

Tags: encryption, filevault, macos, security, ssd

Based on what does the T2 chip, on user login, decrypt an SSD with FileVault enabled? Does bypassing the user password result in a possible decryption of the SSD? Several years ago there were tools that bypassed the user password.

Around the web I have found:

Turn on FileVault, however, and a T2-equipped Mac engages in the same boot behavior as one that handles disk encryption in software. Instead of loading macOS directly, the Recovery partition boots in a special mode that requires entry of the password of any account allowed to use FileVault. Until that password is entered, the disk’s contents remain encrypted just as if it were at rest.

From this we can understand that logging into your Mac user account – a user that is approved by the T2 to unlock the drive on which FileVault is enabled – is enough to decrypt the drive. From this the question: will bypassing the user password using some sort of tool decrypt the drive?

I am curious because prior to the T2, depending on your configuration, you could end up with two password requests at login:

  • One for the user
  • One to decrypt the drive

That seemed a much stronger and secure approach.

Best Answer

No, it is not enough to simply bypass the user password prompt. That's not how it works, and it is not a less secure or less strong approach than earlier - actually it is an improvement.

The way the T2 chip works is by always encrypting the contents of the SSD. This happens no matter if FileVault is enabled or not. If FileVault is not enabled, no password is necessary to decrypt the SSD, as you would expect.

However, when the user enables FileVault, the keys for decrypting the SSD are encrypted with a key based in part on the user's password. This means that the T2 can no longer decrypt the SSD on its own when booted. No matter how much "trickery" you use to bypass password prompts, it won't work, as it doesn't have the key necessary to decrypt.

As soon as the user enters his password (or a recovery key) - the T2 has the necessary information to derive the full decryption key and can thus decrypt the contents of the drive.

Note: The above is a grossly simplified explanation of how FileVault and the T2 work, but it is representative of how it is perceived by users.