T2 chip encryption benefits: “Your encrypted SSDs automatically mount and decrypt when connected to your Mac.”


I just read the Mac page about SSD encryption by the T2 chip here:

Always back up your content to a secure external drive or other secure backup location so that you can restore it, if necessary. You should also turn on FileVault for additional security, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac.

I am confused. Isn't encryption only useful when it does not automatically decrypt? This seems rather useless. I guess it prevents certain kinds of attacks: someone steals the SSD from the device using advanced techniques without stealing the whole laptop. In this case, doesn't it just make sense to take the whole laptop?

What is the purpose of the encryption provided by the T2 chip? I know the benefits of FileVault 2 though, which also makes use of the T2 chip. However, to decrypt this FileVault you need your user password. To decrypt the initial T2 encryption, you need nothing?

Best Answer

If you examine it at a glance it definitely looks useless - but if you look closer at the details, there are actually benefits to be had here:

First, the case of the SSD being separated from the laptop is not as far-fetched as you seem to indicate. I wouldn't be thinking of a scenario of a foreign intelligence breaking in and removing the SSD from your laptop without a trace of anything happening. Rather, think of some day in the future where you hand in your laptop for repairs to have a bigger disk installed, or to have it replaced due to bad blocks [1].

You get your laptop back with a shiny new disk, but you have some certainty that the old disk isn't readable anymore as you've still got your T2 with the key. Similarly, if you scrap your laptop, you can scrap the disk and the T2 separately and be reasonably sure that the disk cannot be read [2].

However, the main practical benefit comes by providing quicker responses to the average user. When you buy a new laptop and want to encrypt your drive, that can be done in the blink of an eye with this system, as the drive is already encrypted - you just need to protect the key with the user passphrase. This I assume would make more users encrypt their drives, as some could be put off by having to wait hours or days for the drive to encrypt (even though they can keep using the computer while it does so).

Similarly, you can safely erase the drive in the blink of an eye. Just ask the T2 to erase the key, and you (and others) no longer have access to the contents on the drive. If the drive hadn't been encrypted in the first place, it is actually very difficult, if not almost impossible, to securely erase it. This can now be done even when the user has never activated FileVault.

[1] As far as I know it is not possible to upgrade your disk currently, but it might be made possible by third parties in the future.

[2] I.e. breaking the mainboard PCB into two pieces. It is relatively easy as the SSD and the T2 are separated by a narrow piece of PCB.
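The three points the answer makes (the drive is encrypted from day one and auto-decrypts while the key is with the T2; turning on FileVault only wraps that existing key under the user passphrase, so nothing is re-encrypted; erasing the key is an instant secure erase) can be seen in a small model. The following is an added example, not Apple's code or anything from the T2 firmware. It assumes an HMAC-SHA256 counter-mode toy cipher in place of the hardware AES engine so it runs on the Python standard library alone, uses scrypt as the passphrase-to-key derivation, and all class and function names (`EnclaveModel`, `seal`, `unseal`, `demo`) are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter), block by block.
    Assumption: stands in for the real controller's AES engine so the example is stdlib-only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key (or tampered data) raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EnclaveModel:
    """Hypothetical model of the T2's custody of the drive's data-encryption key (DEK)."""

    def __init__(self) -> None:
        self._dek = secrets.token_bytes(32)  # the drive is encrypted from the first write
        self._wrapped = None                 # DEK under the passphrase, once "FileVault" is on
        self._salt = None

    # Auto-mount path: while the DEK sits in the enclave, no passphrase is involved.
    def write(self, plaintext: bytes) -> bytes:
        self._require_key()
        return seal(self._dek, plaintext)

    def read(self, blob: bytes) -> bytes:
        self._require_key()
        return unseal(self._dek, blob)

    def _require_key(self) -> None:
        if self._dek is None:
            raise PermissionError("DEK not available: locked or erased")

    # "Turn on FileVault": wrap the existing DEK; the drive contents are untouched.
    def enable_passphrase(self, passphrase: str) -> None:
        self._require_key()
        self._salt = secrets.token_bytes(16)
        self._wrapped = seal(self._kek(passphrase), self._dek)
        self._dek = None  # from now on the DEK is only released by a successful unlock()

    def unlock(self, passphrase: str) -> None:
        if self._wrapped is None:
            raise PermissionError("nothing to unlock: no passphrase set, or key erased")
        self._dek = unseal(self._kek(passphrase), self._wrapped)  # ValueError if wrong

    def lock(self) -> None:
        self._dek = None

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.scrypt(passphrase.encode(), salt=self._salt, n=2**14, r=8, p=1, dklen=32)

    # Instant secure erase: destroy the key, leave the (now unreadable) data in place.
    def crypto_erase(self) -> None:
        self._dek = None
        self._wrapped = None
        self._salt = None


def _fails(fn) -> bool:
    try:
        fn()
    except (ValueError, PermissionError):
        return True
    return False


def demo() -> dict:
    """Walks through the scenarios from the answer; returns what each step showed."""
    results = {}
    t2 = EnclaveModel()
    drive = t2.write(b"tax returns 2019")  # constructed sample content
    results["auto_mount_reads"] = t2.read(drive) == b"tax returns 2019"
    # SSD separated from its T2: without the enclave's DEK the blocks are noise.
    results["ssd_without_t2_unreadable"] = _fails(lambda: unseal(secrets.token_bytes(32), drive))
    t2.enable_passphrase("correct horse battery")  # instant: only the DEK gets re-keyed
    results["locked_without_passphrase"] = _fails(lambda: t2.read(drive))
    results["wrong_passphrase_rejected"] = _fails(lambda: t2.unlock("wrong"))
    t2.unlock("correct horse battery")
    results["old_data_still_readable"] = t2.read(drive) == b"tax returns 2019"
    t2.crypto_erase()
    results["erased_even_with_passphrase"] = _fails(lambda: t2.unlock("correct horse battery"))
    return results


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {'ok' if ok else 'FAILED'}")
```

The point of `enable_passphrase` is that it never touches `drive`: the same ciphertext written before the passphrase existed is still readable after `unlock`, which is why enabling FileVault on a T2 machine is immediate rather than an hours-long re-encryption. `crypto_erase` likewise leaves `drive` in place and only discards key material; afterwards even the correct passphrase cannot bring the DEK back.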