What does “FileVault: No (Encrypted at rest)” mean?

encryption filevault

I have a new MacBook Air 2020 running Catalina 10.15.6 and I'm asking about the encryption on the internal SSD. When I run diskutil apfs list it shows that both the "Macintosh HD" and "Macintosh HD – Data" volumes have the following:

FileVault: No (Encrypted at rest)

What does this mean? If these drives are already encrypted at rest, should I, or do I need to, turn on FileVault to protect the data on them in case my MacBook is stolen?

Best Answer

It means that the SSD is encrypted by the built-in T2 chip. On newer Macs encryption is always enabled and handled by the T2 chip.

This means that the disk is encrypted when at rest, essentially meaning when the computer is powered off and/or the disk drive is removed from the computer. However, as soon as someone turns on the computer, the T2 will supply the necessary key and make the drive contents available.

You will most probably want to enable FileVault. This ensures that your drive cannot be decrypted simply by powering on the computer, but will require your secret password.
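
The check described in the answer above can be scripted. This is an added example, not part of the original post: it parses `diskutil apfs list` text and flags every volume whose `FileVault:` line is anything other than a "Yes" state. The function names, status labels and sample output are constructed for illustration, and the `Yes (Unlocked)` and bare `No` line formats are assumptions about diskutil output that the question does not show.

```shell
#!/bin/sh
# Constructed sample of `diskutil apfs list` output, trimmed to the fields read below.
sample_output() {
cat <<'EOF'
+-- Container disk1 00000000-0000-0000-0000-000000000001
    |
    +-> Volume disk1s5 00000000-0000-0000-0000-000000000002
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 No (Encrypted at rest)
    |
    +-> Volume disk1s1 00000000-0000-0000-0000-000000000003
    |   Name:                      Macintosh HD - Data (Case-insensitive)
    |   FileVault:                 No (Encrypted at rest)
    |
    +-> Volume disk1s9 00000000-0000-0000-0000-000000000004
        Name:                      Backup (Case-insensitive)
        FileVault:                 Yes (Unlocked)
EOF
}

# Reads `diskutil apfs list` text on stdin, prints "<volume name><TAB><status>".
# HARDWARE_ONLY = encrypted by the T2, but readable once the Mac is powered on.
filevault_report() {
  awk '
    /^[ |]*Name:/ {                      # volume name line, tree characters stripped
      name = $0
      sub(/^[ |]*Name:[ \t]*/, "", name)
      sub(/[ \t]*\(Case-[a-z]*sensitive\)[ \t]*$/, "", name)
    }
    /^[ |]*FileVault:/ {                 # one FileVault line per volume
      state = $0
      sub(/^[ |]*FileVault:[ \t]*/, "", state)
      if (state ~ /^Yes/) status = "FILEVAULT_ON"
      else if (state ~ /^No \(Encrypted at rest\)/) status = "HARDWARE_ONLY"
      else if (state ~ /^No/) status = "UNENCRYPTED"
      else status = "UNKNOWN"
      printf "%s\t%s\n", name, status
    }'
}

# Prints the number of volumes that are not protected by a FileVault password.
filevault_gaps() {
  filevault_report | awk -F "\t" '$2 != "FILEVAULT_ON" { n++ } END { print n + 0 }'
}

# On a Mac, report on the real disks; elsewhere, fall back to the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
  diskutil apfs list | filevault_report
else
  sample_output | filevault_report
fi
```
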