
Guitar_t-bone

macrumors newbie
Original poster
Sep 25, 2017
17
11
I installed MacOS High Sierra today. As I was browsing the net, I read that APFS has "native encryption". Does this mean that FileVault is just a redundancy now?

If I disable FileVault will my data still remain encrypted or has FileVault been converted to basically an on/off switch for the APFS native encryption?
 

Naaaaak

macrumors 6502a
Mar 26, 2010
637
2,068
I am also concerned from a performance perspective. According to this, APFS is significantly slower:

Code:
Speed in MB/s:
           HFS+     HFS+ Encrypted    APFS     APFS Encrypted
1M WRITE   1375     1373              1372     933
1M READ    2446     2340              2162     1304
4K WRITE   852      797               502      378
4K READ    2106     1486              2156     1001


EDIT: Beta benchmarks.
 

Guitar_t-bone

macrumors newbie
Original poster
Sep 25, 2017
17
11
That's.... That's incredibly disturbing....
Then again though... If you look at this video (it's in German, but you can still see the relevant comparisons by reading what's on the guy's screen) it shows improvements in all areas.
Also what you posted could be inaccurate since that was from beta. Apple has made performance changes in the last two months since that.
 

Guitar_t-bone

macrumors newbie
Original poster
Sep 25, 2017
17
11
UPDATE: I also posted this question on Reddit. I seem to have found a legitimate answer from there. I copy/pasted it below for those who are still following this thread.



youngermann 35 minutes ago
I am pretty sure APFS(Encrypted) == FileVault Encryption
I did not choose the APFS Encrypted option when I formatted my boot drive for the HS install. I formatted it to just APFS.
When the FileVault option screen came up, I chose to turn on encryption. After the install, Disk Utility shows the boot volume now as APFS(Encrypted).

------------------------

cbackas42 27 minutes ago
This is correct. "FileVault" is essentially the marketing name for encrypting the boot volume.

------------------------

Guitar_t-bone[S] 19 minutes ago

Thank you very much for the clarification.

Though, I do wonder. Given the fact that both HFS+ and APFS utilize FileVault, what is the difference between the acclaimed APFS "native encryption" and HFS+ "non-native encryption"?

------------------------

cbackas42 14 minutes ago

HFS+ does not support encryption. In order to accomplish it, a whole new layer called "CoreStorage" was created. CoreStorage can be encrypted, and HFS+ can live inside CoreStorage. CS is sort of a giant hack to graft new capabilities onto an old OS. Using CS Encryption on your boot drive is called "FileVault", but you can certainly CS Encrypt pretty much any drive you want - it's the same encryption.

APFS supports it intrinsically. I'm not sure if it's "stronger" encryption than what CS used or not, but it's certainly more flexible. We aren't seeing the full extent of what it can do just yet (things like per-file encryption) - maybe in future releases. But it's the same situation, it's called 'FileVault' when applied to your boot volume, but you CAN encrypt any volume and it's the same encryption.

They're just using FileVault as a blanket term so that end users have an idea of what they're getting without having to understand the confusing situation underneath.
 

SRLMJ23

macrumors 68020
Jul 11, 2008
2,302
1,411
Central New York
This seems correct because I did a clean install and chose APFS (Encrypted) and when the install was done, I checked to see if I could enable FileVault or not, and it was ALREADY enabled. So APFS (Encrypted) is just APFS with FileVault enabled during installation. At least that is how I see it.

Thank you for finding this for us that had this question though!

 

Guitar_t-bone

macrumors newbie
Original poster
Sep 25, 2017
17
11
I'll be honest. I, being only a moderately tech savvy person, was under the interpretation that "native encryption" meant everything was just encrypted to begin with. I will preface by stating that I did not use FileVault to encrypt my data in previous macOS and OS X versions.

When I installed High Sierra today, it prompted me to set an encryption password as well as sign into iCloud in case I need to recover my encrypted drive. Thinking nothing of it, I put in the info. Then I noticed that FileVault was beginning to encrypt my drive. I started getting confused since I didn't understand what native encryption was. I was thinking it was encrypting an already encrypted volume. Obviously, that sounded like a really bad idea, so I sought clarification.

I'm glad to see I'm not the only person that didn't quite understand what was going on.
 

gmanist1000

macrumors 68030
Sep 22, 2009
2,832
824
FileVault is just a GUI. The name is throwing people off, but it's the newest version of APFS's native encryption.

From ArsTechnica: "FileVault in High Sierra isn’t technically full-disk encryption; it merely encrypts the parts of the disk that are actively being used. Other disk encryption systems (including Microsoft’s BitLocker) offer this kind of encryption but also let you go ahead and encrypt all free space on the volume, too, if you want. Apple doesn’t let you choose, and it doesn’t even tell you there’s a difference."
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,683
1,690
UK
UPDATE:

HFS+ does not support encryption. In order to accomplish it, a whole new layer called "CoreStorage" was created. CoreStorage can be encrypted, and HFS+ can live inside CoreStorage. CS is sort of a giant hack to graft new capabilities onto an old OS. Using CS Encryption on your boot drive is called "FileVault", but you can certainly CS Encrypt pretty much any drive you want - it's the same encryption.

APFS supports it intrinsically. I'm not sure if it's "stronger" encryption than what CS used or not, but it's certainly more flexible. We aren't seeing the full extent of what it can do just yet (things like per-file encryption) - maybe in future releases. But it's the same situation, it's called 'FileVault' when applied to your boot volume, but you CAN encrypt any volume and it's the same encryption.

They're just using FileVault as a blanket term so that end users have an idea of what they're getting without having to understand the confusing situation underneath.

Good summary. I would just add that because APFS supports encryption, there is no reboot when you turn on Filevault. When you turn on Filevault on an HFS+ volume it has to reboot because of the conversion to CoreStorage.
 

yadmonkey

macrumors 65816
Aug 13, 2002
1,306
838
Western Spiral
I upgraded my unencrypted drive to High Sierra and APFS today, but see in DU that my boot drive was not encrypted by default. Am I correct that I need to enable FileVault to get APFS encryption now? But doing so will NOT do the CoreStorage workaround, right?
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,683
1,690
UK
I upgraded my unencrypted drive to High Sierra and APFS today, but see in DU that my boot drive was not encrypted by default. Am I correct that I need to enable FileVault to get APFS encryption now? But doing so will NOT do the CoreStorage workaround, right?

Correct on both questions. You need to turn on FV and it will not convert to CoreStorage, hence no reboot required.
 

curmudgeonette

macrumors 6502a
Jan 28, 2016
586
496
California
Why would you want to encrypt something that simply says, "there is nothing here"?

Because there might have been something "there". In other words, that file of important data, which you simply deleted, is still on the drive until overwritten. Further, with an SSD, trying to overwrite before delete won't actually wipe out the data. Instead, the block will simply be added to the (end of the) queue of blocks into which to write fresh data.
 

Guitar_t-bone

macrumors newbie
Original poster
Sep 25, 2017
17
11
I am also concerned from a performance perspective. According to this, APFS is significantly slower:

Code:
Speed in MB/s:
           HFS+     HFS+ Encrypted    APFS     APFS Encrypted
1M WRITE   1375     1373              1372     933
1M READ    2446     2340              2162     1304
4K WRITE   852      797               502      378
4K READ    2106     1486              2156     1001


EDIT: Beta benchmarks.


So... I just finished encrypting my drive. It took all night.

Now I know benchmarks are supposed to be done on an empty drive etc. And this is by no means meant to be taken as gospel.

However just for the sake of preliminary, non-scientific info, going from HFS+ decrypted to APFS encrypted is as follows according to a simple Blackmagic Disk Speed Test on my Late 2013 MacBook Pro 15inch retina 512GB PCIe SSD:

HFS+ decrypted = 705MB/s write and 727.2MB/s Read

APFS encrypted = 684.2MB/s write and 707.7 Read

This comes down to about a 3% reduction in performance in both read and write.
 

TETENAL

macrumors regular
Nov 29, 2014
248
274
Because there might have been something "there". In other words, that file of important data, which you simply deleted, is still on the drive until overwritten. Further, with an SSD, trying to overwrite before delete won't actually wipe out the data. Instead, the block will simply be added to the (end of the) queue of blocks into which to write fresh data.
But the deleted file would still be encrypted "there", if you had encryption enabled before you deleted it.

Only files deleted before FileVault was enabled would linger unencryptedly in free space.
 

killawat

macrumors 68000
Sep 11, 2014
1,947
3,581
Why would you want to encrypt something that simply says, "there is nothing here"?

Also, you may be able to infer certain things from the partition map. From a security standpoint, it's better to say that all 500 GB of a given sample disk are encrypted rather than only 50 GB of 500 GB being in use, or 450 GB out of 500 GB being used. This can be used to assess, very loosely, how heavily used a machine is and for what purpose.
 

Apple_Robert

Contributor
Sep 21, 2012
34,288
49,530
In the middle of several books.
For those who updated to High Sierra, (or are thinking about it) and turned on FileVault but did not get a generated master key, you can generate a key for your current system password using the following terminal command.


sudo fdesetup changerecovery -personal
you will be prompted for current system password
enter password again
a new file vault generated key will be shown in terminal
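
Added example, not part of the thread and not any poster's code: a pre-check to run before the `changerecovery` command above, which reads the FileVault state and whether a personal recovery key is already set. The function names `fv_state` and `recovery_action` are hypothetical, and the exact wording of the in-progress status lines is an assumption.

```shell
#!/bin/sh
# Added example: inspect FileVault before rotating the personal recovery key.

# Map the text printed by `fdesetup status` to one keyword.
# In-progress patterns are tested first because the status text can span
# several lines (the progress wording here is an assumption).
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# $1 = keyword from fv_state
# $2 = output of `fdesetup haspersonalrecoverykey` (true or false)
recovery_action() {
    case "$1:$2" in
        # A key already exists: changerecovery issues a new one, so the
        # new key must be recorded because the previous one stops working.
        on:true)            echo rotate-and-record ;;
        on:false)           echo generate-key ;;
        encrypting:*)       echo wait-for-encryption ;;
        off:*|decrypting:*) echo not-encrypted ;;
        *)                  echo check-manually ;;
    esac
}

# Only runs on a Mac; elsewhere the functions can still be exercised
# with constructed status strings.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(fv_state "$(fdesetup status)")
    haskey=$(sudo fdesetup haspersonalrecoverykey)
    echo "FileVault: $state, personal key: $haskey -> $(recovery_action "$state" "$haskey")"
fi
```

If the result is `not-encrypted`, the volume is plain APFS and there is no recovery key to change until FileVault is turned on.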
 

macagain

macrumors 6502
Jan 1, 2002
350
117
So, I did a clean install after formatting the ssd as APFS encrypted. Filevault was automatically turned on. I turned off Filevault, and that caused it to decrypt the entire disk. After decryption, the disk then showed as plain APFS in disk utility.
 

Apple_Robert

Contributor
Sep 21, 2012
34,288
49,530
In the middle of several books.
My disk is APFS encrypted. I ran a few Black Magic tests. And the first results were slightly slower (especially the read). I left it going and after the 3rd test, the read / write speeds were back up to where they were before I upgraded to HS. Anecdotal I know but, just wanted to throw it out there. I am not really concerned about the slight hit. The stock Apple SSD is still much faster than anything else I have seen. I'd rather be protected than focus on benchmark tests.
 

SRLMJ23

macrumors 68020
Jul 11, 2008
2,302
1,411
Central New York
For those who updated to High Sierra, (or are thinking about it) and turned on FileVault but did not get a generated master key, you can generate a key for your current system password using the following terminal command.


sudo fdesetup changerecovery -personal
you will be prompted for current system password
enter password again
a new file vault generated key will be shown in terminal

Thank you for this! I thought maybe I missed where it showed me the key, but now I know it never did show me a key. Did what you said to do and have my key now!

 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,683
1,690
UK
Thank you for this! I thought maybe I missed where it showed me the key, but now I know it never did show me a key. Did what you said to do and have my key now!


It won't show a key if you chose the retrieve via iCloud account option. I suspect if you let it encrypt during the install it will use iCloud retrieval by default, and you don't get a choice.
 

thisMRguy

macrumors member
Jan 9, 2013
93
20
So... let me get this clear. After installing HS I can disable FileVault, which I presume is active by default as I installed HS over the previous OS?

I'm not looking to secure my data as such as I don't with this laptop, but having both forms of encryption would be pointless and take a bigger hit in performance too?
 

SaSaSushi

macrumors 601
Aug 8, 2007
4,156
553
Takamatsu, Japan
So... let me get this clear. After installing HS I can disable FileVault, which I presume is active by default as I installed HS over the previous OS?

I'm not looking to secure my data as such as I don't with this laptop, but having both forms of encryption would be pointless and take a bigger hit in performance too?

If you turn off Filevault, you turn off the encryption.
 