A friend of mine got her first Mac, a MacBook Neo. It is my first hands-on experience with Apple Silicon Macs.
I set it up and enabled FileVault. But compared to my Intel iMac, I found the boot sequence perplexing. My iMac prompts for my password before any progress bar shows.
But this Mac shows a progress bar against a black Apple logo screen, then prompts for her account password, after which there is another progress bar (much faster) against the backdrop of normal wallpaper.
Has the timing of the password prompt changed as compared to Intel Macs? Is it now normal to see two progress bars when booting?
Or is this a peculiarity of the Neo and its A-series processor, with M-series Macs behaving differently?
From what you’re seeing, macOS on the Neo is behaving the same as it does on any other Apple Silicon Mac.
Part of what you’re seeing is due to how FileVault works on those Macs. The account password prompt after the first progress bar is asking to unlock the boot disk at a certain point in the boot sequence. The second progress bar represents the part of the boot process after the disk has been unlocked.
Like other Macs when FileVault is enabled, specifying the user/password to unlock a disk will also automatically sign in as that user once the second progress bar completes.
A couple of related side notes on Apple Silicon and T2 equipped Macs.
FileVault works differently between Intel Macs with T2 chips/Apple Silicon Macs and Intel Macs that don’t have the T2 chip.
For T2 equipped or Apple Silicon Macs, the SSD is always encrypted at rest. It’s done in hardware (the T2 chip or Apple Silicon’s integrated SSD controller). No host CPU involved.
So where’s the key for the encryption? By default, macOS self generates a encryption key for that SSD’s volumes. This key is kept in the secure enclave of these Macs and is read and applied by during the boot “firmware” if you aren’t using FileVault.
So how does FileVault play into this? When you enable FileVault on T2/Apple Silicon Macs, that encryption key gets an additional layer of encryption using credentials of the users that are allowed to log into the Mac. This encrypted key is still stored in the secure enclave, but is worthless to unlock the contents of the SSD without inputting credentials to decrypt the key. (or using the FileVault recovery key).
Since all that’s being encrypted is a encryption key, the process to enable FIleVault is fast. No “re-encryption” of the disk is necessary.
For Intel Macs without T2 chips, disks are unencrypted at rest by default. You enable FileVault if you want encryption - which is performed by the Mac’s CPU.
After enabling FileVault the entire disk must be encrypted. Every used data block will need to be read, encrypted, then written back out to disk. This process (thankfully) can occur while you’re using the Mac and can be interrupted, It won’t be considered complete (and all your data protected) until all the existing data has been encrypted. A large HDD/SSD can take a while to fully encrypt because of this.
Thank you, @Technogeezer and @enclydion, for the wealth of information. It seems that what I was seeing is perfectly normal, and now I even know why that’s the case, not to mention why Apple Silicon Macs are unable to boot at all when the internal SSD fails.
