FileVault and backing up - potential considerations

All,
Hoping this community can answer some lingering questions I have about enabling FileVault encryption in Settings. I have multiple backups of my data, external and in the Cloud, using Backblaze.

I have been reluctant to use FileVault, though I understand it is now very reliable and almost universally recommended. My hesitation has been a concern about the impact of FileVault on the data in my backups.

  1. Will my external backups back up an encrypted copy of my files/data or my native files/data? In other words, if I need to restore from an external backup, will there be any issues?

  2. Once I turn on FileVault and encrypt my hard drive, should I be concerned at all about being able to access all my materials later? I am not concerned about using a password and having a security key; I use 1Password and in 1Password I trust.

  3. If FileVault is encrypted and my backups are encrypted copies of the FileVault, what happens in a scenario where my hard drive fails and I need to restore all my data? Assume I have access to my encryption key in 1Password on another device.

  4. Is there any downside to turning on FileVault encryption; if so, what are the considerations?

Many thanks.

GM Shapiro

FYI - Unless you have made your backup drives encrypted, they will not be encrypted.
If you want your backups to be encrypted according to your security vulnerability assessment, you need to make sure you have taken the steps to make your backups encrypted. See instructions for Carbon Copy Cloner (CCC) or whatever you use for backups.
You can encrypt your backup drives after creating them. (That’s what CCC recommends.) It takes a long time, however.

1 Like
  1. FileVault is full disk encryption at a layer below the file system and above the physical volume. While your Mac is running, FileVault has unlocked the drive. Each block read in the file system is decrypted before it’s returned to the operating system and user requesting it. The reverse happens on writes: a block written to the file system is encrypted before the data is written to the volume. Note that since the encryption happens at a layer below the file system, all file system metadata and internal structures are encrypted as well.

    When the operating system is not running and the volume is locked, anything trying to read the disk directly will see encrypted data. Without the encryption key, even if you know the encryption algorithm, the data is useless.

  2. No. As long as you have FileVault configured for unlocking your disk with an “authorized” user at boot (for boot disks) or remembering the password to unlock an external disk that you enable FileVault on, you will be able to access all of your materials. Any backup you have is of the unencrypted data, so you’re safe there as well.

  3. Data read by your backup utility is unencrypted. However, if the backup utility encrypts it as it sends it to its destination (e.g. a backup disk or “the cloud”), you will need to keep track of the key the utility is using to protect your data. As long as you have that key, you can restore your data through that utility to any computer that has the backup application.

  4. Note that T2-equipped Macs and Apple Silicon Macs automatically encrypt the SSD, and store the key in the Secure Enclave. Think of it as “hardware” based encryption. FileVault on those machines encrypts the “hardware” encryption key as it stores it in the Secure Enclave. The process of unlocking the Mac for access at boot is really only decrypting that SSD encryption key. Because of this, boot disk encryption is pretty much the same regardless of whether you enable FileVault or not.

    On Intel Macs without T2 chips, FileVault encryption is handled by the CPU using specialized Intel hardware encryption instructions. It’s faster than a software-only solution, but not as fast as T2 or Apple Silicon Macs.

5 Likes

Thanks for the great insights. As a result I have implemented FileVault encryption on all my Macs. I very much appreciate the time you took to respond to my questions.
Much appreciated.

GM Shapiro