Secure Boot security question

I have read the Apple Support document about using Secure Boot with a Mac that has a T2 security chip.

What I don’t understand is, what risk do I run if I check Medium Security?

Unlike Full Security, that option seems to have the advantage of allowing me to boot from an external drive without necessarily being connected to a network (which could happen in an emergency).

I just don’t want to get myself locked out of the computer if the internal drive fails.

Thank you,


As always, it’s a balancing act between protecting yourself from disclosure vs protecting yourself from data loss.

I think the security you lose with Medium over Full is that it could let a bad actor (the ‘evil maid’) boot the machine while you’re away from it and hack at the firmware or try to find a password to mount the SSD and get the data or install malware. If you aren’t at risk from nation state targeting, it’s currently an unlikely scenario. But if you’re a journalist, live in an unsettled country, organize protests, it might be a good idea to lock it down completely. Also separate out your most private stuff onto the most secure computer/device you have, and do normal things with more normal hardware.

I put my new mini on External Boot and No Security, because I’ll be using Mojave, not Catalina; once Mojave gets old enough for it to not be current and the certificate expires, it would be a problem. I’d also be toast if I had to recover from the network because of my slow connection. No Security compared to Medium gives me the most options for recovery when (it’s never just if) there’s a problem. At least for now, It’s going to be mostly for photography and apps that require at least Mojave to run, so I really don’t need to be paranoid of anything except loss of data or use of the computer.

1 Like