Shirt Pocket Discussions


Brad 11-23-2019 12:58 AM

APFS Encrypted recommended for new MBAir?
 
Hi Dave ~

Wondering if you personally use APFS, in particular APFS Encrypted, on new Apple SSDs?

Just got a new 2019 MBAir with a 1 TB SSD and staring at the Migration Assistant (just setting it up for the first time) and wanting to encrypt [edit: they call it FileVault of course], but having read about the performance issues with APFS, particularly encryption, not sure what to do.

Recommendations?

Thank you kindly!
~ Brad

dnanian 11-23-2019 06:54 AM

T2-based Macs, like this one, are always storing their data to the SSD in an encrypted form. But the performance penalty for FileVault isn't bad, and if you find it objectionable you can always turn it off...

Brad 11-23-2019 10:04 AM

Great. Thanks for the reminder about the T2 chip. For completeness for future readers I found this white paper by Apple: https://www.apple.com/mac/docs/Apple...p_Overview.pdf

I do have one additional question based on a snippet from this white paper:

“External Boot policy

“External Boot policy controls whether a Mac can be booted from external media. This policy is shown only on Mac computers with the T2 chip and is independent from the secure boot policy. Disabling secure boot doesn’t change the default behavior of disallowing boot from external drives.”

Do you advise (or is Apple implying) that booting from an external drive makes one’s backups less secure?

Thanks again!

dnanian 11-23-2019 10:49 AM

At an abstract level, your backup is inherently slightly less secure because it's not protected by hardware encryption like the T2 chip. And the ability to boot from external devices that aren't your backup enables some potential attacks (such as booby-trapped thumb drives), which is why they are defaulting to "off".

But in general terms, those vulnerabilities are outliers, whereas actual drive failure is not. You're far better off being able to easily recover from a failure than protecting yourself from a thumb drive that you picked up off the floor at a trade show in China... because protecting yourself from the latter requires a minimum of thought, whereas the former can only be protected against through direct action: backing up.


All times are GMT -4.