Secure Enclave, Mac SSD hardware encryption and the future of FileVault
The iMac Pro introduced a number of new features, but one that may have been little noticed is the introduction of hardware encryption for the iMac Pro’s SSD storage. Apple references the hardware encryption on the iMac Pro page this way:
T2 also makes iMac Pro even more secure, thanks to a Secure Enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities. The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD’s performance, while keeping the Intel Xeon processor free for your compute tasks.
This hardware encryption means that, even if FileVault is not enabled, the data stored on the iMac Pro’s SSD storage is encrypted. What’s more, the key to unlock the encryption is stored in the iMac Pro’s Secure Enclave and never leaves the machine. Physically remove the SSD storage from the iMac Pro and you won’t be able to access any data stored on the SSD, even if you have an otherwise identical iMac Pro available.
For those with knowledge of how Apple protects data stored on iOS devices, this should sound familiar. The main difference between the iOS and macOS implementation at this point appears to be that macOS does not have the equivalent passcode lock screen.
Instead, the needed encryption key to unlock the hardware encryption is automatically provided by the Secure Enclave when the iMac Pro boots. This behavior is just like that seen on an iOS device where a passcode has not been enabled.
This is referenced when you run the following command on an iMac Pro:
diskutil apfs list
On an iMac Pro where FileVault is not enabled, FileVault is shown with the following status:
FileVault: No (Encrypted at rest)
This recognizes that encryption is available, but that the encryption only provides protection when the data is at rest. “Data at rest” in this context should be understood to mean when the Secure Enclave has not provided the needed encryption unlock key, which would be the case in either of the following scenarios:
- The iMac Pro is off.
- The SSD storage has been removed from the iMac Pro.
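As an added example (not from the original post, and not an Apple tool), the following POSIX shell helper classifies every volume in `diskutil apfs list` output by its FileVault line, so an admin can tell volumes that rely only on the T2's "Encrypted at rest" hardware encryption from volumes where FileVault itself is enabled. The sample output embedded below is constructed in the shape `diskutil apfs list` prints (the identifiers and UUIDs are placeholders, not captured from a real iMac Pro); on a Mac the script runs the real command instead.

```shell
#!/bin/sh
# Added example: classify APFS volumes by the "FileVault:" line that
# `diskutil apfs list` prints for each volume.
#   filevault      -> "FileVault: Yes ..."  (FileVault enabled)
#   hardware-only  -> "FileVault: No (Encrypted at rest)"  (T2 hardware encryption only)
#   none           -> "FileVault: No"  (no encryption reported)
#   unknown        -> anything else

# Constructed sample in the shape of `diskutil apfs list` output (placeholder
# UUIDs and sizes; not captured from a real machine).
SAMPLE_APFS_LIST='APFS Container (1 found)
|
+-- Container disk1 00000000-0000-0000-0000-000000000000
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      1000000000000 B (1.0 TB)
    |
    +-> Volume disk1s1 11111111-1111-1111-1111-111111111111
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (Data)
    |   Name:                      Macintosh HD - Data (Case-insensitive)
    |   Mount Point:               /System/Volumes/Data
    |   FileVault:                 No (Encrypted at rest)
    |
    +-> Volume disk1s2 22222222-2222-2222-2222-222222222222
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 No
    |
    +-> Volume disk1s3 33333333-3333-3333-3333-333333333333
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s3 (Data)
        Name:                      Projects (Case-insensitive)
        Mount Point:               /Volumes/Projects
        FileVault:                 Yes (Unlocked)
'

# Print one "<volume> <classification>" line per volume found in the text in $1.
classify_apfs_volumes() {
  printf '%s\n' "$1" | awk '
    # Remember the volume identifier (e.g. disk1s1) from the Role line.
    /APFS Volume Disk \(Role\):/ {
      line = $0
      sub(/.*\(Role\):[ \t]*/, "", line)
      split(line, parts, " ")
      vol = parts[1]
    }
    # Classify the FileVault line that follows it; check the more specific
    # "No (Encrypted at rest)" before the bare "No".
    /FileVault:/ {
      line = $0
      sub(/.*FileVault:[ \t]*/, "", line)
      if (line ~ /^Yes/)                           cls = "filevault"
      else if (line ~ /^No \(Encrypted at rest\)/) cls = "hardware-only"
      else if (line ~ /^No/)                       cls = "none"
      else                                         cls = "unknown"
      print vol, cls
    }'
}

# Print the classification of a single volume ($2) from the text in $1.
filevault_status_of() {
  classify_apfs_volumes "$1" | awk -v v="$2" '$1 == v { print $2 }'
}

# Count volumes that depend only on the hardware encryption (no FileVault).
count_hardware_only() {
  classify_apfs_volumes "$1" | awk '$2 == "hardware-only" { n++ } END { print n + 0 }'
}

# Use the live command on a Mac; elsewhere (no diskutil) fall back to the sample.
if command -v diskutil >/dev/null 2>&1; then
  classify_apfs_volumes "$(diskutil apfs list)"
else
  classify_apfs_volumes "$SAMPLE_APFS_LIST"
fi
```

A volume reported as `hardware-only` is protected only while the SSD sits in the machine whose Secure Enclave holds its key, which is exactly the "at rest" case the post describes; for a fleet check, a non-zero `count_hardware_only` on a machine that is supposed to have FileVault enabled is the line worth alerting on.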
So what does this hardware encryption mean for FileVault on Apple File System? Is it no longer needed? Will Apple be implementing a passcode lock, like they have on iOS? Will hardware encryption allow FileVault to be enabled in seconds, rather than hours?
I don’t have any inside knowledge, so treat what I’m about to say with the appropriate skepticism. It’s speculation, pure and simple.
That said, I don’t think that Apple will be mapping the iOS passcode experience directly onto macOS. The reason I say that is that iOS’s encryption model incorporates an assumption that iOS is not a multi-user OS. That’s where FileVault encryption on Apple File System comes in. It provides the following:
- The ability to support multiple user accounts.
- An additional encryption layer, providing even more protection for the data stored on the iMac Pro’s SSD storage.
Because of this, I see FileVault on Apple File System staying around for at least the next version of macOS while Apple works out the necessary support for providing an instant-on encryption solution like on iOS, while being able to provide the multiple-user support needed on macOS.
That said, I believe that this transition will be a short one of only one to two years. FileVault on Apple File System will then become a feature needed mostly on Mac hardware which lacks a Secure Enclave. Encryption on Macs equipped with Secure Enclave will change, from something that Mac admins will need to enable and monitor, to something which is Just On and which Just Works.
Hat tip to Tim Perfitt for providing technical assistance with the content in this post. If you’re interested in the iMac Pro’s other changes, please check out Tim’s post on Secure Boot and the iMac Pro.
This would definitely be a step up, as FileVault is not really corporate friendly when a workstation is used by multiple network users. 10.13 especially is a pain IMO. Would be nice if the coprocessor is able to connect to directory servers to grant access.
I’m unclear as to the implications of:
“This hardware encryption means that, even if FileVault is not enabled, the data stored on the iMac Pro’s SSD storage is encrypted. What’s more, the key to unlock the encryption is stored in the iMac Pro’s Secure Enclave and never leaves the machine. Physically remove the SSD storage from the iMac Pro and you won’t be able to access any data stored on the SSD, even if you have an otherwise identical iMac Pro available.”
If the data is encrypted and FV is not enabled, how is the data encrypted, and how is the key generated? If the data is encrypted, and not available if the SSD is physically removed, I assume it is not accessible in any way unless the volume is explicitly unlocked via Target Disk Mode? Or is the encryption key an empty string?
@Graham, the encryption key for the SSD’s hardware encryption is held only in the Secure Enclave on the iMac Pro.
The encryption key stored in the Secure Enclave is unique to that machine, and the Secure Enclave is not removable from the individual iMac Pros, so that means that the contents of the SSD are only going to be readable in a specific set of circumstances: while that SSD is installed on that specific iMac Pro.
Take the SSD out of the iMac Pro and the contents of the SSD will not be readable at all because there’s no way to unlock the hardware encryption.
That said, the Secure Enclave will (currently) provide the key to unlock that SSD’s hardware encryption whenever the iMac Pro boots, so there shouldn’t be a problem with being able to work with the SSD while it’s inside the iMac Pro and able to communicate with the Secure Enclave.
Assuming you can boot the iMac Pro (or any Mac with a T2 chip). This is especially painful if your only intention was to wipe the fingerprint data via xartutil --erase-all
Does the secure enclave provide the unlock key in Target Disk Mode (if TDM is even still a thing with the iMac Pro)? Seems like it might be difficult to retrieve data from a non-booting machine if we can’t pull the drive and if TDM doesn’t work.
I believe so.
WTF? am I reading this correctly? Data is unrecoverable from a dead iMac Pro under all circumstances ?!!!! Whose brilliant idea was this??? Almost 20% of my job is data recovery.
Correct.
Everyone… yes, you’re reading all that correctly. The T2 chips are the *only* location of the decryption key for the SSDs. If you use the well-known recovery mode terminal command xartutil --erase-all you WILL LOSE ALL DATA ON THE SSD.
I also believe that taking the SSD out WILL NOT WORK – as it’s not FileVault.
The only solution is backup. Backup. Backup. Backup. Backup. Backup. Backup.
And FFS, BACKUP!!!
Is there some way to disable T2 chip encryption, or rather, to migrate from T2 default encryption to a non-encrypted APFS disk without losing data?
How does EaseUS Data Recovery work with a T2-enabled Mac???
I need to get raw & unencrypted access to some APFS volumes that are T2-encrypted. Since the same APFS container also contains some unencrypted volumes (e.g. “Recovery”), this means that it’s possible to have unencrypted volumes on a T2-equipped Mac just fine. The only problem is that when installing macOS or adding new volumes with Disk Utility, they get encrypted by default. I need them decrypted, however. Any idea how to do that? See my related SO question: https://apple.stackexchange.com/q/408692/17533