Home > Apple File System, FileVault 2, Secure Enclave > Secure Enclave, Mac SSD hardware encryption and the future of FileVault

Secure Enclave, Mac SSD hardware encryption and the future of FileVault

The iMac Pro introduced a number of new features, but one that may have been little noticed is the introduction of hardware encryption for the iMac Pro’s SSD storage. Apple references the hardware encryption on the iMac Pro page this way:

T2 also makes iMac Pro even more secure, thanks to a Secure Enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities. The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD’s performance, while keeping the Intel Xeon processor free for your compute tasks.

Screen Shot 2018 01 07 at 9 32 21 PM

This hardware encryption means that, even if FileVault is not enabled, the data stored on the iMac Pro’s SSD storage is encrypted. What’s more, the key to unlock the encryption is stored in the iMac Pro’s Secure Enclave and never leaves the machine. Physically remove the SSD storage from the iMac Pro and you won’t be able to access any data stored on the SSD, even if you have an otherwise identical iMac Pro available.

For those with knowledge of how Apple protects data stored on iOS devices, this should sound familiar. The main difference between the iOS and macOS implementation at this point appears to be that macOS does not have the equivalent passcode lock screen.

Iphone7 ios11 passcode lock screen

Instead, the needed encryption key to unlock the hardware encryption is automatically provided by the Secure Enclave when the iMac Pro boots. This behavior is just like that seen on an iOS device where a passcode has not been enabled.

This is referenced when you run the following command on an iMac Pro:

diskutil apfs list

On an iMac Pro where FileVault is not enabled, FileVault is shown with the following status:

FileVault: No (Encrypted at rest)

Screen Shot 2018 01 07 at 9 28 23 PM

This recognizes that encryption is available, but that the encryption only provides protection when the data is at rest. “Data at rest” in this context should be understood to mean when the Secure Enclave has not provided the needed encryption unlock key, which would be the case in either of the following scenarios:

  1. The iMac Pro is off.
  2. The SSD storage has been removed from the iMac Pro.

For more, please see below the jump.

So what does this hardware encryption mean for FileVault on Apple File System? Is it no longer needed? Will Apple be implementing a passcode lock, like they have on iOS? Will hardware encryption allow FileVault to be enabled in seconds, rather than hours?

I don’t have any inside knowledge, so treat what I’m about to say with the appropriate skepticism. It’s speculation, pure and simple.

That said, I don’t think that Apple will be mapping the iOS passcode experience directly onto macOS. The reason I say that is iOS’s encryption model incorporates an assumption that iOS is not a multi-user OS. That’s where FileVault encryption on Apple File System comes in. It provides the following:

  1. The ability to support multiple user accounts.
  2. An additional encryption layer, providing even more protection for the data stored on the iMac Pro’s SSD storage.

Because of this, I see FileVault on Apple File System staying around for at least the next version of macOS while Apple works out the necessary support for providing an instant-on encryption solution like on iOS, while being able to provide the multiple-user support needed on macOS.

That said, I believe that this transition will be a short one of only one to two years. FileVault on Apple File System will then become a feature needed mostly on Mac hardware which lacks a Secure Enclave. Encryption on Macs equipped with Secure Enclave will change, from something that Mac admins will need to enable and monitor, to something which is Just On and which Just Works.

Hat tip to Tim Perfitt for providing technical assistance with the content in this post. If you’re interested in the iMac Pro’s other changes, please check out Tim’s post on Secure Boot and the iMac Pro.

  1. Mattias
    January 8, 2018 at 1:41 pm

    This woud definitely be a step up as FileVault is not really corporate friendly when a workstation is used by multiple network users. Especially 10.13 is a pain IMO. Would be nice if the coprocessor is able to connect to directory servers to grant access.

  2. January 8, 2018 at 5:08 pm

    I’m unclear as to the implications of:

    “This hardware encryption means that, even if FileVault is not enabled, the data stored on the iMac Pro’s SSD storage is encrypted. What’s more, the key to unlock the encryption is stored in the iMac Pro’s Secure Enclave and never leaves the machine. Physically remove the SSD storage from the iMac Pro and you won’t be able to access any data stored on the SSD, even if you have an otherwise identical iMac Pro available.”

    If the data is encrypted and FV is not enabled, how is the data encrypted, and how is the key generated? If the data is encrypted, and not available if the SSD is physically removed, I assume it is not accessible in any way unless the volume is explicitly unlocked via Target Disk Mode? Or is the encryption key an empty string?

    • January 11, 2018 at 9:44 pm

      @Graham, the encryption key for the SSD’s hardware encryption is held only in the Secure Enclave on the iMac Pro.

      The encryption key stored in the Secure Enclave is unique to that machine, and the Secure Enclave is not removable from the individual iMac Pros, so that means that the contents of the SSD are only going to be readable in a specific set of circumstances: while that SSD is installed on that specific iMac Pro.

      Take the SSD out of the iMac Pro and the contents of the SSD will not be readable at all because there’s no way to unlock the hardware encryption.

      That said, the Secure Enclave will (currently) provide the key to unlock that SSD’s hardware encryption whenever the iMac Pro boots, so there shouldn’t be a problem with being able to work with the SSD while it’s inside the iMac Pro and able to communicate with the Secure Enclave.

  3. January 18, 2018 at 9:48 pm

    Does the secure enclave provide the unlock key in Target Disk Mode (if TDM is even still a thing with the iMac Pro)? Seems like it might be difficult to retrieve data from a non-booting machine if we can’t pull the drive and if TDM doesn’t work.

  4. larry
    March 30, 2018 at 11:55 pm

    WTF? am I reading this correctly? Data is unrecoverable from a dead iMac Pro under all circumstances ?!!!! Whose brilliant idea was this??? Almost 20% of my job is data recovery.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: