Newer Macs come with a T2 Security Chip with its own Secure Enclave, a tamper-resistant bit of silicon that allows high levels of security just like on an iPhone and iPad. It’s used to enable Touch ID and allow Apple Pay on laptops, but it also handles several other tasks, including full-disk encryption. (The T2 chip started appearing in Macs with the iMac Pro in very late 2017; see this list to check if you’re not sure if yours is one of them.)

On pre-T2 models, macOS uses a combination of software and hardware-accelerated encryption to encrypt all the data on your disk using FileVault, which can be turned on and off via the Security & Privacy preference pane’s FileVault tab. It can take an extremely long time for FileVault to encrypt a drive entirely the first time on these older Macs, and it can bog down a system while it is underway. Afterwards, Macs generally handle live reading and writing at almost the same speed as if the data weren’t encrypted.

The just-released 27-inch iMac is equipped with the T2 security chip.

FileVault prevents the data on a disk at rest (not powered up and accessed) from being extractable in any effective way. The data is just a bunch of digital scraps without access to the key, and the key can’t be retrieved without the password of one of the FileVault-associated accounts on the Mac, which has to be entered at startup time to unlock the drive.

With the T2 chip managing encryption, what is FileVault left to do on these models? It’s rather subtle.

With FileVault off on a T2-bearing Mac, if a ne’er-do-well extracted the drive from a Mac, the contents remain unobtainable. That’s an improvement over pre-T2 Macs, where the non-FileVault-protected contents would be fully readable. It’s a baseline security improvement. (As a result, by the way, T2-equipped Macs that get an Erase This Device command via Find My become nearly instantly “erased,” just like a Mac with no T2 chip and FileVault enabled: erasing the encryption key renders the drive’s contents permanently unrecoverable.)

However, without enabling FileVault, a Mac only has to be booted for the full-disk encryption to start working, even if it doesn’t automatically log into an account. While the encryption is locked to a hardware key managed by the Secure Enclave in the T2 chip, decryption kicks in as soon as the Mac boots to a login screen. A malicious party might be able to subvert macOS or use hardware methods to access data from the mounted and running drive.

Turn on FileVault, however, and a T2-equipped Mac engages in the same boot behavior as one that handles disk encryption in software. Instead of loading macOS directly, the Recovery partition kicks in a special mode that requires entry of the password of any account allowed to use FileVault. Until that password is entered, the disk’s contents remain encrypted just as if it were at rest.

I recommend enabling FileVault on T2-equipped Macs for the greatest security and peace of mind. The bonus? Because the T2 chip has already encrypted the drive, there’s no overhead and no wait: FileVault is immediately enabled.
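To check which of the states described above a given Mac is in, the following is an added example (not part of the original article) that classifies the output of `fdesetup status` and `system_profiler SPiBridgeDataType`. The function name and the state labels are hypothetical, and the T2 check assumes the chip is reported with the text "Apple T2"; Macs without a T2 chip are only reported as such, not classified further.

```shell
#!/bin/sh
# Added example: map a Mac onto the disk-encryption states the article describes.
# classify_posture FV_TEXT BRIDGE_TEXT
#   FV_TEXT     - output of `fdesetup status`
#   BRIDGE_TEXT - output of `system_profiler SPiBridgeDataType`
# Prints one hypothetical state label.
classify_posture() {
    fv_text=$1
    bridge_text=$2

    case $fv_text in
        *"Encryption in progress"*) fv=encrypting ;;  # initial encryption pass still running
        *"FileVault is On"*)        fv=on ;;
        *"FileVault is Off"*)       fv=off ;;
        *)                          fv=unknown ;;
    esac

    # Assumption: a T2 Mac reports "Apple T2 Security Chip" as the model name.
    case $bridge_text in
        *"Apple T2"*) t2=yes ;;
        *)            t2=no ;;
    esac

    if [ "$fv" = unknown ]; then
        echo "unknown"
    elif [ "$fv" = encrypting ]; then
        # Not all data is protected until the first pass completes.
        echo "encryption-in-progress"
    elif [ "$fv" = on ]; then
        # The drive stays locked at boot until a FileVault account password is entered.
        echo "locked-until-password"
    elif [ "$t2" = yes ]; then
        # Encrypted if the drive is removed, but unlocked as soon as the Mac boots.
        echo "encrypted-at-rest-unlocks-at-boot"
    else
        # No T2 reported and FileVault off: the article's pre-T2 case applies
        # only if this is one of those older Macs.
        echo "no-t2-filevault-off"
    fi
}

# Query the local machine only where the macOS tools are present.
if command -v fdesetup >/dev/null 2>&1 && command -v system_profiler >/dev/null 2>&1; then
    classify_posture "$(fdesetup status 2>/dev/null)" \
                     "$(system_profiler SPiBridgeDataType 2>/dev/null)"
fi
```

A result of `encrypted-at-rest-unlocks-at-boot` is the case where turning on FileVault adds the boot-time password requirement at no extra encryption cost.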

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.