Today, so much important and sensitive information is stored on computers that data security matters more than ever. This article introduces FileVault 2 and the T2 chip on the Mac platform and explains how the two protect your personal data from theft and leaks.
What is FileVault 2 and how does it protect your data?
FileVault is the disk encryption built into macOS; FileVault 2 uses XTS-AES-128 with a 256-bit key. FileVault first appeared in Mac OS X 10.3 Panther, where it encrypted only the user's home folder; from Mac OS X 10.7 Lion onwards, FileVault 2 encrypts the whole startup disk. When you turn it on, the login password of each enabled user becomes a way to unlock the disk, and a recovery key is generated as a fallback (older setups could also define a separate master password). At boot, one of those credentials must be supplied before the disk can be decrypted. Because FileVault 2 is full-disk encryption, everything written to the startup disk is encrypted transparently while you work. Someone who takes the drive or the whole Mac but has no valid password or recovery key sees only ciphertext. The protection is for data at rest, though: once a user has logged in the volume is unlocked, and FileVault does nothing against malware or a thief who finds the machine running and unlocked.
If you want to keep the data on a Mac safe, especially a MacBook you carry around, enable FileVault. On Macs without a T2 chip the CPU does the encryption and decryption, which costs some performance. With an SSD and a modern CPU you will rarely notice the difference; on a Mac with a traditional spinning hard drive the slowdown can be noticeable.
How to enable FileVault?
FileVault is off by default, so you have to turn it on yourself; the password that unlocks the disk is your normal login password.
Step 1: Click on the Apple logo at the top menu bar.
Step 2: Go to System Preferences and choose Security & Privacy (on macOS Ventura and later: System Settings, then Privacy & Security).
Step 3: Click on FileVault tab.
Step 4: Click the little lock icon at the lower left corner to make changes.
Step 5: Enter the administrator password (the login password).
Step 6: Click on “Turn On FileVault…”
If this Mac has more than one user account, a window appears asking you to enable the other users; each of them must type their login password to be allowed to unlock the disk.
Make sure you remember your password and store the recovery key somewhere safe, away from the Mac. If the password is forgotten and the recovery key is lost, the data on the startup disk is unrecoverable because nothing can decrypt it.
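The same steps can be driven from a terminal with Apple's fdesetup(8), which is handy on a fleet or when checking a machine remotely. The script below is an added example, not code from the original article or from Apple: the status parser is exercised on constructed sample output so it can be checked on any system, while the live queries run only where fdesetup exists (macOS). The function names are this example's own.

```shell
#!/bin/sh
# Added example: check and enable FileVault from the command line with fdesetup(8).
# Function names are this example's own; the sample strings are constructed.

# Classify the text that `fdesetup status` prints.
# Returns one of: on, off, encrypting, decrypting, unknown.
# Patterns are tested in order, so a disk that is still encrypting reports
# "encrypting" even though the output also says "FileVault is On".
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Query the machine this runs on; reports "unknown" off macOS.
live_fv_state() {
  if command -v fdesetup >/dev/null 2>&1; then
    fv_state "$(fdesetup status 2>/dev/null)"
  else
    echo unknown
  fi
}

# Turn FileVault on for the current administrator (steps 1 to 6 above).
# fdesetup prompts for the login password; -outputplist prints the personal
# recovery key as a plist. Record that key offline before closing the window:
# without the password and without the key the data is gone.
enable_filevault() {
  sudo fdesetup enable -user "$USER" -outputplist
}

# Prove that a stored recovery key really unlocks this disk before relying on it.
# fdesetup prompts for the key and exits 0 only if it is valid for this volume.
check_recovery_key() {
  sudo fdesetup validaterecovery
}

# List the accounts that are allowed to unlock the disk (the "enable users" dialog).
list_unlock_users() {
  sudo fdesetup list
}

# --- demo on constructed samples; real output may carry extra lines ---
SAMPLE_ON='FileVault is On.'
SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'
printf 'sample 1 -> %s\n' "$(fv_state "$SAMPLE_ON")"    # on
printf 'sample 2 -> %s\n' "$(fv_state "$SAMPLE_BUSY")"  # encrypting
printf 'this machine -> %s\n' "$(live_fv_state)"
```

Run it as a normal user to see the status; call enable_filevault from an administrator account, and keep the plist it prints off the machine. Checking the key with check_recovery_key right after enabling is the step most people skip and then regret.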
What is T2 security chip and how does it protect your data?
The T2 Security Chip is Apple's second-generation custom silicon for Macs (the T1 was the first). It shipped first in the iMac Pro (2017) and then in the MacBook Air, MacBook Pro, Mac mini and Mac Pro. It is a separate processor with its own operating system that takes over functions previously handled by the CPU and by discrete controllers: it contains the Secure Enclave, the SSD controller, the audio controller, the image signal processor and the system management controller. Its main security features include:
- Secure boot: the T2 verifies each stage of the startup chain, from its own firmware to the macOS boot loader, and refuses to continue if anything is unsigned or has been tampered with. By default a T2 Mac also refuses to boot from an external drive or from the network; both policies can be relaxed in Startup Security Utility from macOS Recovery, which asks for an administrator password.
- Encrypted storage: the T2's SSD controller encrypts data as it is written to the startup disk, with keys derived from a hardware identifier burned into the Secure Enclave that never leaves the chip. The raw flash is therefore unreadable if it is removed from the board or if the T2 chip is damaged or replaced. The flip side is that the data is tied to that one chip, which matters for recovery (see below).
- Microphone disconnect and biometrics: because attackers who compromise a Mac like to spy through the built-in microphone and camera, the T2 adds a hardware disconnect that cuts power to the microphone whenever the lid is closed (the camera is not cut, since a closed lid already blocks its view). Touch ID fingerprint data, and the voice data used to invoke Siri, are handled by the chip and stored encrypted in the Secure Enclave rather than on the main processor.
The T2 is soldered to the logic board and its protections are always on; there is nothing to enable. Apple still recommends turning on FileVault, because without it the T2 unlocks the disk automatically at boot and the hardware encryption keeps out only someone who pulls the flash, not someone who can power on the Mac. FileVault ties the disk key to your login password, so the data stays locked against anyone who does not know a user's password or the recovery key.
Challenges Apple security features bring to data recovery
The more secure the data is, the harder it will be to get back when it is lost.
First, as mentioned above, if you forget the password and lose the FileVault recovery key, the startup disk locks you out for good. Neither an Apple Store nor a data recovery service can decrypt the files.
Second, Target Disk Mode is much less useful. Before the T2, you could connect two Macs and boot one into Target Disk Mode by holding the T key during startup; its SSD then appeared as an external drive on the other Mac and files could be copied across. T2 Macs still support Target Disk Mode, but the SSD is readable only while that Mac's own T2 chip is alive to decrypt it, because the keys are derived from a unique hardware identifier inside its Secure Enclave and never leave the chip (with FileVault on, the host Mac must also supply a password or recovery key). Another Mac's T2 cannot decrypt data encrypted by this one, and the flash cannot be moved to another board. So if a T2 Mac will not boot because the logic board or the chip has failed, its data cannot be pulled out through Target Disk Mode.
Third, many data recovery programs cannot scan encrypted disks. They neither detect that the disk is encrypted nor offer a way to enter a password to decrypt it. When choosing a data recovery program for a T2-equipped and/or FileVault-enabled Mac, check whether it can restore files from encrypted APFS volumes.
iBoysoft Mac Data Recovery is one of the programs we know that can scan encrypted startup disk and restore data from it. Check its capabilities and get a free copy.
Macs are high-end personal computers with strong built-in data security. Before relying on these features, do a little homework on what they protect against and how they affect you; knowing your machine better is never a bad idea.