Written by Jenny Zeng
Summary: This post explains the basics of the APFS (Encrypted) format, whether to use APFS (Encrypted) or not, the difference between APFS (Encrypted) and FileVault, and how to erase an APFS-encrypted drive on a Mac.
Should you use APFS or APFS Encrypted? Is enabling FileVault and formatting the startup disk as APFS Encrypted on a T2 or M1 Mac overkill? To answer these questions, we need to take a closer look at APFS Encrypted, how it differs from the other APFS formats, and the built-in encryption feature, FileVault.
For average users, it's recommended to use APFS with FileVault enabled, even if you have a T2 or M1 Mac that is encrypted right out of the packaging. But if you have extremely important files on the Mac or you just want the best protection, format your Mac as APFS (Encrypted) and enable FileVault.
What is APFS Encrypted?
APFS Encrypted is one of the four APFS formats for Mac computers running macOS 10.13 or later. It works the same as plain APFS but encrypts the volume in XTS mode with a 128-bit key length. In addition, APFS Encrypted reflects APFS's native support for encryption, which you can easily enable in Disk Utility when formatting a volume/disk or creating a new volume.
Converting APFS to APFS Encrypted without erasing data is also rather simple. To do it, you need to open Finder, where you can view the mounted volumes or partitions under "Locations" from the left side. Then, if you right-click on a non-startup APFS volume, you'll be given the option to either encrypt the APFS volume or decrypt the APFS-encrypted volume.
APFS vs. APFS Encrypted: Should I use APFS or APFS Encrypted?
The only difference between APFS and APFS Encrypted is that the latter encrypts the APFS disk or volume, providing an extra layer of security. Since APFS is optimized for Flash/SSD storage, using APFS Encrypted won't result in much performance degradation. But APFS Encrypted external disks or HDDs may have slower write speeds.
If you have classified or private data stored on your Mac, you should choose APFS (Encrypted) or APFS (Case-sensitive, Encrypted) when formatting your startup disk, adding volumes, or backing up with Time Machine.
This way, even when somebody logs in to your Mac, they will need to enter the extra password to unlock the encrypted volumes. Doing so also prevents third-party apps from accessing your drive without your consent.
APFS Encrypted vs. FileVault
APFS Encrypted and FileVault are two different encryption features on Mac with close connections.
Suppose you turn on FileVault after formatting your startup disk as APFS. In that case, it changes the startup volume groups Macintosh HD and Macintosh HD - Data into APFS (Encrypted) but leaves other non-startup volumes intact. That's why users may mistakenly consider APFS Encrypted the same as FileVault.
FileVault protects data on your startup disk from being extractable when your Mac's powered down and in sleep mode by requiring your login password to decrypt the data. Nevertheless, drives formatted as APFS Encrypted require another password to access the drive's content after logging into the system.
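The distinction above, that FileVault converts only the startup volume group and leaves other volumes as they were, can be checked from Terminal. The following is an added example, not part of the original post: it parses `diskutil apfs list` and reports which volumes need no password to read. The sample output, device names and function names are constructed, and the field layout is assumed to match what recent macOS versions print.

```shell
#!/bin/sh
# Report each APFS volume as "protected" (diskutil says "FileVault: Yes") or
# "unprotected" (no password is needed to read the volume once it is attached).

# Constructed, abbreviated sample of `diskutil apfs list` output (not from a real Mac).
SAMPLE_OUTPUT='+-- Container disk1 (constructed sample)
    |
    +-> Volume disk1s1
    |   APFS Volume Disk (Role):   disk1s1 (Data)
    |   Name:                      Macintosh HD - Data (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s5
    |   APFS Volume Disk (Role):   disk1s5 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s7
        APFS Volume Disk (Role):   disk1s7 (No specific role)
        Name:                      Scratch (Case-insensitive)
        FileVault:                 No'

# Reads `diskutil apfs list` text on stdin, prints: device<TAB>state<TAB>name
apfs_encryption_report() {
  awk '
    { sub(/^[ |]+/, "") }                          # drop the tree-drawing prefix
    /^APFS Volume Disk \(Role\):/ { dev = $5 }      # e.g. disk1s1
    /^Name:/ { sub(/^Name:[ ]*/, ""); name = $0 }
    /^FileVault:/ {
      state = ($2 == "Yes") ? "protected" : "unprotected"
      printf "%s\t%s\t%s\n", dev, state, name
    }
  '
}

# Prints only the device identifiers of volumes that are not password-protected.
unprotected_volumes() {
  apfs_encryption_report | awk -F'\t' '$2 == "unprotected" { print $1 }'
}

# On a Mac, audit the real disks; elsewhere, fall back to the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
  diskutil apfs list | apfs_encryption_report
else
  printf '%s\n' "$SAMPLE_OUTPUT" | apfs_encryption_report
fi
```

In the sample, the two startup volumes show as protected while the non-startup "Scratch" volume does not, which is the case the section describes.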
Should you use APFS Encrypted with FileVault enabled on T2/M1 Mac?
Regardless of whether your Mac has a T2 or M1 chip or not, you should use APFS Encrypted and FileVault to ensure maximum security if necessary. They are not redundant with the full disk encryption the T2 or M1 chip offers.
Solely having the hardware encryption prevents others from taking out your hard drive (if possible) and mounting it on another Mac to access data, as the T2 or M1 chip is mandatory to decrypt the drive.
Nonetheless, since the T2/M1 decryption kicks in as soon as your Mac boots to the login screen, there's a possibility that a malicious party may access data from the mounted and running drive. Enabling FileVault, however, will keep your disk's content encrypted until the login password of any account allowed to use FileVault is entered.
Note that turning FileVault on for the first time may take some time depending on the amount of data you have if you are using a non-T2/M1 Mac. But it won't take a minute if you have a T2 or M1 Mac, which has a dedicated AES hardware engine powering line-speed encryption with FileVault. After all, the chip has already encrypted the drive.
The hardware encryption and FileVault encryption will essentially fail if your login password is exposed. But, if you have formatted the volume that stores crucial data with APFS (Encrypted) or APFS (Case-sensitive, Encrypted), the intruder needs to unlock it before getting their hands on the file. Thus, you will have more time to send the Erase This Device command via Find My Device to render the drive's contents irretrievable.
Besides password protecting your Mac with FileVault and APFS Encrypted, it's also advisable to back up your Mac regularly. Also, be reminded that if you forget your password and lose the recovery key, your Mac will be unusable.
How to erase an APFS-encrypted drive on Mac?
Erasing an APFS-encrypted drive is no different from erasing a non-encrypted drive. If it's an internal volume or an external drive that is already plugged in, you won't even need to enter the password, as you have likely already entered it to unlock the drive at the prompt after logging in. Back up files on the drive, then follow these steps:
- Open Finder > Applications > Utilities, then launch Disk Utility.
- Select the volume or disk from the left sidebar.
- Click Erase.
- Choose a proper format and name, then click Erase again.
The APFS-encrypted drive should now be empty and have no password attached.