Full-disk encryption (FDE) is a low-effort way to ensure that if someone were to get ahold of one of your drives while unmounted or a Mac while powered down, the contents on the drive would be unusable to them without knowing a password or other encryption information. Apple offers two distinct ways of encrypting volumes on a drive, and it’s important to know the difference between them and the current limitation on drives connected to M1-based Apple Silicon Macs.
You can read the full details elsewhere on Macworld about the ins and outs of FileVault, but it’s a way to combine the security of account-based access with the assurance of fully encrypted data. FileVault is managed via the Security & Privacy preference pane’s FileVault pane.
How FileVault works varies based on your model of Mac:
To turn on FileVault in macOS Big Sur, you activate it in System Preferences, under Security & Privacy.
When you enable or disable FileVault protection on a T2/M1 Mac’s internal drive, because encryption is always on, FileVault turns on or off immediately. With an external drive used with an Intel Mac, you can monitor the progress roughly from the FileVault pane of the Security & Privacy preference pane—or see below.
FileVault provides security when the Mac is powered down, for both pre-T2 Macs and T2/M1 Macs: it prevents access at startup without a password for a valid account on the Mac, and it prevents access to any decrypted data on the drive if the drive is accessed in any fashion by another Mac or forensic-examination equipment.
Entire volumes can be encrypted directly, but then they cannot be used to start up a Mac, because of how FileVault and the startup elements on Macs interact. Encrypting such drives is useful when you’re using them for storage and backups.
A drive with volumes encrypted in this fashion is fully available when mounted and the password entered. If you choose to store the password in the Keychain, then anyone who gains access to your unlocked Mac and can mount one or more volumes from the drive gains access as if the contents weren’t encrypted.
However, in these cases the encrypted contents are unavailable if no party but you has the password to your Mac or the volumes:
You enable encryption on a drive very simply from the Finder:
Enter and record the password for your external drive.
In Disk Utility, if you examine any volume that you’ve encrypted with macOS 10.14 Mojave or later, it shows “Encrypted” in parentheses as part of the volume type: “APFS (Encrypted)”. Disk Utility converts a volume that is formatted as Mac OS Extended (Journaled), otherwise known as HFS+, to APFS in the process, and uses the APFS (Encrypted) subtype.
An important side note: If you’re using any volumes on the drive as backup destinations for Time Machine in Mojave or later, directly from your Mac or over your local network, you don’t want to encrypt the drive. Only Macs with Big Sur can back up via Time Machine to an APFS-formatted volume. And, in testing, only HFS+ can be used as the formatting for a destination volume for networked Time Machine backups, whether the Mac being backed up is running Big Sur or an earlier version of macOS.
You can reverse the operation by selecting the drive, choosing Decrypt, and entering the password; a similarly lengthy operation then decrypts the drive. If it’s been converted from HFS+, it rem
For more advanced users, you can create encrypted volumes directly via Disk Utility or the command line, though this involves destructive erasure of volumes, containers, or partitions, depending on what you’re trying to secure.
With an Intel Mac without a T2 chip, with FileVault encrypting an external drive on any Intel Mac, or with any model of Mac encrypting an external non-startup volume, you can monitor progress by using a command-line tool. (FileVault’s progress bar isn’t that accurate.)
From Applications > Utilities > Terminal, type the following and press Return:
diskutil apfs list
This shows all the APFS containers and volumes, and the status of encryption in progress. You have to scroll through a lot with many disks and volumes to find that information, so you can instead type the following command to extract just the progress line:
diskutil apfs list | grep Encryption
That will match against lines like:
Encryption Progress: 69.0% (Unlocked)
Confusingly, when encryption is completed, whether it’s a startup volume secured by FileVault or an external volume encrypted via the Finder or other means, the diskutil app always shows that encryption is enabled as:
FileVault: Yes (Unlocked)
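The grep above drops the volume each status line belongs to, and it never matches the finished state (FileVault: Yes). The following is an added example, not part of the original article: a shell function that reads diskutil apfs list output and prints one line per volume with its device, name and encryption status. The embedded listing is a constructed, abbreviated sample, and the "APFS Volume Disk (Role):" and "Name:" labels are assumed to appear as they do in it.

```shell
#!/bin/sh
# Added example: pair each APFS volume with its encryption status line.
# On a Mac: diskutil apfs list | apfs_encryption_status

apfs_encryption_status() {
    awk '
        function value(line) {               # text after the first "label:"
            sub(/^[^:]*:[ \t]*/, "", line)
            return line
        }
        /APFS Volume Disk/  { split(value($0), f, " "); dev = f[1]; name = "" }
        /^[| \t]*Name:/     { name = value($0); sub(/ \(Case-[a-z]+\)$/, "", name) }
        /FileVault:|Encryption Progress:/ {  # in progress, or finished
            label = $0
            sub(/^[| \t]*/, "", label)       # drop the tree-drawing prefix
            gsub(/:[ \t]+/, ": ", label)     # collapse column padding
            printf "%s\t%s\t%s\n", dev, name, label
        }
    '
}

# Constructed sample input (not captured from a real Mac), abbreviated.
sample_apfs_list() {
cat <<'EOF'
+-- Container disk3 (constructed sample, abbreviated)
    ====================================================
    APFS Container Reference:     disk3
    |
    +-> Volume disk3s1
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s1 (No specific role)
    |   Name:                      Backup (Case-insensitive)
    |   Mount Point:               /Volumes/Backup
    |   Encryption Progress:       69.0% (Unlocked)
    |
    +-> Volume disk3s2
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s2 (No specific role)
        Name:                      Archive (Case-insensitive)
        Mount Point:               /Volumes/Archive
        FileVault:                 Yes (Unlocked)
EOF
}

sample_apfs_list | apfs_encryption_status
```

A volume that prints no line at all has neither status field in the listing, which is worth checking before trusting a drive as encrypted.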