When does encryption actually happen in MacOS/OS X encrypted volumes?

time-machine filevault encryption

I've noticed a sort-of lazy/post encryption strategy in MacOS/OS X with FileVault enabled and in encrypted Time Machine backups, and I'm curious when actual encryption happens.

  • When I copy videos from unencrypted external USB 3 volumes to my FileVault encrypted volume, my write speeds are 100+MB/s. However, I don't think my macbook (Intel Core i7-4980) is capable of encrypting that fast on-the-fly.
  • When I complete a time machine backup, a lengthy "encrypting..." step happens, but continues seamlessly after un-mounting/re-mounting. This is more obvious when encryption is happening, but is the data exposed until encryption is complete?

When does the actual encryption happen? Is there a period of time where my files are vulnerable unencrypted?


Actually your mac is capable of encrypting that fast (perhaps you're confusing it with encryption+compression).

Your processor has a special Intel AES-NI instruction set, specifically designed to optimize encryption speed. Looking at some performance benchmarks for that processor, the AES test performs at a whopping 8.87 GB/s multi-core and 2.94 GB/s single-core. No bottleneck there, but I can imagine some latency from processing thousands of small files instead of one big one like in the benchmark.

To address the confusion in your question:

  • While logged in, encryption happens on-the-fly whenever you read/write from anywhere on a FileVault2 encrypted disk.
  • Time machine transfers data unencrypted to the external disk, then encrypts after. My guess is they designed it this way to be more fault-tolerant with slower finicky external media.

When you encrypt or decrypt macOS will convert all data on the corestorage volume. As long as this process is not completed some of the data on the partition may still be unencrypted, i. e. unprotected. The process can be paused, e. g. when you shut down the system. It will automatically continue when you boot up. To check the current status of the encryption you can use: 

diskutil cs list

or

fdesetup status

Data encryption on-the-fly is very well possible and normally you shouldn't notice a performance hit.

Related

How to fix "macOS needs to repair your library to run applications" after High Sierra upgrade?
How to leave apple developer program on developer.apple.com?
How can I remove 'Dark Mode' from Ms Office apps without disabling it across macOS?
Sidecar only shows a black screen on iPad until reboot
Free OS X utility to scrape web sites?
How to keep your MacBook Pro cool (unibody)
Is it possible to turn off the iPhone Calendar invitations badge/list?
How do I correct wrong iTunes play counts?
Search in a particular folder and subfolder through Spotlight
Moving dock between vertically arranged displays in OS X Mavericks and later
Is there a way to show each CPU's load separately?
Harmful to never put to sleep / shut down a mac?