Which encryption model (single-key, per-file-key) does APFS use after 10.13 upgrade

Based on Apple's developer documentation, APFS appears to support three models of disk encryption:

  • No encryption
  • Single-key encryption
  • Multi-key encryption with per-file keys for file data and a separate key for sensitive metadata

Following the upgrade to 10.13 and the in-place filesystem migration from CoreStorage/FileVault/HFS+ to Encrypted APFS, which of these models is in use?

diskutil and related tools do not appear to provide any indication of which model is in use, and I would like to know, for the purpose of data recoverability and O(1) secure file erasure capabilities, whether multi-key is in use on my machine and disks.


Hey you asked this a while ago but I asked the same question on the Apple community discussion board recently and apparently we were just misreading that documentation.

APFS uses both single-key and multi-key encryption models simultaneously. The single-key system encrypts the container, and each file within it is encrypted with its own key pair.