How does APFS encryption work?

I recently upgraded my 2013 MBP to High Sierra. This changed my unencrypted file system to encrypted APFS.

Does Apple provide any information about how APFS encryption works? Does the account password protect the private key? Then how can there be a guest user? When my account password was weak, does changing it improve encryption security?

What is the encryption method and strength?

I'm used to Windows BitLocker, where the encrypted partition is either locked or unlocked, and the Windows account password is different from the BitLocker passwort protecting the private key. The encryption method and strength can be set via Windows group policies.


Solution 1:

APFS encryption is done with the AES encryption algorithm in XTS mode with a 128 bit keylength. This is the same algorithm, mode and keylength used by earlier versions of macOS too (i.e. with HFS+ file systems).

As you mention Windows BitLocker, this is actually the same method and strength that Windows has recently started using in the newer versions of Windows 10.

Regarding your other questions about guest users and account passwords - this really has nothing to do with APFS encryption. This is instead handled by a layer above called File Vault 2.

File Vault 2 with APFS is really the same as with HFS+ with the one difference that APFS has built-in encryption support (i.e. the AES-XTS-128 for encrypting the data) where HFS+ needs encryption added as layer on top of the file systems (i.e. via Core Storage). In practice there's no real difference for most end-users.

In any case, all the key handling that makes full disk encryption work for the end-user to handle such things as booting from an encrypted drive, user accounts, guests, recovery keys, etc. are all handled by File Vault 2 - which is seperate from the file system itself.