Does FileVault encrypt the disk instantly?
I have recently found that FileVault is disabled on my machine. Although I remember that I set "encrypt" option when I was setting the machine up.
I opened System Preferences and enabled FileVault. To my surprise it didn't take any time. I didn't have to wait while the data is encrypted. It just got instantly enabled.
My configuration: MacBook Air 2018, 256Gb SSD, macOS Mojave 10.14.1
I understood that the disk is not encrypted because I was able to access the content from my home directory from a guest session.
How does it possible that turning on FileVault doesn't take any time?
You have a new Mac with an SSD and T2 chip so all data on it is encrypted always. Any election you make in FileVault just adds and removes user keys from the trust chain so that happens basically instantly. However, when a FileVault credentialed user isn’t created, the system unlocks itself so the encryption door is always wide open.
The next time you restart, the system will notice that the first per-user key is now active and change the boot process so that the system won't unlock that storage and start the OS until your key unlocks the storage. Keep in mind, FileVault by default on APFS is all or nothing. When you unlock the storage, any account can read any files it has permission and you need your password to keep other users (guests) off your files and session.
You can inspect this by looking at diskutil apfs list
to examine each APFS containers and synthesized volume encryption and lock status.
mac:~ me$ diskutil list
/dev/disk0 (internal):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme 251.0 GB disk0
1: EFI EFI 314.6 MB disk0s1
2: Apple_APFS Container disk1 250.0 GB disk0s2
/dev/disk1 (synthesized):
#: TYPE NAME SIZE IDENTIFIER
0: APFS Container Scheme - +250.0 GB disk1
Physical Store disk0s2
1: APFS Volume Mac 191.7 GB disk1s1
2: APFS Volume Preboot 65.4 MB disk1s2
3: APFS Volume Recovery 1.0 GB disk1s3
4: APFS Volume VM 3.2 GB disk1s4
Be sure to restart your machine and test the guest session scenario again. Only a full “Guest account” that’s set up in user preferences will keep your data marginally protected when you have an unlocked / unencrypted synthesized Macintosh HD boot / OS / user volume.
I didn't set "encryption" on while installing my System, but turning on Encryption with FileVault afterwards definitely takes time (about 45 min with a 512 Go SSD).
Decrypting the disk will take time with a background process as well.
You can check if your disk is encrypted or not (or in progress) through the Terminal with entering this command:
sudo fdesetup status
From your experience, it looks like enabling encryption during setup does the work, but doesn't show up in the "System Preferences" until you explicitly turn it on?