When and how does FileVault decrypt an SSD on a T2 Machine

Solution 1:

No, it is not enough to simply bypass the user password prompt. That's not how it works, and it is not a less secure or less strong approach than earlier - actually it is an improvement.

The way the T2 chip works is by always encrypting the contents of the SSD. This happens no matter if FileVault is enabled or not. If FileVault is not enabled, no password is necessary to decrypt the SSD, as you would expect.

However, when the user enables FileVault, the keys for decrypting the SSD are encrypted with a key based in part on the user's password. This means that the T2 can no longer decrypt the SSD on its own when booted. No matter how much "trickery" you use to bypass password prompts, it won't work, as it doesn't have the key necessary to decrypt.

As soon as the user enters his password (or a recovery key), the T2 has the necessary information to derive the full decryption key and can thus decrypt the contents of the drive.

Note: The above is a grossly simplified explanation of how FileVault and the T2 work, but it is representative of how it is perceived by users.
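A toy Python model of the scheme the answer describes, added here as an illustration; it is not code from Apple or from the answer. The HMAC-keystream wrap, the PBKDF2 parameters and the `ModelVolume` class are assumptions chosen for a dependency-free demo, not Apple's actual construction. It shows the three cases in the answer: with FileVault off the controller recovers the media key on its own, with FileVault on an empty or wrong secret yields nothing, and either the password or the recovery key unwraps the same media key.

```python
import hashlib, hmac, os, secrets

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a password or recovery key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000, dklen=32)

def wrap(kek: bytes, media_key: bytes) -> bytes:
    """Toy authenticated wrap: HMAC keystream XOR, then an HMAC tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(media_key, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes):
    """Return the media key, or None if the KEK does not verify the tag."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class ModelVolume:
    """Simplified model of an always-encrypted volume with optional FileVault."""
    def __init__(self):
        self.media_key = secrets.token_bytes(32)  # data is always encrypted under this
        self.wrapped = []  # (salt, wrapped media key) for each unlocking secret
        self.filevault = False

    def enable_filevault(self, password: bytes, recovery_key: bytes) -> None:
        for secret in (password, recovery_key):
            salt = os.urandom(16)
            self.wrapped.append((salt, wrap(derive_kek(secret, salt), self.media_key)))
        self.media_key = None  # the controller no longer holds a usable key at boot
        self.filevault = True

    def boot_unlock(self, secret: bytes = None):
        """What the controller can recover at boot given an optional secret."""
        if not self.filevault:
            return self.media_key  # FileVault off: no secret required
        if secret is None:
            return None  # bypassing the prompt yields nothing to decrypt with
        for salt, blob in self.wrapped:
            key = unwrap(derive_kek(secret, salt), blob)
            if key is not None:
                return key
        return None  # wrong secret: the tag check fails on every wrapped copy
```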