The APFS volumes on the internal SSDs of current Apple notebooks and desktops are always encrypted. In Intel Macs with a T2 security chip, the T2 handles this; in Macs with Apple Silicon, the required Secure Enclave is integrated into the M1 and M2 processors. External drives can of course also be encrypted with the Apple File System, but a different procedure is used for them, which can affect performance (see ). The mount process that runs after an SSD or hard drive is connected via USB or Thunderbolt is different as well. Howard Oakley, known among other things for the macOS tools he has developed, has now analyzed this process in more detail.

The cryptographic volume key is itself encrypted

macOS first mounts the container found on the external medium and examines it for one or more encrypted volumes. If it finds any, APFS sends a request to a routine called "Effaceable Storage", which is responsible for obtaining the volume's cryptographic key, the Volume Encryption Key (VEK). The VEK is not stored in the clear: it is itself encrypted with a Key Encryption Key (KEK), and the KEK can only be recovered with the password set for the volume. macOS therefore prompts for this password; only after it has been entered correctly does the normal mount process continue and the decrypted volume become available. Oakley documents the exact steps, with accompanying diagrams, in an article on The Eclectic Light Company.
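The key hierarchy described above (password unlocks the KEK, the KEK unlocks the VEK, the VEK unlocks the data) is easier to reason about in code. The following is an added example written for this page; it is neither Oakley's code nor Apple's, and it does not reproduce the real APFS keybag format, the Effaceable Storage step, or Apple's exact algorithms. It assumes PBKDF2-HMAC-SHA256 as the password stretching function and AES-256-GCM as the key-wrapping construction, both chosen here because they are in Go's standard library and an authenticated wrap makes a wrong password detectable. The names `Keybag`, `Volume`, `InitVolume`, `Mount` and `ChangePassword` are this example's own. Besides the mount order, it shows the point of having two levels: changing the password only rewraps the KEK, while the VEK and the volume data stay untouched.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Wrapped is an AES-256-GCM sealed blob; the GCM tag makes a wrong key detectable.
type Wrapped struct {
	Nonce, Blob []byte
}

// Keybag models (loosely, not in APFS's real layout) what the mount routine reads
// from the container: the VEK wrapped by the KEK, the KEK wrapped by a password-derived key.
type Keybag struct {
	Salt       []byte
	Iterations int
	WrappedKEK Wrapped // opened with PBKDF2(password, Salt)
	WrappedVEK Wrapped // opened with the KEK
}

// Volume is the keybag plus a toy payload encrypted under the VEK.
type Volume struct {
	Bag  Keybag
	Data Wrapped
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here to avoid a dependency.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(be[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func wrap(key, payload []byte) Wrapped {
	g := newGCM(key)
	nonce := randomBytes(g.NonceSize())
	return Wrapped{nonce, g.Seal(nil, nonce, payload, nil)}
}

func unwrap(key []byte, w Wrapped) ([]byte, error) {
	return newGCM(key).Open(nil, w.Nonce, w.Blob, nil)
}

// InitVolume sets up the hierarchy when a volume is first encrypted:
// a random VEK protects the data, a random KEK protects the VEK,
// and a key derived from the password protects the KEK.
func InitVolume(password string, plaintext []byte) Volume {
	vek, kek, salt := randomBytes(32), randomBytes(32), randomBytes(16)
	const iter = 100_000 // demonstration value, not Apple's
	pwKey := pbkdf2SHA256([]byte(password), salt, iter, 32)
	return Volume{
		Bag:  Keybag{salt, iter, wrap(pwKey, kek), wrap(kek, vek)},
		Data: wrap(vek, plaintext),
	}
}

// Mount follows the unlock order from the text: password -> KEK -> VEK -> data.
// A wrong password fails at the first step, before any volume data is touched.
func Mount(v Volume, password string) ([]byte, error) {
	pwKey := pbkdf2SHA256([]byte(password), v.Bag.Salt, v.Bag.Iterations, 32)
	kek, err := unwrap(pwKey, v.Bag.WrappedKEK)
	if err != nil {
		return nil, fmt.Errorf("wrong password: KEK does not unwrap")
	}
	vek, err := unwrap(kek, v.Bag.WrappedVEK)
	if err != nil {
		return nil, fmt.Errorf("keybag damaged: VEK does not unwrap")
	}
	return unwrap(vek, v.Data)
}

// ChangePassword rewraps only the KEK; the VEK and the encrypted data are untouched.
func ChangePassword(v Volume, oldPw, newPw string) (Volume, error) {
	pwKey := pbkdf2SHA256([]byte(oldPw), v.Bag.Salt, v.Bag.Iterations, 32)
	kek, err := unwrap(pwKey, v.Bag.WrappedKEK)
	if err != nil {
		return v, fmt.Errorf("wrong password: KEK does not unwrap")
	}
	v.Bag.Salt = randomBytes(16)
	v.Bag.WrappedKEK = wrap(pbkdf2SHA256([]byte(newPw), v.Bag.Salt, v.Bag.Iterations, 32), kek)
	return v, nil
}

func main() {
	vol := InitVolume("correct horse", []byte("constructed volume contents"))
	if _, err := Mount(vol, "wrong"); err != nil {
		fmt.Println("mount refused:", err)
	}
	pt, _ := Mount(vol, "correct horse")
	fmt.Printf("mounted: %s\n", pt)
	vol2, _ := ChangePassword(vol, "correct horse", "new passphrase")
	fmt.Println("data unchanged after password change:", bytes.Equal(vol.Data.Blob, vol2.Data.Blob))
}
```

The `Mount` function refuses a wrong password without ever reaching the VEK, which is the behaviour the prompt in the Finder reflects: until the password checks out, nothing below the keybag is touched.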

Mounting snapshots and cryptexes

Mounting the snapshots of Time Machine backups on an external drive is considerably simpler. There is one peculiarity: when mounting, macOS updates a counter called "Copy on Write exempt count", since snapshots are read-only and the usual copy-on-write mechanism is not applied to them. The procedure by which macOS mounts the so-called cryptexes, on the other hand, is more involved. These "cryptographically sealed extensions" are add-ons to the system volume; among other things they are used to speed up updates and to deliver hotfixes as part of Rapid Security Response (see ). A cryptex is first checked for its content and metadata, then authenticated and validated against hash values. Only if that succeeds is it made available to the system, and it cannot be unmounted until the computer is shut down.