How Apple’s T2 Security Chip Affects Your Disk Storage

3 minute read
| Deep Dive

All new Macs now feature Apple’s custom T2 security chip. This has operational security implications for your new Mac, especially your SSD’s encryption.

Photo of the T2 security chip

Image credit: IFixit

While this chip does many different things, including the management of a secure boot process, Touch ID, FaceTime, audio and “Hey, Siri,” to name a few, this article will focus only on the aspects of encrypted storage.

There are two Apple sources I’ll draw from:

  1. Apple T2 Security Chip Security Overview from October 2018.
  2. Apple tech note HT208344: “About encrypted storage on your new Mac.”

The first is very technical. It’s Apple’s authoritative discussion of everything the T2 chip does, and the nomenclature makes it tough reading for many.

But one thing it reveals is that Apple has implemented a first class security infrastructure in its new Macs that goes a long way towards protecting the Mac from assaults on its security and integrity. This is all made very transparent, almost as if it’s not there. But the implications of the design will have an impact on users of new Macs.

Which Macs Have the T2?

Apple also posted a tech note, HT208862, listing them. They are:

  • iMac Pro
  • Mac mini models from 2018
  • MacBook Air models from 2018
  • MacBook Pro models from 2018

Operational Notes

There are some things to note about how your new Mac handles and encrypts the content of your Mac’s Solid State Drive (SSD). From Apple:

Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip.

This happens whether or not you enable FileVault during the setup process. The idea is that if the SSD chips were to be removed from the Mac by a malicious act, all the data would remain encrypted. However, when the chips are still in the Mac, a special hardware ID in the T2’s Secure Enclave will decrypt the data.

To ensure that the contents of the SSD, when in its host, remain encrypted until your passphrase is provided, you should enable FileVault. Unlike the past when turning on FileVault would tie up the Mac for many, many hours, the data in T2 Macs is already encrypted. Turning on FileVault is very fast. Now the decryption key is a combination of the Mac’s unique hardware ID and your own provided passphrase.

Also, by default, for the sake of security, only your current OS, or a (digitally) signed OS trusted by Apple can run. So this mode requires a network connection and the time of installation. Finally, the T2 Mac, by default, is prevented from booting from external media.

Note that there is a way to control whether your T2 Mac operates is this high security level mode. There’s a new utility, available in Recovery mode (CMD-R at boot), that sets the preferred levels of disk security — even all the way back to how previous Macs worked. The “Startup Security Utility” is discussed on page 10 of the Apple T2 Security Chip Security Overview linked to at the top of this article.

Startup Security Utility

Startup Security Utility defaults shown.

One impact of having the SSD always encrypted is that is the T2 chip fails or is damaged, all your data could become irretrievable. That’s why it’s absolutely essential to have a Time Machine backup of your T2 Mac.

Final Words

As you can see from the above documents, the new security aspects of T2 Macs may have an impact on how you operate your machine. Because the original Apple overview document is technically dense, you may find it easier to start with a summary, as I’ve provided above.

Also, because different authors cover complex technical subjects with different approaches, emphasis and language, reading about a complex subject from several sources often helps. So here’s some suggested, additional reading.

  1. Everything you need to know about Apple’s T2 chip in the 2018 Mac mini and MacBook Air
  2. Welcome to your new Mac: living with the T2 chip

These two articles say the same thing in different ways as well as fill in the gaps—when you’re ready to digest them. Finally, don’t try to learn and do everything all at once until you feel comfortable. Your new Mac will be just fine as you learn and gain expertise with these new security provisions.

2
Leave a Reply

Please Login to comment
2 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
2 Comment authors
MacseeJohn Kheit Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
Macsee
Member
Macsee

Apple T2 chip is great if you are concerned with encryption. But it should be possible to disable it when not needed. When encryption is irrelevant. To facilitate disk cloning, repair and recovery. To save energy. To save planet Earth.

John Kheit
Member
John Kheit

Great primer John, thanks!