

Explainer: Disk encryption
hoakley · 2026-06-13 · via The Eclectic Light Company

This week’s news of deprecations in macOS is dominated by CoreStorage, and the consequent loss of access to HFS+ encrypted volumes. As it might seem odd that a part of macOS responsible for Fusion Drives should also affect encryption, this article tries to explain why, and where we’ve got to since.

In the Good Old Days, our Macs seldom contained anything particularly sensitive, and the few files that might hold private information could be encrypted on their own. Then came electronic banking, credit card and ID information, and crypto wallets, and we really needed to ensure they were properly protected.

HFS+

With the release of Mac OS X, its native file system HFS+ had no support for encryption. When Apple introduced its first version of FileVault to encrypt just the user’s Home folder in 2003, that had to be accomplished using an encrypted disk image. That not only caused problems with Time Machine backups, but its protection was easily defeated and the whole disk image decrypted.

The first whole-volume encryption for HFS+ came in 2011, when Apple added support for a logical volume manager in CoreStorage, which implements encryption for HFS+. The second and more successful attempt at FileVault thus used HFS+ with whole-volume encryption in CoreStorage. Encrypted HFS+ has also been available for use on external storage, where it still depends on CoreStorage.

Encrypted HFS+ uses the XTS-AES mode of AES with a 256-bit key, with both encryption and decryption performed by the CPU. Earlier Intel processors didn’t have instructions to accelerate that, and in combination with hard disk storage this imposed a noticeable overhead of around 3% on storage reads and writes. It was most apparent when encryption was first enabled on a volume, which could take many hours before its entire contents had been encrypted.

Among other features reliant on CoreStorage are Apple’s Fusion Drives, consisting of a larger hard disk with an SSD working together as a pair in tiered storage, introduced in late 2012. It appears that macOS Tahoe might have already discontinued support for Fusion Drives, although its diskutil command still claims to support them, and a recent support note doesn’t mention any limitations.

APFS

The next step was a file system that had encryption designed into it from the start, APFS, released in 2017. That was quickly followed by hardware support for encryption, first in T2 chips, then in Apple silicon chips from 2020.

What has been encrypted has also changed over time. The first FileVault only encrypted the contents of a user’s Home folder, but CoreStorage encrypts whole HFS+ volumes. Until macOS Catalina divided the startup volume into System and Data volumes in a boot volume group, FileVault encrypted both system and user files. From Catalina onwards it was thought that all volumes on the internal SSD were encrypted, but more recently it has become clear that this has been limited to the Data volume, possibly since Big Sur.

The hardware that performs FileVault’s encryption and decryption is part of the controller for the internal SSD, and is outside the Secure Enclave, which is responsible for generating and protecting the keys used.

When you enter your FileVault password, that’s passed to the Secure Enclave, where it’s combined with the hardware key to generate the Key Encryption Key (KEK), and that’s then used together with hardware and xART keys to decrypt or unwrap the Volume Encryption Key (VEK) used for decryption/encryption.

[Figure: apfsencryption1]

APFS encryption more generally also uses separate VEKs and KEKs which are stored in and accessed from Keybags associated with both containers and volumes. The Container Keybag contains wrapped VEKs for each encrypted volume within that container, together with the location of each encrypted volume’s keybag. The Volume Keybag contains one or more wrapped KEKs for that volume, and an optional passphrase hint. However, because those Keybags are stored in the file system on the encrypted disk and not protected by a Secure Enclave, they’re inherently more vulnerable.

Future

Most recent is the threat posed by anticipated advances in quantum cryptography, which promise to break some classical encryption methods. At present, Apple considers that FileVault should remain robust because of its multiple layers of protection. However, it may be that doubling the key size from 256 to 512 bits is an appropriate defence for APFS encryption that doesn’t enjoy the protection of the Secure Enclave.

Further reading

A Brief History of FileVault
How keys are used in FileVault and encryption
macOS Tahoe extends quantum-secure encryption
Quantum-secure cryptography in Apple operating systems