In a recent blog post, Kolide speaks about a recent update to OSQuery that will now correctly determine the difference between a modern Mac being encrypted vs. having FileVault enabled. Historically, those meant essentially the same thing. If your Mac was encrypted, it meant that FileVault was turned on. Ever since Apple started introducing the Secure Enclave on their Macs, however, that is no longer the case. All disks are encrypted, and that is not necessarily the same thing as having FileVault enabled.
Kolide briefly explains this in this section of their post:
Before the introduction of the T2 security chip, disk encryption was synonymous with FileVault configuration on macOS. However, with hardware encryption this distinction became multi-faceted. This nuance was particularly problematic for security agents that did not differentiate between a disk that was ‘encrypted’ and a device that had FileVault configured.
Luckily OSQuery is now updated to know the difference. Read their full blog post to find out more info.
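As an added example (not code from the Kolide post or from osquery's own documentation), here is an osquery query, run in osqueryi on macOS, that reads both states from the disk_encryption table so the two are never conflated. The column names, in particular filevault_status with its values on/off/unknown, are as I know them from the osquery schema and are assumed to be present in the osquery version you run.

```sql
-- Added example: report hardware encryption and FileVault separately for
-- every volume osquery knows about. A volume with encrypted = 1 but
-- filevault_status = 'off' is exactly the case the post describes: the
-- data is encrypted by the Secure Enclave, but FileVault is not enabled.
-- Column names are assumed from the osquery disk_encryption schema.
SELECT
  name,
  uuid,
  encrypted,           -- 1 when the volume's data is encrypted (hardware or FileVault)
  encryption_status,
  filevault_status,    -- 'on', 'off' or 'unknown'
  CASE
    WHEN filevault_status = 'on' THEN 'FileVault on'
    WHEN encrypted = 1           THEN 'encrypted, FileVault NOT on'
    ELSE                              'not encrypted'
  END AS assessment
FROM disk_encryption;

-- Policy-style check for a fleet: returns a row only when FileVault is
-- actually on, so a hardware-encrypted volume without FileVault returns
-- nothing and the check fails, instead of passing on `encrypted = 1` alone.
SELECT 1
FROM disk_encryption
WHERE filevault_status = 'on'
LIMIT 1;
```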
One thing I wanted to add is why Apple does this. There are a few reasons why the disk is encrypted regardless of whether FileVault is enabled or not, and many edge cases I won't get into, but one of the biggest reasons is that it makes erasing the disk securely much easier. It also makes that process much more secure without sacrificing speed. In fact, it's significantly faster than it was historically.
With old systems, if you booted to a recovery mode or an external disk and then erased the internal disk of a computer, you were essentially just telling the disk "this space is now available and can be written over". The data wasn't actually erased, and much if not all of it could be recovered by someone who knew what they were doing and had the right tools. If you were selling a machine, for instance, this isn't very good. You could tell Disk Utility to write zeros over the whole disk, but this was a very slow process, since it has to write to every block of the disk before it's complete.
With Macs that use the Secure Enclave, the whole disk is encrypted (again, even if FileVault isn't enabled, and even if the machine has no password at all), so all the machine needs to do to erase the whole disk securely is to erase the keys that were used to encrypt it. This effectively wipes the whole drive in a very secure way: the files are no longer recoverable, and it happens MUCH faster than writing zeros to the whole disk.
All of this is important to know; however, I would still strongly recommend enabling FileVault on your machine. It adds a significant layer of security, and the performance overhead of doing so is completely gone on modern Macs. Additionally, you absolutely should never leave your computer without a password anymore.
Kolide provides a hosted OSQuery instance that provides fast and detailed insight into your endpoints and is built around user-focused security. Check out their product and other blog posts.