T2 / M1 Macs & APFS Time Machine encryption

Something @ismh said in this episode had me puzzled regarding T2-equipped Macs forcing encryption on Time Machine backups.

If I recall correctly, the encryption key for APFS encrypted volumes is held in the T2 chip, so if you lose the chip you lose the data.

Does this mean that if you have a T2 or M1 Mac backing up via Time Machine to a USB disk using an APFS file system, and that Mac is lost / destroyed etc., you would NOT be able to use your USB disk TM backup to restore to a replacement machine?

That would seem to be a bit of an oversight if it is the case so I’m presuming I’m missing a bit of info and it won’t be the case at all… but I’d rather like to know for certain before ending up in a scenario where I have to test this out the hard way! :wink:

I haven’t done (or even really looked into) APFS Time Machine backups, but I do have APFS-encrypted external SSDs and they have no problem being accessed by different T2-based Macs.

If I recall correctly, the key used to encrypt the internal SSD on T2 Macs is unique to a given T2 chip, and all APFS volumes on the internal SSD have their encryption keys derived from it. If you enable FileVault on such a system, the T2 key itself is encrypted using a key derived (at least partly) from your password.

2 Likes

That’s good to know. I had wondered if the encryption works slightly differently for external disks than it does for internal ones; your experiences would seem to support that theory.
Cheers :slight_smile:

1 Like