Hacker News new | past | comments | ask | show | jobs | submit login

A disadvantage of doing whole-level encryption is that you have to decrypt the entire file, even if all you want to do is read a few bytes near the end of the file. Similarly, you would have to re-encrypt most of the file if you wanted to write a few bytes near the start of the file.

For large files, the difference can be huge. That's why APFS supports both; it does block-level encryption by default, and users can choose to additionally encrypt files, at least that's what I make of https://developer.apple.com/library/content/documentation/Fi...:

"Encryption

Security and privacy are fundamental in the design of Apple File System. That's why Apple File System implements strong full-disk encryption, encrypting files and all sensitive metadata.

Which encryption methods are available depends on hardware and operating system support, and can vary for Mac, iPhone, iPad, Apple TV, and Apple Watch.

Apple File System supports the following encryption models for each volume in a container:

- No encryption

- Single-key encryption

- Multi-key encryption with per-file keys for file data and a separate key for sensitive metadata

Multi-key encryption ensures the integrity of user data. Even if someone were to compromise the physical security of the device and gain access to the device key, they still couldn't decrypt the user's files.

Apple File System uses AES-XTS or AES-CBC encryption modes, depending on hardware."




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: