Which way is more secure?

[sickamongthepure]

I'm wondering which way of deploying FileVault is more secure:

1. Turning on FileVault in System Preferences after installing macOS.

2. Before installing macOS make encrypted partition in Disk Utility and then install macOS.

What do you think?

[1dotd4]

It should encrypt automatically the partition before to install. Or it isn't?

[ghost]

I think he is asking about encrypting the drive from the recovery/bootable Installer (i.e. Disk Utility -> Erase > Mac OS (Journaled, Encrypted) versus erasing it regularly and then encrypting it during system setup (or some point later).

I actually had the same question and was wondering if anyone knew the advantages/disadvantages of both.

[felixgr]

I looked at the seeding of Apple's PRNG a few years ago. Things might have changed since then. Back then, the PRNG had more entropy available in scenario 1 because of the recent reboot. So, just based on that knowledge, scenario 1 seems more secure.

[walkky]

Is this still the case with Apple Silicon / M1-based MacBooks?

[Danrancan]

I looked at the seeding of Apple's PRNG a few years ago. Things might have changed since then. Back then, the PRNG had more entropy available in scenario 1 because of the recent reboot. So, just based on that knowledge, scenario 1 seems more secure.

I actually remember reading a blog post about this just over a year ago as well. The blogger agrees with you in that scenario 1 is the best way to go about it. However, if you create the encrypted disk before installation, doesn't that allow you to create two seperate passwords? One being specifically to unlock the encrypted drive and the other being to log in to mac os after unlocking it? If thats the case, I would say that scenario 2 supersedes scenario 1 even if it has less entropy, because it allows for multiple seperate passwords. Although, I could be wrong on all of this. Its been a while since I've done a clean install of MacOS.