I recently accompanied a friend to the Apple Store in Boston on a trip to pick up her new laptop. The Apple saleswoman said something about Apple recommending that you disable full disk encryption “unless you need it because you keep sensitive information on the machine because it slows it down.” Ever the IT guy, I questioned her immediately on that. I asked if Apple actually tells them to recommend that practice, and she confirmed. I couldn’t believe it.
I know that Apple uses Intel chips in their machines. I also know that every modern Intel chip Apple uses in the MacBook Pro line includes a dedicated AES encryption acceleration instruction set called AES-NI. FileVault uses AES. With the crazy fast SSDs Apple puts in these machines, and the native AES acceleration built into the processor, there’s no noticeable slowdown. I personally own a 2013 MacBook Air that includes AES acceleration, and I have FileVault configured for full disk encryption of the internal SSD. My SSD gets somewhere around 600-800MB/s read and write speeds. The only slowdown is when you first power on the machine after it’s been powered off. After you enter your password on the initial login, it takes about 15 seconds to unlock the drive and log you in. After that, no delays at all. Resuming from sleep is instant—log in and you get your desktop right away. No sluggish file copying, nothing.
Why would Apple recommend disabling a crucial security feature like full disk encryption when even older machines can run it with ease? It seems silly to me, especially with all the security risks we have these days.
Personally, I use full disk encryption on everything I own now: MacBook Air, the custom-built “hackintosh” desktop at home, work laptop, even my NAS server at home. It slows things down a bit on the NAS (I lose about 20MB/s on what would be a 110MB/s transfer with encryption disabled), but not so much that I’m worried about it. It’s plenty fast enough for my needs.