Understanding Partitioning Schemes, FileVault 2 and macOS Encryption: A User-Friendly Guide
- Mar 31

When it comes to Mac systems, partitioning schemes play a crucial role in organizing data, managing storage, and ensuring smooth system operations. Whether you're installing macOS, working with external drives, or handling disk images, understanding these schemes can help you navigate storage management more efficiently.
The Three Main Partitioning Schemes
Mac systems primarily use three types of partition schemes:
GUID Partition Scheme (GPT) – The default for modern macOS installations.
Apple Partition Scheme (APM) – Used mainly on older PowerPC Macs.
Master Boot Record (MBR) – Mostly found on external drives and Windows-compatible disks.
GUID Partition Scheme (GPT) – The Modern Standard
On Intel-based Macs (since 2006) and ARM-based M1/M2 Macs, the GUID Partition Table (GPT) is the standard. It allows:
Larger disk sizes compared to older schemes.
Up to 128 partitions (as opposed to MBR’s limit of four primary partitions).
Unique identification (GUIDs) for disks and partitions, making them easier to manage.
Backup of partition tables, which enhances reliability in case of corruption.
With Apple’s newer macOS versions, GPT remains the backbone of partitioning, even as Apple transitions from EFI (Extensible Firmware Interface) to the “Apple APFS iSC” system for ARM-based Macs.
Apple Partition Map (APM) – The Legacy Scheme
Before Intel Macs came around, PowerPC-based Mac systems relied on the Apple Partition Map (APM). It worked fine for its time, but it had limitations, such as smaller disk size support. Since modern macOS versions no longer support APM for bootable drives, it’s mostly a relic of the past.
Master Boot Record (MBR) – The Windows-Friendly Option
MBR is a partitioning scheme commonly associated with Windows and external drives. While macOS can read and write to MBR-formatted disks, it isn’t used for booting macOS. It has significant limitations:
Maximum of four primary partitions.
Doesn’t support large storage devices as effectively as GPT.
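As an added illustration (not code from the original article), the Python sketch below tells the three schemes apart by the signatures each leaves in the first two sectors of a raw disk, and for GPT checks the header CRC32 that decides whether the backup table has to be used. It assumes 512-byte sectors; `identify_scheme` and `build_sample` are hypothetical names, and the sample sectors are constructed in memory.

```python
import struct
import zlib

SECTOR = 512  # assumption: 512-byte logical blocks (4K-native disks put LBA 1 at 4096)

def identify_scheme(img: bytes) -> dict:
    """Classify the partition scheme from the first two sectors of a raw disk."""
    lba0, lba1 = img[:SECTOR], img[SECTOR:2 * SECTOR]
    if lba1[:8] == b"EFI PART":                       # GPT header lives in LBA 1
        hdr_size, stored_crc = struct.unpack_from("<II", lba1, 12)
        backup_lba, = struct.unpack_from("<Q", lba1, 32)
        slots, = struct.unpack_from("<I", lba1, 80)
        # The header CRC32 is computed with its own field (bytes 16-19) zeroed
        hdr = bytearray(lba1[:hdr_size])
        hdr[16:20] = bytes(4)
        return {"scheme": "GPT", "slots": slots, "backup_lba": backup_lba,
                "header_ok": zlib.crc32(hdr) == stored_crc}
    if lba0[:2] == b"ER" or lba1[:2] == b"PM":        # APM driver map / first map entry
        return {"scheme": "APM"}
    if lba0[510:512] == b"\x55\xaa":                  # MBR boot signature
        # Four 16-byte slots start at offset 446; byte 4 of each slot is the type
        types = [lba0[446 + 16 * i + 4] for i in range(4)]
        return {"scheme": "MBR", "types": [t for t in types if t]}
    return {"scheme": "none"}

def build_sample(scheme: str, total_lbas: int = 62_500_000) -> bytes:
    """Constructed test data: the first two sectors of an otherwise empty disk."""
    img = bytearray(2 * SECTOR)
    if scheme in ("GPT", "MBR"):
        img[446 + 4] = 0xEE if scheme == "GPT" else 0x0B  # protective MBR / FAT32
        img[510:512] = b"\x55\xaa"
    if scheme == "GPT":
        struct.pack_into("<8sII", img, SECTOR, b"EFI PART", 0x00010000, 92)
        struct.pack_into("<QQ", img, SECTOR + 24, 1, total_lbas - 1)  # own LBA, backup LBA
        struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)       # table LBA, slots, slot size
        struct.pack_into("<I", img, SECTOR + 16, zlib.crc32(bytes(img[SECTOR:SECTOR + 92])))
    if scheme == "APM":
        img[0:2], img[SECTOR:SECTOR + 2] = b"ER", b"PM"
    return bytes(img)

if __name__ == "__main__":
    for name in ("GPT", "APM", "MBR"):
        print(name, identify_scheme(build_sample(name)))
```

A GPT disk also carries an MBR signature (the protective MBR of type 0xEE), which is why the GPT check runs first.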
How macOS Structures Storage with APFS
Apple’s APFS (Apple File System) introduced a new way to manage disk partitions. While it still uses GPT, the way macOS organizes volumes has changed significantly. Here’s a typical structure:

/dev/disk0 – The physical drive.
/dev/disk1 – The APFS container that holds multiple volumes:
/dev/disk1s1 – OS Volume (user data and system files).
/dev/disk1s2 – Preboot Volume (boot-related data).
/dev/disk1s3 – Recovery Volume (for troubleshooting and reinstalling macOS).
/dev/disk1s4 – VM Volume (swap space and hibernation data).
macOS Catalina (10.15) and Beyond
Starting with macOS Catalina, Apple split the system into two separate partitions:
System Partition (Read-Only, Mounted at ‘/’) – Stores macOS core files.
Data Partition (Mounted at /System/Volumes/Data/) – Stores user files and applications.
This change mirrors how iOS devices handle system and user data separately, improving security and stability.
macOS Big Sur (11.0) and Later – APFS Snapshots
Apple took it further by introducing APFS snapshots in macOS Big Sur. Instead of directly modifying the system partition, updates are now applied to a snapshot, ensuring safer and more reliable system updates.

The key difference:
The actual system partition is now a sealed APFS snapshot mounted at ‘/’.
Understanding Disk Images (.DMG Files)
Mac users frequently encounter DMG (Disk Image) files, used for installing software and storing disk copies. These images can use various partitioning schemes, including:

GUID Partition Scheme (common for system images and large software installations).
Apple Partition Scheme (for compatibility with older Macs).
MBR (for cross-platform use).
No partition at all (for simple data storage).
Disk images can also include encryption and compression, making them flexible for security and storage management.
Sparse Images and Sparse Bundles
Mac’s Legacy FileVault encryption uses two types of disk images:
Sparse Disk Image (.sparseimage) – A single growing file that expands as needed.
Sparse Bundle (.sparsebundle) – A collection of smaller files, more efficient for backups.
These can be created and managed using Disk Utility or the hdiutil command.
Useful macOS Disk Commands
macOS includes powerful terminal commands for managing partitions and disk images:
diskutil list – Lists all disks and partitions.
diskutil info /dev/disk(X) – Provides detailed information about a disk.
hdiutil create -help – Displays available options for creating disk images.
These commands help with troubleshooting, formatting, and analyzing disk structures efficiently.
When it comes to securing your Mac, FileVault 2 is Apple's built-in full-disk encryption solution, introduced with Mac OS X Lion.
What is FileVault 2?
FileVault 2 encrypts your entire disk (except for the EFI and Recovery partitions), making sure that even if someone gets hold of your Mac, they can't access your files without your password.
During setup, macOS presents a recovery key, which you can store with Apple or keep for yourself.
This key is crucial—it’s the only way to regain access if you forget your password.
Enterprise-Level FileVault 2 Management
If you're in a business or IT environment, you might need extra tools to manage FileVault 2 across multiple devices. Here are some popular ones:
Legacy FileVault (The Old Version)
Before FileVault 2, there was the original FileVault, now called Legacy FileVault, introduced in macOS 10.3. Unlike FileVault 2, it only encrypted your home directory, leaving everything else exposed. It stored the encrypted data in a sparse disk image, which wasn’t as secure or efficient as modern full-disk encryption.
Encryption on T2 and M1 Macs: A Built-in Shield
If your Mac reports “Encrypted at Rest,” it means your T2 or M1 Mac is already hardware-encrypted, even if FileVault isn’t enabled. This provides an extra layer of protection, ensuring your data remains safe.
CoreStorage: Apple’s Virtual Volume Management
CoreStorage is Apple's way of managing virtual disk volumes and plays a key role in FileVault 2 encryption. Here’s a quick breakdown:
Logical Volume Group (LVG): The top-level structure, linked to a physical disk.
Physical Volume (PV): The actual disk or disk image (can span multiple disks, like in Fusion Drives).
Logical Volume Family (LVF): Contains one or more Logical Volumes.
Logical Volume (LV): The place where your file system lives.
In macOS 10.10 and later, CoreStorage is enabled by default on new installs, but it doesn't necessarily mean encryption is turned on.
Checking Your Disk Encryption Status
To see whether your Mac is encrypted, use the diskutil command:
diskutil cs list
This command lists all CoreStorage Logical Volume Groups and their encryption status. If the output shows AES-XTS encryption, that means FileVault 2 is protecting your data.
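The Python sketch below is an added example, not part of the original article: it walks `diskutil cs list` output along the LVG / PV / LVF / LV hierarchy described above and reports each Logical Volume Family's encryption state. The sample text is constructed (UUIDs are made up), `encryption_report` is a hypothetical name, and treating a family as protected only once conversion has finished is this example's own assumption.

```python
import re

# Constructed sample in the layout `diskutil cs list` prints; UUIDs are made up.
SAMPLE = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    |
    +-< Physical Volume AAAAAAAA-0000-0000-0000-000000000001
    |   ----------------------------------------------------
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family BBBBBBBB-0000-0000-0000-000000000002
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        |
        +-> Logical Volume CCCCCCCC-0000-0000-0000-000000000003
            ---------------------------------------------------
            Disk:                  disk1
"""

HEADER = re.compile(
    r"(Logical Volume Group|Physical Volume|Logical Volume Family|Logical Volume) (\S+)$")

def encryption_report(text: str) -> list:
    """Return one record per Logical Volume Family with its encryption state."""
    families, kind = [], None
    for raw in text.splitlines():
        line = raw.lstrip(" |+-<>").rstrip()          # drop the tree-drawing prefix
        if m := HEADER.match(line):
            kind = m.group(1)
            if kind == "Logical Volume Family":
                families.append({"uuid": m.group(2), "disks": []})
        elif families and (kv := re.match(r"([^:]+):\s+(.*)", line)):
            key, value = kv.groups()
            if kind == "Logical Volume Family":
                families[-1][key] = value             # encryption fields live on the LVF
            elif kind == "Logical Volume" and key == "Disk":
                families[-1]["disks"].append(value)   # the mounted logical volume
    for fam in families:
        # Assumption of this example: AES-XTS alone is not enough while conversion is running
        fam["protected"] = (fam.get("Encryption Type") == "AES-XTS"
                            and fam.get("Conversion Status") == "Complete"
                            and fam.get("Fully Secure") == "Yes")
    return families
```

On APFS-formatted Macs `diskutil cs list` finds no CoreStorage groups; `fdesetup status` or `diskutil apfs list` report the FileVault state there.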
Exploring Disk Partitions with Disk Utility
Want to check your partitions?
Run:
diskutil list
This command shows all your drives, their partitions, and their unique disk identifiers (formatted as disk#s#).
You can also use Disk Utility.app (found in /Applications/Utilities/) to view and manage partitions visually.
APFS and FileVault 2: A New Era
With the introduction of APFS (Apple File System), storage is now more flexible, allowing multiple volumes within a single container. Here’s how it works:
APFS Container: The main storage unit.
Container Disks: The logical disks within the APFS container.
Physical Store Disks: The actual hardware (SSDs, etc.).
Each APFS volume has a role (e.g., Preboot, Recovery, VM, or the main OS volume).
FileVault 2 encrypts only the OS/User volume while leaving Preboot, Recovery, and VM unencrypted.
The Sealed System Volume (SSV): Next-Level Security
Starting with macOS 11, Apple introduced Signed System Volume (SSV), adding cryptographic protections to prevent unauthorized system modifications.
If you see the term “broken” in diskutil output, don’t worry—it’s normal! It just means that macOS is using a sealed snapshot for security.
Fusion Drives and Encryption
Some Mac models (like late Mac Minis and iMacs) come with a Fusion Drive, which combines an SSD and HDD for better performance. Even in these setups, CoreStorage helps manage storage allocation, ensuring frequently used files remain on the SSD for faster access.
DIY Fusion Drive Example
Here’s an example where two USB thumb drives were combined to create a Fusion Drive:
/dev/disk4: ~32GB
/dev/disk6: ~8GB
/dev/disk7 (MacHD_FUSION): The combined single partition
Even though this is an unencrypted CoreStorage setup, FileVault 2 can still be enabled for added security.
-----------------------------------------------------------------------------------------------------
Final Thoughts
Mac’s partitioning schemes have evolved significantly, from APM to GPT, and now to APFS-based containers. Understanding these changes helps users better manage their storage, troubleshoot issues, and optimize performance. With built-in encryption on newer Macs and the flexibility of APFS and CoreStorage, Apple continues to enhance security while keeping things user-friendly.
Have you enabled FileVault 2 on your Mac? If not, now’s a great time to take that extra step in securing your data!
------------------------------------------Dean----------------------------------------------------