Home Forums Hardware Mac Desktops & Notebooks iMac Pro and security

Very interesting: iMac Pro debuts custom Apple T2 chip to handle secure boot, password encryption, more

I must be missing something. What does Secure Boot solve, that I care for, as an end user?
Booting from an alternative drive has long been an important diagnostic feature. Booting with a non-latest OS may be an important compatibility feature; something important might break with only the latest. Booting from a non-Apple OS (Win/Lin) may also be a useful feature.

Like the now defunct hardware passwords on earlier Macs, the iMac Pro's Secure Boot does not prevent booting from another drive, it just adds an extra password step. It also takes at least some password technology out of software and transfers it to the arguably less vulnerable hardware hardware control.

Whether you would find it useful or not depends on you and how you use your Mac. Providing you keep no sensitive information on your computer such as identifications, passwords, financial data, sensitive project information, proprietary data, etc on your computer probably not much. My take is: given the increasingly hostile environment we call the internet and the target market for the new iMac Pro is the PRO user who, by definition, will often have such sensitive information on their machines, it sounds pretty attractive — but that is just my opinion.

Personally I think it would be even more useful on MacBooks and MacBook Pros because of their far greater vulnerability to physical theft. My question is how long before Secure Boot makes its way to the downmarket iMacs and MacBooks. It is only a matter of time before facial recognition will have spread from the iPhone X to every MacOS and iOS device with a built in display and Secure Boot seems a logical expansion of security.

It's mostly useful to those of us who use full disk encryption.

When you turn on disk encryption, the contents of your hard drive are encrypted using an AES key. This key is generated randomly, then encrypted using whatever password you set (contrary to popular belief, the password you set is not the encryption key; it's used to encrypt the encryption key), then recorded on the hard disk itself. That means if someone gets access to your computer, they can get access to the encryption key. They can't make use of it, because the key itself is encrypted, but if you chose a bad password, they might be able to break the key, and then get access to your hard drive.

The secure boot hardware moves the password off the actual disk and into a special high-security chip similar to the secure enclave in an iPhone. As several cases have shown, even a nation-level actor like the FBI or NSA can not extract information from this chip.

You can also set it up so that a hostile actor who has access to your computer can not boot your computer from his hard drive, potentially giving him access to your files (if they're not encrypted). Basically, if you turn on the secure boot option that prevents booting from another disk, a person who steals your computer will have an expensive paperweight.