Tuesday File Systems Lab Notes

Question:

Can an APFS container span multiple physical devices?


Answer:


Not right now. Apple's looking at that, in relation to Fusion drives. No RAID or RAID-like support is planned for APFS.




Question:


How does CoreStorage interact with APFS during the APFS conversion process?



Answer:


The plan is to have the APFS conversion process read the Core Storage plus HFS+ metadata and convert them to an APFS container. For encrypted Core Storage volumes, you will likely be prompted for an account password or recovery key before the conversion process begins.




Question:


Is fdesetup going to be the tool for interacting with APFS encryption, or will there be a new command line tool for managing APFS encryption? If there's a new tool, what is it?



Answer:


To be determined because Apple is still looking at this.


With regard to encryption, Apple has started work on this part of APFS but the work is not yet complete.




Question:


Can APFS recovery key(s) be escrowed when enabling encryption? The goal is to store the recovery key(s) somewhere for later recovery by the company / institution which is managing the encrypted machine.



Answer:


Recovery key escrow is planned, but not yet implemented.



Question:


Can the per-file encryption mechanism be set up with an escrowed recovery key?



Answer:


This is similar to how iCloud backup works on iOS now. iOS devices have per-file and per-metadata encryption already in place. Each file has its own encryption key. The iCloud backup process has access to the unlock keys stored in iCloud, which in turn allows the raw data to be backed up to iCloud and allows backups to the iCloud service.


When you restore from an iCloud backup, the recovery key is also wrapped using your current Apple ID password and that unlocks the backup when it comes back down from iCloud.



Question:


How closely will the unlocking mechanism and escrowing of encrypted APFS emulate what we have today in FileVault 2?



Answer:


User interface and escrow are still being worked out by Apple.





Question:


Are we still getting the same EFI-based FileVault 2 unlock screen at boot up?



Answer:


User interface is still being worked out by Apple.





Question:


How will Disk Utility interact with APFS encrypted volumes?


Answer:


Disk Utility doesn't work currently in Sierra DP 1. All APFS-related work should be done currently via the diskutil command line tool.



Question:


Will Disk Utility be able to unlock encrypted volumes? Decrypt encrypted volumes?



Answer:



No plans to support decryption via Disk Utility (similar to how it works in OS X El Capitan). Command line tools will need to be used for decryption (likely via diskutil apfs).


Disk Utility will be able to unlock encrypted volumes.



Question:


Is there any documentation for APFS encryption available beyond what's included in the current APFS overview?


https://developer.apple.com/library/prerelease/content/documentation/FileManagement/Conceptual/APFS_Guide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40016999-CH1-DontLinkElementID_27



Answer:


Documentation about encryption will be included in the format spec documentation. That documentation is still in development and will be ready for release when APFS itself is ready for release.



Further observations:


APFS is not ready for release and Apple is still working on it, as evidenced by the answers to several questions above. In particular, they have not yet gotten a full stack implementation working for the encryption portion of APFS.


Apple is talking about APFS now so that folks will begin testing it and finding issues with it. My assumption is that attendees at WWDC 2017 will be able to get full answers to many issues which are currently in the "To Be Determined" category.


See complete list of session and lab notes here:

https://forums.developer.apple.com/message/142899

Replies

Was there any discussion on checksumming (etc) to maintain data integrity across the read/write chain?

Thanks to rtrouton for the notes here and elsewhere.


> … read the Core Storage plus HFS+ metadata and convert them to an APFS container. …


Please: as a prerequisite to conversion, must the HFS Plus file system be a logical volume within Core Storage world?


Postscript


I performed just one test, inconclusive. I must reinstall the OS before a retest. In the meantime I suspect that Core Storage is not a prerequisite.