WWDC 2017 Apple File System Lab

These questions are community-driven. I am also not the original questioner, I'm just posting them with permission. Thank you to the anonymous folks who helped gather this information.



Question: Will ASR continue to function with APFS? If not, will imaging via HFS+ (possibly converting to APFS afterwards) continue to be supported moving forward?


Answer: Yes, ASR will continue to be supported.



Question: Is fdesetup going to be the tool for interacting with APFS encryption, or will there be a new command line tool for managing APFS encryption? If there's a new tool, what is it?


Answer: Yes, fdesetup is still the tool to use going forward.




Question: Will the APFS per-file encryption / per-metadata encryption / per-extant encryption mechanisms each need their own recovery key?


Answer: Full Volume Encryption for FileVault. Unclear on whether there are recovery keys when using e.g. per file encryption.




Question: Can APFS recovery key(s) be escrowed when enabling encryption? The goal is to store the recovery key(s) somewhere for later recovery by the company / institution which is managing the encrypted machine.


Answer: The people who know the answer to that aren’t here today.




Question: How closely will the the unlocking mechanism and escrowing of encrypted APFS emulate what we have today in FileVault 2?


Answer: Basically the same from the user level. Same recovery keys, same unlocking mechanism.




Question: On a Mac with encrypted APFS, are we still getting the same EFI-based FileVault 2 unlock screen at boot up?


Answer: Yes, need to unlock at EFI first. Works the same way as now.




Question: How does CoreStorage interact with APFS during the APFS conversion process?


Answer: Didn’t get a super detailed answer to this. Here’s what I got:


Convertor kicks in, in the talk the new metadata. Convertor will pause everything to make sure it has a stable environment to work with. Put new environment into free space on disk with dry config. Points superblock to APFS (away from core storage) when it’s done.


If you use diskutil command line, can’t have multiple Logical Volumes inside one.


If you have multiple volumes, that’s unsupported right now and you might have issues. They might convert at least one, but it might also fail. If you have a use case where you’ve created LVGs with multiple LVs inside, and would like conversion to support that, please file a radar.




Question: Will Disk Utility be able to unlock encrypted APFS volumes? Decrypt encrypted APFS volumes?


Answer: Yes




Question: AFP as a file sharing protocol has been deprecated quite some time ago. Going forward, APFS formatted volumes will not be able to offer AFP file sharing services. However it looks as if APFS clients can still connect to AFP volumes. I wonder how this behavior will stand the test of time over the coming years and macOS iterations.


Answer: AFP does not work in server mode on APFS volumes, but the AFP client does work on High Sierra, even when running on an APFS volume. Can’t comment on whether this will be supported in the future (past High Sierra). Strong recommendation is to get off AFP and moving to SMB.




Question: Are there plans to migrate user data/ the /Users folder to a separate data container on conversion from HFS+ to APFS or any sort of data manipulation such as that?


Answer: No further segmentation. After conversion you end up with a single APFS volume within a container.




Question: Is there a way to tell how much disk space individual APFS snapshots are using on a particular APFS drive? If there is, which tool can be used to see the individual snapshot disk space information?


Answer: Right now, no. File a bug if you’d like this functionality.




Question: Can snapshots be copied to other drives? Like if you have snapshots on Drive A, can they be backed up on Drive B and restorable?


Answer: At this point no, that’s in the works.



Question: Will you be able to use asr to block-level copy an APFS disk image? The APFS presentation alluded to only the installer being capable of this action.


Answer: This doesn’t work as of now. They’re working on it


Answer: It’s possible, but for bootable AFS, you have to go through the installer. High Sierra installer performs EFI firmware update needed to boot.


APFS containers can only exist inside partition maps. If you’re creating an APFS disk image, create a temporary disk image that’s been partitioned with 1 partition. Target disk mode, look at that APFS container. It doesn’t have enclosing GPT partition map, so you can’t just convert that partition into a disk image and use it directly. So you create a temporary disk image, then use ASR clone functionality between two block devices. Basically you’re take the existing APFS container and copying it inside this disk image. You end up with a bootable container with a single volume inside it, that gets copied into the disk image. When you restore that onto a system, it blows away what’s on the target system and replaces it with the contents of the dmg: container + APFS volume.




Question: There are already hints about SecureBoot in /usr/standalone/i386/SecureBoot.bundle - can any additional information be given about this?


Answer: They don’t have any additional information about this as this point


Answer: Can’t comment on roadmap/future features.




Question: During the APFS presentation it was alluded to that using APFS snapshots will require an entitlement. How should enterprise users be able to use this? Should each enterprise company reach out to Apple or will there be a way to use this if the device is enrolled in DEP?


Enterprise is interested in using snapshot ability to restore a device to the state it was in before being handed out to a user, suitable for updating, re-snapshotting, and then redeploying to a new user.


Answer: At this point it looks like one should get in touch with Apple Developer Relations team to discuss use cases


Answer: This is more of a question for the MDM/device management team. Was told to ask at that lab later.




Question: How closely will the the unlocking mechanism and escrowing of encrypted APFS emulate what we have today in FileVault 2?


Answer: “Not sure”, but can’t use fdesetup right now with dev preview.




Question: Will Disk Utility be able to unlock encrypted APFS volumes?


Answer: Yes.




Question: On a Mac with encrypted APFS, are we still getting the same EFI-based FileVault 2 unlock screen at boot up?


Answer: Yes. Exactly the same



Question: Do they expect to support the ability to deploy APFS chunks around? i.e. containers, snapshots, etc.? Will that be a supported method of getting stuff onto APFS machines?


Answer: After a volume is marked for snapshot rollback, it doesn’t change until it’s remounted - what happens if files are created on it before remount?




Question: Is there an “Erase all contents and settings” option for macOS, similar to what’s available on iOS?


Answer: Not at this point. “Can’t comment on roadmap items”


See complete list of session and lab notes here:

https://forums.developer.apple.com/message/234797

Replies

Awesome! Thanks Rich!

Rich,


This was updated Monday and there is a new "FDE Recovery Key Escrow Payload" for 10.13



https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html


C


PS thanks again for all your notes they are the best for those of us who cna't make it..