<abathur>
if apple would give us a damn firmlink :]
<evelyn>
hmm, wasn't synthetic.conf them chucking us scraps
<abathur>
presumably, but the whole story still seems to suck wrt to full-disk encryption
<abathur>
perhaps we can play a tiny violin about how much we admire their implementation and promotion of best-practice user security standards
<evelyn>
hmm with encryption login hook worked OK for me
<abathur>
and that it's really freaking annoying to have to leave our nix partitions unencrypted or use a deprecated solution if we need something like, using ☐ some feedback mechanisms or scheduling mechanisms that help me avoid going 3 months without taking a backup at home just because it never prompted me at the right time
<abathur>
maybe just touch a file for the choice each time and report time since touch somehow? (maybe easier to inform me than to come up with the perfect scheduling regime)
<abathur>
ffs
<abathur>
sorry, I clicked paste rather than copy, that may be a mess
<abathur>
yep, definitely a mess
<evelyn>
login hook is deprecated?
<abathur>
IIRC, the login hook sounded like a good solution, but is also deprecated?
<evelyn>
oh! so adding a volume to it that isn't formatted as encrypted still means the entire drive is encrypted by the T2 (on computers that have it)?
<LnL>
yep
<LnL>
that has some caveats but assuming the bios isn't opened up there's to real concern for most people
<LnL>
no*
<LnL>
machines without a T2 is probably different, didn't really verify that
<evelyn>
hmm disk utility claims that the volumes that aren't /nix and /run are APFS encrypted, and also there is still an option in disk utility for enabling filevault even though the documentation suggests t2 macs encrypt automatically
<evelyn>
it's all quite confusing
<LnL>
yeah, encrypted vs encryption at rest
<__monty__>
Would be quite annoying if you suddenly couldn't access filevaulted backups because your now mac has a T2 though.
<evelyn>
I don't think it affects external volumes
<__monty__>
I assumed you were expecting for the option not to be there at all.
<LnL>
the former requires a key to make the T2 unlock the data while the latter only needs the T2 and it's up to the recovery boot from apple to not just give access to the data