TinkerTool System 9 Help

The Pane APFS

Overview on APFS Volumes

As explained in the previous chapter, Apple’s File System APFS uses modern techniques for storage organization that can be confusing upon first look.

The sub-item Overview on the pane APFS tries to present the individual objects that have been created as part of APFS technology on the available hard disks, focusing on their hierarchical relationships. It shows the complete list of all APFS data structures on all disks currently attached to your Mac. By using the disclosure triangles in the column Object, the individual elements can be expanded and their parts can be reviewed. The following technical terms are used:

APFS containers are the physical sections on disk drives or SSDs that mark the “zones” on storage media where APFS is active.
Physical disks are one level below in the hierarchy, because an APFS container can be spread onto multiple physical storage units. In the default case, an APFS container is located on a single disk. However, it may also use multiple disks of a software RAID system, or it could be placed onto a Fusion drive, a composite of an SSD with a mechanical disk.
APFS volume groups are an option to collect multiple volumes within the same container into a single unit. APFS volume groups are capable of providing a feature called firmlink which means that a file can appear multiple times on volumes of the same group, but it is actually only stored once.
APFS volumes appear as separate entities that simulate classic disk drives. APFS volumes don’t need partitions. They can be added or removed at runtime, without stopping the operating system. Volumes within the same container share the same physical storage space, so each volume has virtually its entire container available. This means however, that the same used or free space may be counted multiple times. So a container of 1 TB that hosts 4 volumes provides virtually 4 TB, although only 1 TB is actually available. To avoid concurrency between volumes of the same container, it is possible for a volume to define a reserved space, a minimum of physical storage that is guaranteed to always be available for that volume, or a quota, a maximum of physical space that may be consumed even if more is available in the container.

The relationship between the different APFS object can be visualized as hierarchy

When you click on a line in the table, details about identification and size will be shown in a box at the lower part of the window. The table is updated automatically when connecting or disconnecting APFS disks. This also happens when you alter the APFS configuration, e.g. with Disk Utility. APFS volumes still appear in the table even when they are currently not mounted.

Please note that an APFS container can be spread onto multiple physical devices. This can be the case, for example, if a container is stored on an Apple Fusion Drive, a composite disk made by software, comprised of an SSD and a mechanical hard drive. For a Fusion Drive, the disk considered “faster” is shown with the type Main, the slower but bigger disk is marked as Secondary.

APFS volumes may have a special label that assigns this volume a particular task. This additional entry is called APFS role. At the moment, Apple uses the following types of roles:

System: volume for storing the operating system
User: personal home folders of users
Recovery: mini operating system for recovery
VM: swap space as part of the virtual memory management
Preboot: components to launch the operating system from encrypted volumes (e.g. the user interface of FileVault)
Installer: temporary storage of data that is needed during the installation of the operating system
Data: all mutable data of users and the operating system
Baseband: firmware for operating the radio hardware of mobile devices, only used by iOS or iPadOS
Update: an auxiliary volume which is used during processing of operating system updates
XART: an auxiliary volume which is used for transferring data to and from the secure enclave, e.g. fingerprint information
Hardware: an auxiliary volume that stores firmware for hardware components
Backups: a volume used as destination for Time Machine data
Enterprise: a volume used to store device data if the computer is enrolled in the remote management system of an organization
Prelogin: a volume that holds the mini operating system used by FileVault to control user logins before the actual (encrypted) operating system is started
Reserved: reserved for future types of use.

APFS Keys and Volume Ownership

APFS volumes can be encrypted. On modern Macintosh model series, the built-in flash memory is always encrypted by hardware, even if users aren’t aware of that and do not even know the actual key. In this case, the hardware must manage the associated keys or key parts and regulate access to this data in a secure manner. The Secure Enclave is used for this, a cryptographically protected high-security area within the processor, which is unique for each Mac and for which even Apple does not know all parts of the keys.

For each encrypted APFS volume, there is a list of users who are able to access the data needed to decrypt the volume. This is unrelated to file permissions. In addition to actual persons, institutional roles can also be registered in the list of accounts. For example, if FileVault is used on the macOS startup volume, not only local users can decrypt the volume. Alternatively, decryption is also possible using a recovery key, which was either given to an administrator as a text code during setup, or stored in Apple’s iCloud if desired. In this case, the FileVault recovery role is also listed as an apparent user in the key management list of an APFS volume.

TinkerTool System can retrieve a list of users or key access roles capable of decrypting a given APFS volume. To do this, perform the following steps:

Open the sub-item Keys & Ownership on the pane APFS.
Click List Volume Key Access Parties….
Select the desired APFS volume.

For each encrypted APFS volume, a list of users with key access is managed. Macs with Apple Silicon additionally maintain a volume ownership property.

As mentioned previously, the flash memory of modern Macs is always encrypted. For Macs with Apple Silicon, this fact is also used for further security measures. For such models, the notion of volume ownership is introduced. This term has nothing to do with file permissions or legal possession of the Mac. Among others, the following operations are blocked for all users who are not considered volume owners of the volume on which the affected macOS system is stored:

installing or updating macOS,
removing all user data while keeping the operating system, i.e. using the function Erase all content and settings,
changing the startup security policy.

This property appears in the column Volume Owner for each user who can decrypt the volume. Macs with Intel processors do not have this security measure.

Automatic Defragmentation

macOS is able to automatically defragment disks. Defragment means that the memory blocks that make up a single file are stored as close together as possible on the medium. They should not be in separate parts (fragments) that are far apart from each other. This way, the read/write heads of a magnetic hard drive have to move as little as possible when a file is read. This increases the perceived speed of hard disk access. The computer works faster. Fragments occur when files have to be enlarged and the necessary storage is already occupied by other files “behind” the occupied blocks. The defragmentation moves all blocks to a different location on the hard disk where there is just enough free space available at the moment to store all blocks one after the other, if possible.

With modern SSD storage media or flash memory, there are no read/write heads any longer. Each block can be addressed directly and be read at the same speed, no matter how far apart the parts of a file are scattered on the storage medium. Therefore it does not make sense to use defragmentation on such storage media. On the contrary: Since many or all blocks of a file have to be copied to another location during defragmentation and each memory block of a flash memory can only tolerate a limited number of write operations, wear and tear increases. The lifetime of the storage medium decreases.

Defragmentation may therefore only be used on conventional magnetic hard drives with read/write heads, not on SSDs.

Since Apple has stopped using magnetic disks in Macs for several years, automatic defragmentation is switched off for the APFS format by default in macOS. However, it can make sense to enable automatic defragmentation for external magnetic disks. The files are not defragmented at specific times, but only when necessary, namely when a file is large enough to make defragmenting worthwhile and only when this file has to be changed during an ongoing write process anyway.

Automatic defragmentation can be activated for APFS volumes and containers stored on magnetic disks

TinkerTool System allows you to verify on which APFS volumes automatic defragmentation is active. You can turn this feature on or off if you like. Perform the following steps to do so:

Open the sub-item Defragmentation on the pane APFS.
Click the button Update below the table.

Volumes located on SSDs or flash memory are automatically omitted from the table if this property could be detected reliably. However, there may be storage media for which, for technical reasons, it won’t be possible to determine whether storage is magnetic or using solid-state technology. You should be able to tell for yourself based on the volume name on which medium a volume is stored, ensuring defragmentation is only enabled for magnetic disks.

You can activate automatic defragmentation for a volume or container by setting the check mark in the respective table row. The changes will take effect as soon as you click Apply. If you enable defragmentation for an APFS container, it will only affect future volumes that will be created later on that container, not existing volumes.

Working with APFS Snapshots

The purpose of snapshots has been discussed in detail in the chapter for the pane Time Machine already. Each Local Snapshot of Time Machine is implemented technically by an APFS snapshot. However, the operating system is free to use these snapshots for purposes other than Time Machine as well. The sub-item Snapshots on the pane APFS gives you the opportunity to work with all snapshots, not only the ones in use by Time Machine.

However, Apple does not grant users the right to create new APFS snapshots on a volume at their own discretion. There is no official feature to initiate this process for a selected volume, unless this is performed by backup software which has explicit approval by Apple to do so. The user can produce new APFS snapshots only indirectly, by sending a maintenance command to Time Machine to create a Local Snapshot. However, this is naturally associated with the restriction that snapshots will be created on those APFS volumes only which are part of a Time Machine backup, and that snapshots will be created on all those volumes simultaneously.

If you like to create APFS snapshots in this indirect way, click the button Create new snapshots via Time Machine… in the lower left corner of the window.

APFS snapshots can be listed and deleted

To review the current snapshots stored for a specific APFS volume, perform the following steps:

Open the sub-item Snapshots on the pane APFS.
Choose the desired volume with the pop-up button Select APFS volume:.

The complete list of snapshots will then be shown in the table. When you click on a line in the table, more detailed information will also be shown in the box at the bottom of the window. You will see the name of the snapshot as it was assigned by macOS, a short numerical identification, also known as XID, and a unique identification in form of a UUID. The field private size indicates how much storage space the corresponding snapshot is actually consuming for itself. Virtually, each snapshot contains a copy of the entire volume for a particular point in time of the past, which is much more storage. However, the snapshot shares this storage with the current volume content or other snapshots. Such multiply counted storage is not actually used additionally, so it does not become part of the private size of a snapshot.

The notice Limiter is an indicator that macOS is also using this snapshot as additional marker to define the minimum size of the respective APFS container. The operating system is capable of changing the size of partitions in hindsight, without requiring to erase and to re-partition the entire disk. When using APFS, reducing the size of a partition means shrinking the APFS container included in that partition. Because multiple volumes and multiple snapshots may share the storage space of a container, shrinking can be a complex procedure. The “rearmost” APFS snapshot of the container determines the minimum size to which the container can be reduced. The detail box lists this furthest limit for each snapshot as tide mark.

When you have selected one or more snapshots in the table, the button Delete can be clicked to remove the respective snapshots immediately. The visible data on the APFS volume won’t change in any way. Only the possibility to travel back in time at the push of a button to an earlier state of the volume will be eliminated. The button Delete all… will remove all APFS snapshots from the volume after you have expressly confirmed this.

Copying APFS Data

macOS offers system features that make it possible to copy parts of an APFS hierarchy, i.e. containers, volume groups, or volumes, very rapidly. This quick-copy function is known as replication in this context. The resulting copies will match the originals with high fidelity. Each copy is an identical clone of the original and will also retain volume names. The unique identifiers won’t match, of course.

In detail, you can clone the following APFS objects:

an APFS container to another APFS container: the destination container is erased completely. However, this copy operation will only be possible if all volumes in the source container have individual APFS roles (see also the introductory section).
a volume group or a volume into a different APFS container: the affected volumes will be added to the destination container. This means no data will be erased.
a volume group into an existing volume: The destination volume will be erased. It must not be part of a different volume group already.
a snapshot of a volume into a different volume: here, the destination volume will also be erased. It is additionally necessary that the source volume is currently mounted.

It is possible to clone an entire installation of macOS. The operating system and your user data are stored in a volume group consisting of a volume with the role System and a volume with the role Data. If that system is currently running, there will also be a sealed snapshot volume for the system volume. At least two additional volumes with the roles Preboot and Recovery also need to be copied. TinkerTool System and macOS automatically detect whether you intend to replicate a macOS installation and automatically add the minimum set of volumes required. This is only guaranteed to work correctly if the following conditions are met:

If you like to clone the running system, select the snapshot of the System volume as source, and an empty APFS volume as destination.
If you like to clone another system, select its volume group as source, and an empty APFS volume as destination.

Unfortunately, a successful replication of all required macOS volumes does not always mean that the copy can launch correctly, or could launch on any computer. In particular, Macs with security chips may refuse to start up unless the operating system copy has not been activated once again via an Internet connection with Apple.

If the hardware is protected by an Apple security chip or an Apple Silicon processor, an additional authentication by a user account of the copied system may be required for startup.
If the hardware is protected by an Apple Silicon processor, it can be necessary to “over-install” the operating system with a matching version to re-bind OS and hardware. Your user data will remain intact.
If such a re-installation of macOS is required, Apple may not support this yet for all types of disk drives, firmware versions, and Macintosh models.

In all cases, source and destination must belong to different APFS containers. This means it won’t be possible to duplicate a volume within its container.

Perform the following steps to copy an APFS object:

Open the sub-item Copy on the pane APFS.
Choose the object that should be copied in the table Source. If desired, set a check mark at Copy snapshot instead of live volume additionally.
Select the destination where the object should be copied in the table Destination.
Click the button Copy….

While selecting source and destination, TinkerTool System will already show a message at the lower edge of the window that gives a preview which operation would be executed if you started the procedure. If data will be lost in the target container (because one or more volumes replace already existing volumes), you will be informed in a separate dialog and will have to confirm this. When copying a snapshot, you will also be asked about the snapshot’s name.

When the copying has begun, a dialog sheet will be shown which is filled with a report of the ongoing operations. After the copy procedure has completed, the report can be saved or be printed.

By clicking the Stop button, TinkerTool System can be forced to cancel the running copy operation. This is not recommended however, and should only be used in emergency cases. At the moment, macOS is not mature enough yet to handle an APFS volume copied “halfway”. In the destination container, the volume will appear as damaged item with a temporary name. In such a case it is recommended to restart the computer, and then to remove the affected volume from the destination container with Disk Utility.