FDE & you want to boot that disk on another machine
“ T2 doesn't just "make the Mac secure" - it also prevents any type of external backup service outside of Apple's walled garden.
For example: a normal computer - you can boot up on Linux and capture a full dd image. “
For free I can use apples backup solution to back my data up to an attached disk or Nas, I can use carbon copy cloner, super duper, iCloud google drive etc.
So you want FDE on your boot disk and want to boot that disk on other machines.
How about take an encrypted backup of you data for restore on another machine?
macOS stores it’s system volumes in a sealed apfs volume, there is no need to back that up, just install a fresh version. You’ll want to keep a copy of the data volumes as that contains user data.
You can configure, in the gui, the Mac to boot off any external volume you want even unix or windows, effectively instructing T2 to not enforce secure boot.
If you leave things as default, enable FDE & secure boot on, then you’ll need that Mac with its T2 to read its internal storage.
I’m not seeing the problem here as that’s totally desirable, with the option to reduce the security if required.
With the sealed system volume, malware would need to run on T2 & could discover the users encryption key for later unencryption of the data volume on that machine with its T2 chip, so needs 2 visits to that machine to get its data.
If you could copy the encrypted volume as you suggest it’d be possible to unencrypt the data offsite once the key was known making detection of something murky going on harder.
The T2 exploit still makes it hard to get at the user data on its encrypted volumes.
are other solutions more resilient in this aspect?
Is bitlocker more secure?