Regarding turning on macOS' FileVault after it was not turned on for installation, it says here...

If FileVault is turned on later — a process that is immediate since the data was already encrypted — an anti-replay mechanism prevents the old key (based on hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.

What kind of anti-replay mechanism might this be? Would the old key have been salted with a random key that is then deleted and effectively replaced with the user password?

Would setting up FileVault at installation be more secure because it doesn't require an anti-replay mechanism? It sounds to me like it's similar to a routine change of password.

asked Sep 17, 2023 at 21:47
