
How and Why to Enable FileVault Encryption on Your Mac

FileVault Tips

Now that you’re set up with FileVault encryption on your Mac, you’ll want to make sure you’re taking full advantage of the protection that FileVault provides. First, don’t leave your Mac logged in and unattended in any public location. It’s a good idea to make sure that you configure your Mac to require a password when waking from sleep or a screensaver (you can do this in System Preferences > Security & Privacy > General), and you’ll want to get in the habit of fully shutting down your Mac whenever there’s a chance of unauthorized access.

The reason for the above precautions is that FileVault 2 is transparent to the user after an authorized login. Your data is still encrypted on disk, but if you’re logged in with an authorized user account, anyone with physical or remote access to your system can see, edit, copy, or destroy your data just the same as you could. Securing the Mac with a screensaver or sleep password helps, but to fully “lock down” the encrypted drive, you’ll want to perform a complete shutdown.

Next, you’ll need to consider the protection of your backups. Your Mac’s system drive may be encrypted, but your backups may not be by default. If you’re using Apple’s Time Machine, you can easily rectify this by going to System Preferences > Time Machine > Select Disk and checking the box Encrypt Backups. If you’re using a third-party backup solution, check to see if the software or service offers an option for encrypted backups.

How to Enable FileVault

Finally, for Macs with multiple user accounts, you can manage which users can unlock a FileVault-protected Mac. In our examples and discussions above, there was only a single admin user account. If a Mac has multiple user accounts, you’ll be prompted to choose authorized users when first enabling FileVault in System Preferences. Simply click the Enable User button and enter that user’s password for each account that you want to be able to boot and decrypt the Mac. Note that while these users will be able to decrypt the entire system drive, the standard OS X user protections remain in place, meaning that one user won’t be able to see another user’s non-shared data from the Finder.
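The same settings can be checked from Terminal. The script below is an added example, not part of the original article: it reads `fdesetup status`, `fdesetup list` (needs root) and the `askForPassword` screensaver preference, and flags any account that can unlock the disk but is not on a list you expect. The function names and the `--live` switch are hypothetical, and the `askForPassword` key is assumed to reflect the wake-password setting on the OS X releases this article covers.

```shell
#!/bin/sh
# Added example. Parsing lives in functions so it can be tried on sample text.

# filevault_state TEXT: classify the output of `fdesetup status`.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# unlock_users TEXT: short names from `fdesetup list` ("name,UUID" per line).
unlock_users() {
    printf '%s\n' "$1" | awk -F, 'NF == 2 && $1 != "" { print $1 }' |
        sort | tr '\n' ' ' | sed 's/ *$//'
}

# unexpected_users "ENABLED" "ALLOWED": enabled names missing from ALLOWED.
unexpected_users() {
    for u in $1; do
        case " $2 " in
            *" $u "*) ;;
            *) printf '%s ' "$u" ;;
        esac
    done | sed 's/ *$//'
}

# wake_password_state VALUE: interpret the askForPassword preference value.
wake_password_state() {
    case "$1" in
        1) echo required ;;
        0) echo not-required ;;
        *) echo unknown ;;   # key absent, or a release that stores it elsewhere
    esac
}

# audit_mac "ALLOWED": run the live checks on this Mac.
audit_mac() {
    enabled=$(unlock_users "$(sudo fdesetup list 2>/dev/null)")
    echo "FileVault:        $(filevault_state "$(fdesetup status 2>/dev/null)")"
    echo "Password on wake: $(wake_password_state \
        "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)")"
    echo "Can unlock disk:  ${enabled:-none found}"
    echo "Not on your list: $(unexpected_users "$enabled" "$1")"
}

# Usage on a Mac: sh audit.sh --live alice bob
if [ "${1:-}" = "--live" ]; then shift; audit_mac "$*"; fi
```

Run it after adding or removing accounts, since every name under "Can unlock disk" can decrypt the whole system drive at boot.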

Lock it Down

Not every user needs (or will be able to use) FileVault, but Apple’s whole disk encryption feature has many benefits and should definitely be considered by users with sensitive data (especially MacBook users frequently on the go). While no security scheme is ever completely guaranteed, with the right hardware and a proper backup solution FileVault can offer excellent protection for critical data via an easy setup process and minimal performance hit.

Those with multiple drives or non-standard drive configurations will need to look elsewhere for their encryption needs, but for most Mac users FileVault provides a great benefit with Apple’s usual “set it and forget it” configuration.

This article aimed to present a general overview of FileVault and why an average Mac user might consider enabling it. Those interested in a deeper technical discussion of FileVault encryption and deployment strategies can check out Apple’s FileVault 2 White Paper (PDF). There are also numerous independent analyses of FileVault’s encryption, including this 2012 paper (PDF) explaining how FileVault 2 can be defeated (don’t worry, it requires physical access to a logged-in Mac).

Finally, FileVault can be turned off just as easily as it can be turned on. If you’d like to disable FileVault, simply head back to System Preferences > Security & Privacy > FileVault, unlock the padlock with an admin account and password, and click “Turn FileVault Off.”


  • fight.the.stupids

    Any issues with using Target Mode on a Mac encrypted with Filevault 2? For example, if a person wanted to use Migration Assistant and the current Mac is using Filevault 2, are you just required to put in one of the usernames/passwords? Or are you required to enter a Master Password? How does that work? Thanks.

    • http://www.tekrevue.com/ TekRevue

      I haven’t looked at this exact scenario since Lion launched but, as I recall, a migration with Migration Assistant should work just fine with the correct user account password (if migrating FV2 to FV2) or correct master password (FV1 to FV2). There have been some reports of issues after migration (“unable to log in to the FileVault user account”) but you can solve this by deleting the user account, leaving the user data intact, and then recreating a new user with the same name to point to the existing data. See Apple Support Article TS4184 for more on this.

      To verify this, I’ll enable FV2 on one of our MacBooks and do a test migration. I’ll report back if anything is different from my recollections. The data is encrypting now; should have results in a few hours.

      • http://www.tekrevue.com/ TekRevue

        Okay, so after testing it out, when you try to mount a FV2-protected Mac via Target Disk Mode, OS X will ask for an unlock password. This can be any password that was authorized to boot the Mac during FileVault setup. http://www.tekrevue.com/wp-content/uploads/2014/01/filevaultTDM.jpg

        Once the password is entered, the drive mounts and acts the same as any other external drive. As for Migration Assistant, it doesn’t look like FV2 settings are transferred over, so you’ll need to do that manually after the migration. So it seems to go: TDM old Mac to new > unlock old Mac with any authorized password > copy data unencrypted to new Mac > reboot new Mac and reenable FV2.

        • fight.the.stupids

          Thanks a lot for trying that out. Migration Assistant is a great feature and to be able to still use it with FV2 is great.

  • Frederick D

    Great article. Thank you for the history lesson on File Vault 2 as well. It is good background information. What I have been using as an additional layer of protection is the SecuriKey Pro USB token. This works with a standard Mac or a File Vault 2 protected Mac to add two-factor authentication. Without the USB token it is not possible to log into the Mac, nor unlock the File Vault 2 encryption.

    It is very cool and easy to use.

  • greendrawer

    Really not sure why “you’ll need to remember your user account password or recovery key”
    qualifies as one of the reasons as to why Filevault 2 is “not perfect”. Especially as the “first and most important” reason as to why it’s not perfect (?)

    • http://www.tekrevue.com/ TekRevue

      “Not Perfect” means that new users will forever lose access to their data if they can’t remember an account password or recovery key. This is true with many encryption schemes (some use hardware keys like USB drives), but this article is targeted at new Mac or new FileVault users, and we were trying to stress the reality that data could be irrevocably lost without a password. A “perfect” scenario, which may not exist today, is one that protects user data without the risk of permanent loss (think future implementations based on fingerprints, DNA, etc.)

      The reference to not needing a separate password is just pointing out that you only need an account password, as compared to third party solutions that are often set up with their own passwords (although I suppose a user of something like TrueCrypt could set their encryption password to match their account password).

  • Alan Goldberg

    One of the things that put me off using FV1 was the performance hit that encryption made on video apps like iMovie.

    Have you done any testing to see the performance of video capture if you are storing your data files to the encrypted drive with FV2?

  • Paul Wasmund

    Have you done any recovery testing on Mavericks? I have been testing FileVault encryption and recovery procedures recently and while the standard schemes using the recovery partition and commands such as diskutil cs revert and diskutil cs unlockVolume work as expected on Lion and Mountain Lion recovery volumes, the same is not true using a Mavericks recovery volume. For example, I unlock the recovery keychain and try to mount a FileVault volume using

    diskutil cs unlockVolume lvUUID -recoverykeychain /path/to/recovery.keychain

    This hangs on Mavericks even though the exact same command works on older recovery volumes. No error is given, the command just puts up its indefinite character passed progress bar, asks for permission to access the private key in the keychain which is granted and never does anything else.

  • Sam

    I’m running Mountain Lion 10.8.5 on a MacBook Pro 13″. I have a FAT32 partition on my disk and don’t care if it gets encrypted or not. Will I run into problems enabling and using Filevault 2 on the main partition? I also use Parallels Desktop with Windows 7 & 8 virtual machines. Will these still work? I often use SuperDuper to create bootable USB backups. If my internal disk crashes, I can boot from an external USB backup drive and continue working until the internal drive is replaced and data is restored. Will my backup/restore scenario that I described above still work if I enable Filevault 2?

  • BruceWayne

    Great article. Very helpful to a casual mac user such as me. Informative and readable. Very much appreciated.

  • Veronica

    Is there any way to retrieve my photos from File Vault 1 from an external hard drive? I had my computer wiped because I could not remember my File Vault password from two years ago. I backed up all my family photos (40,000 photos) onto my external hard drive before wiping my computer, through Time Machine. I am so sad that I cannot access my photos on the external hard drive now. How can I access them?! Any suggestions?

    • http://www.tekrevue.com/ TekRevue

      Is the Time Machine backup encrypted, too? If not, and if the drive still works, you should be able to restore from that backup using Migration Assistant. As the Time Machine drive now contains the only potential copies of your photos, I’d recommend paying the Apple Store a visit so that they can help guide you through the process.

      • Veronica

        The Time Machine backup is also encrypted :(
        I was at the Apple Store when I wiped my Mac. There was some miscommunication, and I thought that my external hard drive safely stored all my photos. I am praying for a miracle! I am going to go visit the Apple Store again tomorrow. Thank you for your suggestion and for responding so quickly!

        • vampyren

          I know it won’t help with your problem but I suggest you buy something like mSecure and save your passwords securely. It costs a bit but it’s priceless when you need to remember an important password. I have mSecure on my iPhone, Mac and Android phone. It wasn’t the cheapest solution or product but after several years those initial costs are meaningless. I have had so much use for this app that I can’t be without it now. I save all my passwords for work, home, websites and much more in there. I wish you good luck at the Store...