How to protect your Mac using FileVault 2 encryption

FileVault 2 protects your data by encrypting everything on your drive. Is it worth using?

An administrator password only goes so far to protect your Mac, but what happens if someone circumvents it or boots from another volume? The contents of your Mac will be vulnerable — unless you encrypt it. Fortunately Apple enables just such technology with FileVault 2 encryption, and it's built right into OS X Mavericks. Here's how to enable FileVault 2 encryption on your Mac.

FileVault 2 is whole-disk encryption for the Macintosh. The entire contents of your Mac's hard disk are encrypted using XTS-AES 128, a secure encryption algorithm. (The original FileVault, available for Snow Leopard, uses weaker AES 128 encryption.)

What you'll need to use FileVault 2

  • A Mac running OS X Lion 10.7 or later
  • A hard drive with a Recovery Partition installed (to check, try rebooting your Mac while holding down the Command and R keys).

How to turn on FileVault 2

  1. Click on the Apple menu.
  2. Select System Preferences....
  3. Click on Security & Privacy.
  4. Click on the FileVault tab.
  5. Click on the padlock icon in the lower left hand corner.
  6. Enter your system password and click on Unlock.
  7. Click on Turn On FileVault.
  8. Write down or record the recovery key and store it in a secure location. This is a second-line defense if you should forget your system password, or if something goes wrong with that password. Then click the Continue button.
  9. You can optionally store the recovery key with Apple. If you do, you'll be required to enter three security questions to verify your identity, should you ever need the key.
  10. Click the Restart button to restart your Mac, activate FileVault and begin the encryption process.
  11. After you restart, you'll be required to log in. Once you do, FileVault will begin to encrypt the information on your hard drive. It may take several hours depending on the performance of your Mac and the amount of data you're encrypting.

The recovery key is absolutely vital — if you don't have this and something goes wrong with your Mac's system password, the data on your hard drive will be lost permanently. So make sure you've recorded it, or that you've stored the recovery key with Apple.

FileVault will encrypt files in the background. During the initial encryption process and thereafter, you'll be able to continue to use your Mac normally.
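
To confirm from Terminal that the steps above took effect, here is an added example (not part of the original article) that classifies the output of `fdesetup status` and looks for a Recovery HD slice in `diskutil list`. The helper names and sample strings are constructed, and the matched phrases are assumed from the usual wording of `fdesetup` output.

```bash
#!/bin/bash
# Added example: interpret `fdesetup status` (OS X 10.8 or later).
# fv_state, fv_fully_protected and has_recovery_hd are hypothetical helpers.

# Print one of: on | off | encrypting:<pct> | decrypting:<pct> | unknown
fv_state() {
    _fv_text="$1"
    _fv_pct=$(printf '%s\n' "$_fv_text" |
        sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1)
    # Conversion lines take priority: "FileVault is On." is also reported
    # while the initial background encryption pass is still running.
    case "$_fv_text" in
        *"Encryption in progress"*) echo "encrypting:${_fv_pct:-?}" ;;
        *"Decryption in progress"*) echo "decrypting:${_fv_pct:-?}" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Data at rest is fully covered only once the conversion has finished.
fv_fully_protected() {
    [ "$(fv_state "$1")" = "on" ]
}

# True if `diskutil list` output shows a Recovery HD (Apple_Boot) slice.
has_recovery_hd() {
    printf '%s\n' "$1" | grep -q 'Apple_Boot.*Recovery HD'
}

# Constructed sample: a Mac a few minutes after step 10's restart.
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 12.34'
echo "sample: $(fv_state "$SAMPLE_STATUS")"

# Live check, only where the OS X tools are present.
if command -v fdesetup >/dev/null 2>&1; then
    live=$(fdesetup status 2>&1)
    echo "FileVault: $(fv_state "$live")"
    if has_recovery_hd "$(diskutil list 2>/dev/null)"; then
        echo "Recovery HD: present"
    else
        echo "Recovery HD: not found"
    fi
fi
```

A drive that reports `encrypting:<pct>` still holds unencrypted blocks, so treat the Mac as unprotected until the state reads `on`.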

How to disable FileVault 2

To turn off FileVault, simply return to the Security & Privacy system preference, click the padlock, enter your system password and then click the Turn Off FileVault button. FileVault will decrypt the hard drive the same way that it encrypted it.

Who should use FileVault 2?

To be clear, FileVault isn't something that everyone needs to use. Unless you absolutely need to protect the contents of your hard drive against anything but the most intensive forensic recovery, FileVault may be overkill. But if the need is there, it's reassuring to know that the option exists, and it's fairly easy to activate and deactivate as long as you follow the instructions.

Do you use FileVault? Will you? Let me know in the comments.

Peter Cohen

Mac Managing Editor of iMore and weekend Apple Product Professional at a local independent Apple reseller. Follow him on Twitter @flargh

Reader comments

What about performance? Aren't things slowed down with FileVault encrypting and decrypting everything as it is read from and written back to the drive?

I wonder (speculation) if we've gotten to the point where the CPU and, for many, SSD are fast enough that there is only a negligible and unnoticeable performance hit.

The first few months I had my rMBP (the Crystalwell version) I didn't enable FileVault on it. When I did, the only noticeable difference to me was that the boot-up screen changed to a lighter gray. Given I don't reboot a Mac that often I would say I know no difference.

Have not noticed any slowdown after enabling FV2.
Not even when doing TimeCapsule or Carbon Copy cloner backups.
(Late 2013 MBP with default 256GB SSD.)

Also, I enable FV2 on all the USB flash drives I use.
No noticeable delay on mount / copy / delete / dismount.

The CPUs in use these days have special dedicated commands just for this type of encryption, the CPU load doesn't show any increase even when writing out large files on an encrypted system. I've used it since it came out on a 2010 iMac with no performance hit.

Note that if you turn this on you should also turn on encryption for your Time Machine backup. Perhaps an article on how to do that is in order.

I think it is the AES-NI feature (instruction set) in the last few generations of Intel CPUs that helps speed this along.

Sent from the iMore App

I use FileVault 2 and I love it. Almost no performance hit and easy to set up and maintain. One thing to mention about FV2. If you set up Boot Camp and then try to delete the Boot Camp partition using the Boot Camp configuration, it will fail to resize your partition. You will have to disable FV2 first, then delete the Boot Camp install and it should then restore the previous partition sizes.

Sent from the iMore App

Quick question guys - hoping someone could help. We run OS X with Windows via VMware Fusion on our machines. We would only be wanting to encrypt certain folders rather than the whole system. Is there anything you guys would recommend for this? FileVault doesn't allow selective encryption I believe.

I'm unclear, based on what you've described, if the folders you want to encrypt are in the Windows virtual machine or on OS X.

Peter has a point. Whether the folders are in OS X, or within the VM, Mac encryption and Windows are probably not going to play nice. My method, in my other comment, is really only for Mac, but I assume it is possible to copy the ENTIRE VM to an encrypted dmg, since it's just a folder. I honestly don't advise this. I don't know how Parallels or VMware would handle it.

Perhaps a happy medium: I suggest you experiment by creating a small encrypted dmg, then see if you can share that dmg between OS X and the VM.

Hi guys, so sorry for not being clearer. OK, basically where I work, we run around 30 Macs with VMware Fusion running Windows 7. On the OS X side, we all have Dropbox which we use quite heavily. Seeing as though Dropbox is the only fileshare source that is not hosted internally, I was asked to encrypt (or find a solution that encrypts) our local OS X Dropbox folder. I am aware that Dropbox encrypts all their files anyway, but my boss is looking for a second local layer of encryption. We could be moving to Bootcamping these systems later down the track meaning Dropbox would be stored on Windows, but for the time being, it is on the OS X side. So I was 'specifically' looking for a solution to encrypt that folder. Hope this helps, and hope you can help :) AND thanks for replying.

To my knowledge, there is no way to individually select which folders to encrypt. You can, however, create a new Disk Image within your volume using the Disk Utility app, and encrypt that disk image. Now you simply put all the files you want to keep encrypted in that disk image. I don't know if this will work with your existing Windows folder, but I suppose it is possible to transfer everything in the VM folder to the encrypted dmg. The big catch with this solution is that you are stuck with the size you initially choose, meaning you better make sure you allocate enough storage because you can't make it bigger in the future. You also can't make it smaller, so make sure you have a large enough disk. You could, I suppose, when you're running out of space in that dmg, create a second larger disk image, transfer contents from A to B, then delete A. Also, now that I think about it, I assume Time Machine will have issues with this. IF it will back it up, it most likely will have to make a new copy every time, since TM likely can't read what's inside the encrypted dmg, but it will see that it was modified by the metadata of the image itself... Proceed at your own risk, and good luck!

I haven't noticed a performance hit either but I'm not a power user.

Posted via the Android iMore App!

Is FileVault 2 NSA/GCHQ proof? I know that technology exists but nobody uses it for some reason...

Peter might have added that the use of FileVault 2 disables "safe boot" and the recovery partition. This should not preclude the use of FileVault 2, but can cause problems when diagnosing computer problems.

Getting ready for a business trip to China next month. Who knows what might happen to my MBA going through customs over there (or coming back). FileVault 2 on!

Are you sure that the computer must have a recovery partition? I don't THINK I have one, but I know I've enabled FV2. I probably have a recovery partition, I suppose. I just know that I swapped the HDD for an SSD and installed fresh Mavericks from an ISO.

I just looked at Disk Utility, it shows my "120Gb" SSD as Capacity: 119.17Gb, Available: 16.8Mb, Used: 119.16Gb. This is with FV2 enabled. I don't think I have a recovery partition, unless it is inside the encrypted volume, which I would assume not. This is a 2010 Mac mini btw, with a DVD drive, so I installed Mavericks from a DVD ISO I created, so I don't really need the recovery partition.

Actually, this is normal. The reason for this is because of FV, it encrypted the entire drive as one disk image. Within that disk, I have only used about 32Gb including OS.

Sent from the iMore App

I chose to use iCloud password and not use a separate recovery key. Was this a mistake? It's not mentioned as an option anywhere online.

Yesterday, I began the FileVault process and also had the same question. I called Apple and they stated that the iCloud option means that our Apple ID password will be used instead of a new recovery key.

They also stated that a 4 digit PIN would be generated; according to the advisor, I would have to enter the PIN when restarting/powering on and then my usual Admin password.

However, Yosemite never asked me to create a PIN and I simply entered my login/admin password when restarting once the FileVault 2 encryption process was complete. Go figure. I assume that, if I ever needed it, I would need my Apple ID password to access the Mac.

Note: if you choose the iCloud password (i.e., Apple ID password) option, the advisor stated that, if you change your Apple ID password in the future, the FileVault password will STILL be the OLD Apple ID password you used when first turning on FileVault. So keep your old Apple ID password! (I keep it in 1Password etc.).

This tutorial should be updated.