What is FileVault and is it right for you?

If you've heard about data encryption, you may have wondered if encryption is something that you'd want to implement for your own data and computers. You might be on the fence on whether you should or shouldn't encrypt your data in this post-Snowden age. Or, you might be a health or business professional wanting to safely store client information. What ever your reason, Apple provides data encryption on macOS and Apple calls it FileVault. We're here to help you see if data encryption and FileVault is right for you.

What is data encryption

As a primer, encryption is the ciphering or scrambling of of your data in such a way that the only way to decipher or unscramble your data would be if you were in possession or have knowledge of the proper deciphering mechanism. It can be in the form of a key, long passcode, portable RFID chip or a combination.

What is FileVault

FileVault is Apple's implementation of encrypting your data on macOS and Mac hardware. It will encrypt all of your data on your startup disk (although you can also encrypt your Time Machine backups as well) and once enabled, it will encrypt your data on the fly and will work seamlessly in the background. It forces all uses to have to re-enter their password when waking from sleep or a screensaver and any non administrator accounts will require an administrator to log them in on first login to enable the encryption.

How does FileVault work

Enabling FileVault will prompt you for a password and you'll then have a choice to create a Recovery Key. or to be able to use your iCloud account as a cipher. The Recovery Key is the cipher that can be used to decrypt all of your data whether it be on your computer or if you put your hard drive in a new Mac. It is imperative that your Recovery Key be stored in a safe, non-local location such as a safe, safety box or cloud storage location such as 1password or iCloud. The iCloud account is less secure in the sense that your iCloud cipher is stored online and at least part of the cipher information is visible for all to see (i.e. your iCloud account). More on this below.

Why would you want to enable FileVault

If you have sensitive information on your Mac, such as patient information, industrial blueprints, or intellectual property you might want to consider using FileVault to encrypt your data. Perhaps you often travel with your MacBook and have personal information on it such as credit cards or bank information. Just having a strong password is not enough if you've physically lost your device. Swapping your hard disk into another PC, Mac or linux computer allows for direct data access if the contents are not encrypted.

Drawbacks of FileVault

There are some caveats when it comes to enabling FileVault.

First, encryption does take a toll on system resources. Mind you, todays, Macs are very powerful and the processor usage is negligible when encrypting and decrypting data on the fly. However, some older macs like my 2010 MacBook Air, has noticeable hiccups when opening and closing programs and files. As a result, my battery life is also affected.

Second, and we've made reference to this earlier, your Recovery Key must never be stored on the local disk exclusively. If you lose or misplace your Recovery Key, and you need to restore your data from backup or to another Mac due to hard drive failure, your data is gone forever. Apple does not have a backdoor or secret way to unlock your data. You are solely responsible for safeguarding your Recovery Key and making it available for restoration purposes. If you by chance use the iCloud option as a cipher for your encryption, then you'll have some help from apple in terms of requesting a password reset. However, this is inherently less secure in that you're placing your trust in Apple to make certain no one gets access to that cipher online.

Who might not want to enable FileVault

If you're the type of person that is less concerned with securing your data, but is more concerned with being able to restore lost data easily, then enabling FileVault might not be for you. Some non-power users simply store photos, music, or videos on their Macs and as such, the stress of not being able to recover your data due to a misplaced Recovery Key or a forgotten iCloud account name or password might outweigh the security aspect. Also, if you believe that encrypting and decrypting data on the fly on your Mac may prove to resource intensive, you might want to forego enabling FileVault until such time that your system specs can run FileVault with out a noticeable hit.

Encryption and backups

I was an IT and security administrator for many years. Most end users never truly understood that backups were not the be-all end-all of keeping your data protected. What most end users do not realize is that it's the recovery process that is much more critical and much more difficult than the backup process. Just because you've backed up your data, doesn't mean you'll be able to restore your data. Adding encryption on top of this stressful and critical process can prove to be overly complicated and difficult for what your data is worth. Rene wrote an excellent article describing this very scenario and the take away is that encrypting is not yet for everyone.

Enable FileVault

If you're ready to enable FileVault, follow our detailed guide or follow these quick steps.

  1. Launch System Preferences.
  2. Select Security & Privacy.
  3. Click the Lock icon to enable changes.
  4. Read the WARNING.
  5. Click Turn On FileVault.
  6. You must make a choice on whether you want to use your iCloud account as a key to unlock your encrypted disk or to create a recovery key. If you plan on having highly sensitive data that you want to ensure that no one but you can get access to, the select to create a recovery key. Otherwise choose to Allow my iCloud Account to unlock my disk.
  7. If you've chosen to create a recovery key you must store it in a safe place not on your hard drive where you'll be able to retrieve it for recovery purposes. Other wise your data will be unrecoverable.

The encryption will run in the background in realtime. You'll be able to use your Mac as you normally would in the meantime.

Disabling FileVault

Once your entire startup disk has been encrypted, you can at anytime turn off FileVault by selecting Turn Off FileVault in system preferences if you find it being too system resource intensive or if you don't think you need that level of security.

Anthony Casella