Use FileVault to Get Full Disk Encryption in Mac OS X
FileVault is an amazing disk level encryption feature that comes with Mac OS X. When it has been enabled, it encrypts everything, all disk contents, and actively encrypts and decrypts data on the fly, meaning any newly created data or document will instantly be encrypted as well. It’s fast and incredibly secure, using XTS-AES 128 encryption to keep things far out of the reaches of prying eyes.
Should you use FileVault or not?
FileVault is excellent and easy to use, and offers some enormous added security benefit, but it’s not for everyone. Most people just don’t need this intense level of security, and for many users going with a simple encrypted folder image for storing critical files is often a better solution. Whether or not you should use FileVault is entirely up to you and your individual security needs, but before enabling it, consider these two important considerations:
First, if you lose your password and the backup recovery key, your data is gone for good. That means your files could become unrecoverable, inaccessible – zip, gone, nada. This is because FileVault encryption is so powerful that nobody can break it in any reasonable amount of time (for earthlings anyway, 100,000 years is not reasonable). You can choose to store the recovery backup key with Apple, which helps to mitigate that risk a little bit, but that isn’t always an option for everyone. In other words, if you’re forgetful and prone to losing things, FileVault is probably not for you.
Second, because FileVault uses on-the-fly encryption, it can lead to a performance degradation on some Macs. This is particularly true older models and Macs with slower hard drives. For this reason, FileVault is best used on newer Macs, preferably those that are equipped with faster hard disks like SSD’s. SSD’s are quick enough that you’ll basically never notice the difference, whereas older 5400rpm drives can feel some delay, particularly when accessing larger files. If you really want fast performance with disk level encryption, FileVault is yet another great excuse to upgrade to an SSD, which are increasingly affordable and offer the best bang for the upgrade buck anyway.
If you’re comfortable with the password requirements, the recovery key, and have a speedy Mac for the best performance, and you feel like you need the utmost security on your Mac with disk level encryption, then let’s proceed to enable FileVault in OS X.
How to Enable FileVault Encryption on Mac
Turning on FileVault disk encryption is easy in Mac OS X:
- From the Apple menu open System Preferences and go to “Security & Privacy”
- Choose the “FileVault” tab and click the little lock icon in the lower left corner, then enter the administrator password
- Next, click the “Turn On FileVault” button to start the setup process
- Optional: if the Mac has multiple users or different user accounts, you will need to individually enable Filevault access for each user by entering that users password, this allows them to decrypt files not the disk – otherwise, those users will not be able to access the disk
- IMPORTANT: Make a note of the recovery key that is shown on the next screen and store it somewhere safe. This is the only way to regain access to the Mac if you forget the password – when finished click “Continue”
- RECOMMENDED: Choose “Store the recovery key with Apple” and answer the three questions, this is a backup plan of sorts in case you lose the recovery key, it allows you to contact Apple and get it from them
- When finished answering the questions and jotting down the Recovery Key somewhere safe, go ahead and click “Restart” to begin the drive encryption process
The FileVault recovery key is a 24 character alphanumeric password alternative that allows you to decrypt the drive in the event you forget a password. This is very necessary to store somewhere safe, because the typical methods of recovering Macs with forgotten passwords will not work, and it will otherwise be impossible to access data on the disk. It would be a good idea to store this somewhere physically accessible, like a safe, in addition to somewhere safe in the virtual world, be it in a password protected zip file in a web mail account sent to yourself, or somewhere else with multiple security layers that would make sense to store a set of random numbers. Just don’t make it too obvious, or else you’ll defeat the point of the encryption if anyone could find it.
For the highest possible security choosing “Do not store the recovery key with Apple” is valid, but for the average user that’s probably not a good idea. Thus, for the vast majority of average Mac users without incredibly high security needs (top secret data, super secrets, whatever), you are better off storing the recovery key with Apple.
After the initial reboot, things are going to be very slow while the hard drive and all contents are being encrypted. The best thing to do is just let this run and don’t use the computer, it seems to take between 5-15 minutes for every 50GB of used space on the drive, depending on the speed of the Mac and the speed of the drive itself.
Checking FileVault Encryption Progress
You can check the progress of the encryption by returning to the Security & Privacy preference panel and looking under the “FileVault” tab:
If you’re trying to find a specific process ID attached to encryption and decryption, it doesn’t really exist, instead the entire process is run under “kernel_task”, which is the Mac OS X kernel doing the work on both sides.
Disabling FileVault Encryption
Decided FileVault isn’t for you? You’re certainly not alone, and fortunately turning off FileVault is super easy, the only thing you’ll need is the administrator password and then follow these quick instructions:
- Go to System Preferences from the Apple menu and choose the “Security & Privacy” control panel
- Go to the “FileVault” tab, then click the lock icon in the corner to unlock the preferences
- Click the “Turn Off FileVault” button
FileVault will show a progress indicator as it decrypts the drive, and also will provide an estimated completion time. Typically this is about as long as it takes to encrypt the drive, so that could range from 10 minutes to 2 hours+, depending on the drive size, drive speed, and the speed of the Mac. It’s best to just let things sit while this happens, though you can use your Mac if you want to, performance may suffer a bit and feel sluggish with all the disk and CPU activity.
FileVault & General Security Precautions
Though FileVault is incredibly secure, it’s not a replacement for using traditional security measures as well. Always remember to lock your Mac when it’s not in use, and always password protect the Mac with screen savers and by requiring passwords on login and during system boot. Because backing up data is incredibly important, it can also be a good idea to encrypt external drives as well as protecting your Time Machine backups, particularly if they store sensitive data or documents from the primary Mac. Obviously there’s little point to having a very secure primary Mac but backups that are open for anyone to snoop around in should they come across them.
Is this all necessary for the average user? Probably not, but ultimately you will need to decide on what security precautions to take for your specific needs.
Some users may experience a Filevault stuck on “Encryption Paused” error situation. If this happens to you, updating OS X to the latest version available tends to resolve the problem, though sometimes to get around FileVault Encryption Paused messages you need to boot the Mac from a USB volume, unlock the drive (disabling Filevault), rebooting again, then re-enabling FileVault again.
Some users may need to run fsck on the volume as well:
Let us know in the comments if you have other tips and tricks with Filevault, and for troubleshooting!