Use FileVault to Get Full Disk Encryption in Mac OS X
FileVault is an amazing disk level encryption feature that comes with Mac OS X. When it has been enabled, it encrypts all disk contents and actively encrypts and decrypts data on the fly, meaning any newly created data or document will instantly be encrypted as well. It’s fast and incredibly secure, using XTS-AES 128 encryption to keep things far out of reach of prying eyes.
Should you use FileVault or not?
FileVault is excellent and easy to use, and offers an enormous added security benefit, but it’s not for everyone. Most people just don’t need this intense level of security, and for many users a simple encrypted folder image for storing critical files is often a better solution. Whether or not you should use FileVault is entirely up to you and your individual security needs, but before enabling it, consider these two important points:
First, if you lose your password and the backup recovery key, your data is gone for good. That means your files could become unrecoverable, inaccessible – zip, gone, nada. This is because FileVault encryption is so powerful that nobody can break it in any reasonable amount of time (for earthlings anyway, 100,000 years is not reasonable). You can choose to store the recovery backup key with Apple, which helps to mitigate that risk a little bit, but that isn’t always an option for everyone. In other words, if you’re forgetful and prone to losing things, FileVault is probably not for you.
Second, because FileVault uses on-the-fly encryption, it can lead to a performance degradation on some Macs. This is particularly true of older models and Macs with slower hard drives. For this reason, FileVault is best used on newer Macs, preferably those that are equipped with faster disks like SSDs. SSDs are quick enough that you’ll basically never notice the difference, whereas older 5400rpm drives can feel some delay, particularly when accessing larger files. If you really want fast performance with disk level encryption, FileVault is yet another great excuse to upgrade to an SSD; they are increasingly affordable and offer the best bang for the upgrade buck anyway.
If you’re comfortable with the password requirements, the recovery key, and have a speedy Mac for the best performance, and you feel like you need the utmost security on your Mac with disk level encryption, then let’s proceed to enable FileVault in Mac OS X.
How to Enable FileVault Encryption on Mac
Turning on FileVault disk encryption is easy in Mac OS X:
- From the Apple menu open System Preferences and go to “Security & Privacy”
- Choose the “FileVault” tab and click the little lock icon in the lower left corner, then enter the administrator password
- Next, click the “Turn On FileVault” button to start the setup process
- Optional: if the Mac has multiple users or different user accounts, you will need to individually enable FileVault access for each user by entering that user’s password. This allows them to decrypt files, not the disk; otherwise, those users will not be able to access the disk
- IMPORTANT: Make a note of the recovery key that is shown on the next screen and store it somewhere safe. This is the only way to regain access to the Mac if you forget the password – when finished click “Continue”
- RECOMMENDED: Choose “Store the recovery key with Apple” and answer the three questions. This is a backup plan of sorts in case you lose the recovery key; it allows you to contact Apple and get it from them
- When finished answering the questions and jotting down the Recovery Key somewhere safe, go ahead and click “Restart” to begin the drive encryption process
The FileVault recovery key is a 24 character alphanumeric password alternative that allows you to decrypt the drive in the event you forget a password. This is very necessary to store somewhere safe, because the typical methods of recovering Macs with forgotten passwords will not work, and it will otherwise be impossible to access data on the disk. It would be a good idea to store this somewhere physically accessible, like a safe, in addition to somewhere safe in the virtual world, be it in a password protected zip file in a web mail account sent to yourself, or somewhere else with multiple security layers that would make sense to store a set of random numbers. Just don’t make it too obvious, or else you’ll defeat the point of the encryption if anyone could find it.
For the highest possible security choosing “Do not store the recovery key with Apple” is valid, but for the average user that’s probably not a good idea. Thus, for the vast majority of average Mac users without incredibly high security needs (top secret data, super secrets, whatever), you are better off storing the recovery key with Apple.
After the initial reboot, things are going to be very slow while the hard drive and all contents are being encrypted. The best thing to do is just let this run and not use the computer. It seems to take between 5-15 minutes for every 50GB of used space on the drive, depending on the speed of the Mac and the speed of the drive itself.
Checking FileVault Encryption Progress on Mac
You can check the progress of the encryption by returning to the Security & Privacy preference panel and looking under the “FileVault” tab.
If you’re trying to find a specific process ID attached to encryption and decryption, it doesn’t really exist. Instead, the entire process is run under “kernel_task”, which is the Mac OS X kernel doing the work on both sides.
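The same progress check can be scripted from Terminal with `fdesetup status`, which matters for audits because a disk that is still converting is not yet fully protected. The following is an added example, not part of the original article; the status strings it parses are assumptions based on the constructed samples embedded in the script, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify FileVault state from `fdesetup status` text.
# Assumption: the status text resembles the constructed samples below.

# fv_state TEXT -> on | off | encrypting:<pct> | decrypting:<pct> | unknown
fv_state() {
    text=$1
    # Pull the first "Percent completed = N" figure, if any.
    pct=$(printf '%s\n' "$text" |
        sed -n 's/.*Percent completed = \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    # Check the in-progress lines first: a converting disk may also
    # report "FileVault is On." on the line above.
    case $text in
        *"Encryption in progress"*) printf 'encrypting:%s\n' "${pct:-?}" ;;
        *"Decryption in progress"*) printf 'decrypting:%s\n' "${pct:-?}" ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# fv_compliant TEXT -> exit status 0 only when encryption has finished.
# A partially encrypted disk still holds plaintext blocks, so it fails.
fv_compliant() {
    [ "$(fv_state "$1")" = on ]
}

# Constructed sample outputs (not captured from a real Mac).
SAMPLE_ON='FileVault is On.'
SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_OFF='FileVault is Off.'

# On a Mac, report the live state; on other systems this is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    live=$(fdesetup status 2>/dev/null)
    echo "FileVault state: $(fv_state "$live")"
fi
```

An empty or unrecognised status is reported as `unknown` rather than treated as encrypted, so a failed command never counts as a pass.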
Disabling FileVault Encryption on a Mac
Decided FileVault isn’t for you? You’re certainly not alone, and fortunately turning off FileVault is super easy. The only thing you’ll need is the administrator password; then follow these quick instructions:
- Go to System Preferences from the Apple menu and choose the “Security & Privacy” control panel
- Go to the “FileVault” tab, then click the lock icon in the corner to unlock the preferences
- Click the “Turn Off FileVault” button
FileVault will show a progress indicator as it decrypts the drive, and will also provide an estimated completion time. Typically this is about as long as it takes to encrypt the drive, so that could range from 10 minutes to 2 hours+, depending on the drive size, drive speed, and the speed of the Mac. It’s best to just let things sit while this happens. You can use your Mac if you want to, but performance may suffer a bit and feel sluggish with all the disk and CPU activity.
FileVault & General Security Precautions
Though FileVault is incredibly secure, it’s not a replacement for using traditional security measures as well. Always remember to lock your Mac when it’s not in use, and always password protect the Mac with screen savers and by requiring passwords on login and during system boot. Because backing up data is incredibly important, it can also be a good idea to encrypt external drives as well as protecting your Time Machine backups, particularly if they store sensitive data or documents from the primary Mac. Obviously there’s little point to having a very secure primary Mac but backups that are open for anyone to snoop around in should they come across them.
Is this all necessary for the average user? Probably not, but ultimately you will need to decide on what security precautions to take for your specific needs.
FileVault Troubleshooting
Some users may find FileVault stuck on an “Encryption Paused” error. If this happens to you, updating OS X to the latest version available tends to resolve the problem, though sometimes to get around FileVault Encryption Paused messages you need to boot the Mac from a USB volume, unlock the drive (disabling FileVault), reboot again, then re-enable FileVault.
Some users may need to run fsck on the volume as well:
fsck_cs diskID
Let us know in the comments if you have other tips and tricks for FileVault, and for troubleshooting!
Does FileVault encrypt free space, or just used space?
Warning to anyone wanting to use FileVault: it can take a REALLY long time to encrypt. I’m running FileVault on a relatively-clean Mac (erased all of the previous owner’s data from it), left it overnight to do its thing, and it STILL says it has “More than 1 day remaining”. Granted, this is a relatively old machine (2011 MacBook Pro), but still…
True,
My iMac has 158GB of disk used. I started FileVault last night, and this morning it is still saying more than a day remaining.
My Mac’s FileVault is stuck in encryption mode and it will not let me turn it off. It says I have to wait for the encryption to finish before it can be turned off. I already have the latest version. My computer is unbearably slow now. What can I do to help it finish? Can I shut it off and take it to be fixed?
I’m having trouble backing up my computer with FileVault turned on, and it won’t let me turn it off. Every time I try to decrypt I get an error message stating “Turning off FileVault requires an additional 265.7 GB of free disk space.” So that’s just shy of everything I have on the computer. What’s the deal? Am I missing something?
JR, it sounds like you are running an older version of Mac OS X with FileVault. This is kind of a weird issue but here is some info about the “There isn’t enough space on your hard disk…” alert error message you are seeing:
https://support.apple.com/en-us/HT203223
You might have success with Time Machine if you enable encryption on Time Machine as well.
If your Mac is new enough with sufficient RAM and SSD, it may be a good idea to update it to the latest Mac OS X release, or to Mavericks. Skip Yosemite, but El Capitan is possible too. Personally I like Snow Leopard on older Mac hardware, but FileVault isn’t as smooth on that release. Otherwise maybe disabling FileVault is sufficient.
I forgot my EFI password. If I reinstall a new hard drive, will it restart all new without the password? Please help, I have school in 9 days :( Thank you so much
A great tip. Some further thoughts:
1.) If you activate FileVault on a machine acting as a server, it cannot automatically restart in the event of a power failure and the like, since it requires the password.
2.) You can manually restart a machine with FileVault enabled in an authenticated manner which temporarily disables the need for a password – sudo fdesetup authrestart – but obviously, you cannot set it to do this every time and still benefit from disk encryption.
3.) Without FileVault or some other full disk encryption, getting around your user account password is as simple as booting into recovery mode and resetting the password from there – if you are happy with the idea that, if your Mac gets stolen, or you lose it, anyone can get access to all your files, your email accounts in Mail and so on, within minutes, don’t worry about FileVault! (Encrypting files / directories is good, but, obviously, does not protect everything.)
I have lost my password. Is there any solution before I format my disk?
Will this affect performance?