Endpoint Protection: Encrypt your Mac using FireVault 2


FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.


Before you begin - things to consider:

Make sure your Mac is running OS X Lion (10.7) or later.

When FileVault is turned on, your Mac will always require that you log in with your account password. 

How to Enable:

Choose Apple menu (in the top left corner of your screen) > System Preferences, then click Security & Privacy.

Click the FileVault tab.

Click the Lock button (in the bottom left corner of the window), then enter an administrator name and password.

Click Turn On FileVault.

If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. For each user, click the Enable User button and enter the user's password. User accounts that you add after turning on FileVault are automatically enabled.


Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:  

  • If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.*
  • If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.*
  • If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk. ITS recommends this options, as it is the most secure choice.
    • NOTE: You will be shown a 24-character personal recovery key. Copy and record this key in a secure, but physically retrievable, location. Do not store the key on the encrypted computer.


NOTE: If you lose or forget both your account password and your FileVault recovery key, you won't be able to log in to your Mac or access the data on your startup disk.


When FileVault setup is complete, your Mac restarts and asks you to log in with your account password. Your password unlocks your disk and allows your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.


NOTE: A computer encrypted with FileVault will display a login screen showing only the users that can unencrypt the computer. As a security measure, if the login screen is left inactive for approximately five minutes, the computer will shut down automatically.


After your Mac starts up, encryption of your startup disk occurs in the background as you use your Mac. This takes time, and it happens only while your Mac is awake and plugged in to AC power. You can check progress in the FileVault section of Security & Privacy preferences. Any new files that you create are automatically encrypted as they're saved to your startup disk. If you reboot or shutdown while the disk is being encrypted, the process will continue where it left off. Note the drive is not fully encrypted until the process has completed.


Print Article


Article ID: 25007
Thu 2/16/17 9:43 AM
Thu 11/30/17 4:49 PM