FileVault is one of my favorite out-of-the-box features of Mac computers. FileVault is Apple’s built-in disk encryption utility. Recently Apple has been publicly leading the way on encryption and privacy issues, and when you dig into the features it becomes obvious that this focus is not a mere afterthought. While on the surface it seems simple, FileVault provides far more robust capabilities than you might imagine. Unfortunately, some of these options are not immediately apparent. I recently began exploring some of them. Due to the amount of information, this will be another multi-part series. Today we will cover FileVault full volume encryption.
FileVault Full Volume Encryption
FileVault is advertised as a way to protect your hard drive. While older versions of FileVault (OS X 10.3 and older, referred to as legacy FileVault) did not fully encrypt the disk, the current version does. The entire hard drive is encrypted, protecting the OS, applications, files, metadata, and anything else stored on the disk. I am a huge proponent of full disk encryption (FDE) because of its protection and ease of use. With FDE enabled, encryption is transparent to the end user. He or she enters the boot passphrase, and that’s it. There is no complicated software to learn and no additional steps to take. However, a performance penalty is incurred when using disk encryption. This penalty is probably invisible to most users, but power users or users with aging machines may experience significant slowdowns. Still, I strongly recommend enabling FileVault full volume encryption.
Enabling FileVault Full Volume Encryption
Using FileVault full volume encryption is incredibly easy. First, open System Preferences and click the “Security & Privacy” icon. From within this menu, click the “FileVault” tab. If FileVault is already turned on for your system, this will be indicated here. If it is not, click the “Turn on FileVault” button. A popup will appear asking where you would like to store your recovery key. The recovery key is a 24-digit alphanumeric code that can be used to recover your data if you lose or forget your password. You should protect this key as well as you protect your password.
The first option stores this key in your iCloud account. I recommend choosing the second option: “Create a recovery key and do not use my iCloud account”. This means that your recovery key will only be stored locally, in the place of your choosing. It should NOT be stored on the computer that it protects: if you ever need the key, that computer is exactly the one you cannot unlock to read it. Recovery keys stored in your iCloud account may be vulnerable to data breaches and are accessible to Apple.
After you have recorded your recovery key, you will be asked to choose which users are able to unlock the disk and boot the machine. I recommend that you have two administrator accounts on your system before proceeding. This allows you to have one administrator account that can unlock the system. The other can have a shorter password and be used for day-to-day administration tasks, without requiring you to enter a very long password. Of course this requires that you log in to one account to boot the machine, then immediately log out and log in to the other account, but this is a small price to pay.
When the process has been completed the “Turn on FileVault” button will be greyed out. The FileVault screen will also indicate that a recovery key has been set, and that some users cannot unlock the disk. Your hard drive is now fully protected by FileVault full volume encryption.
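A quick way to confirm from the Terminal that the end state described above actually holds (FileVault on, a personal recovery key set, and only the dedicated unlock account able to unlock the disk). This is an added example, not code from the original post; it assumes macOS’s fdesetup(8) and the output formats noted in the comments, and the account names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes macOS fdesetup(8) output:
# "fdesetup status" -> "FileVault is On."/"FileVault is Off."; "fdesetup list" (root)
# -> one "username,UUID" line per unlock user; "fdesetup haspersonalrecoverykey" -> true/false

# Return 0 when captured "fdesetup status" output reports FileVault on.
fv_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Print the usernames from captured "fdesetup list" output, one per line.
fv_enabled_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Print unlock-enabled users NOT in the space-separated allow list $1 (per the
# post, only the dedicated unlock account should be able to unlock the disk).
fv_unexpected_users() {
  allow=$1
  fv_enabled_users "$2" | while IFS= read -r u; do
    case " $allow " in
      *" $u "*) ;;              # expected account, say nothing
      *) printf '%s\n' "$u" ;;  # extra account that can unlock the disk
    esac
  done
}

# Verdict: 0 = configured as the post describes, 1 = FileVault off, 2 = extra unlock users.
fv_audit() {
  fv_is_on "$2" || return 1
  [ -z "$(fv_unexpected_users "$1" "$3")" ] || return 2
}

if command -v fdesetup >/dev/null 2>&1; then
  status_out=$(fdesetup status)
  list_out=$(sudo fdesetup list)
  prk_out=$(sudo fdesetup haspersonalrecoverykey)
else
  # Constructed sample output so the script also runs where fdesetup is absent.
  status_out='FileVault is On.'
  list_out='unlockadmin,11111111-1111-1111-1111-111111111111
dailyadmin,22222222-2222-2222-2222-222222222222'
  prk_out='true'
fi
rc=0
fv_audit "unlockadmin" "$status_out" "$list_out" || rc=$?
echo "FileVault on: $(fv_is_on "$status_out" && echo yes || echo no)"
echo "personal recovery key set: $prk_out"
echo "unlock accounts: $(fv_enabled_users "$list_out" | tr '\n' ' ')"
echo "audit result: $rc (0=ok, 1=FileVault off, 2=unexpected unlock accounts)"
```

With the constructed sample, the audit returns 2 because the day-to-day account can also unlock the disk; on a real Mac, replace "unlockadmin" with the name of your own unlock account.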
As I mentioned in the full disk encryption primer, FileVault is actually a full volume encryption application. This means that the computer can begin booting before the decryption key is entered. It also means that your user account password is your decryption key, and there is no need to create an additional password. In spite of this, FileVault full volume encryption is still my preferred option for protecting data at rest on my Macs. The encryption is made for the hardware, and it works very well.