Understanding FileVault

FileVault is a feature of macOS that offers full-disk encryption for your Mac. This protects your files if someone were to steal your Mac. Without FileVault, someone with possession of your Mac's hard drive could view the data in your files. With FileVault, that data is encrypted and can't be read. It is unlikely that you will need FileVault, but it is still recommended if you are using a portable MacBook that could easily be stolen. Some companies also have policies that force employees to use disk encryption.

Video Transcript
So let's talk about FileVault. FileVault is a feature in Mac OS that is full disk encryption for the startup disk. What does this mean? Well, it means basically without FileVault all the files on your drive are there unencrypted. So anybody with access to the drive can read them. But nobody has access to the drive except for you because it's in your possession inside of your Mac. Right. This means for the most part files are safe. However, even if you have a password set it still doesn't mean the files there are encrypted. Setting a password in this case is kind of like locking your door. Right. It prevents somebody from getting into your house but once they get through the door they have access to everything.

Now what can happen with a computer is even though they don't have your password and they can't actually get into your Mac they can actually pull the drive out of your Mac if they have it in their possession and plug it into another computer and access all the files and if they're unencrypted they can read all of your data. Now that sounds kind of like a spy movie. Right. Somebody stealing your Mac, taking the drive out, hooking it up to another computer just to access your files. It is kind of like that. In most cases that's not going to happen. Somebody steals your Mac they're not really interested in the files there. What are they going to do? Get your credit card numbers and other information. There are easier ways to get financial information like that from other people. They don't need to go to the great lengths of stealing a computer and opening it up and using high tech stuff to be able to access the files.

But this is what FileVault protects you against. Now with FileVault all the files are encrypted so the data can't be accessed. If they have the drive out of your computer it's all just bits that they can't read because they don't have the key to decrypt the files. So it's useless to them. Now someone with your password can decrypt it just like they can get into your computer. So it doesn't protect you from somebody getting your password. They get your password they can type it into your computer just like you can and have access to all your files. Also in addition to that you can be in trouble if you forget your password. If you forget your password and you're not using FileVault then there is a way to at least recover your data. But if it's all encrypted using your password then, of course, just as bad guys can't get to your data, good guys can't get to it either to help you out.

So why use FileVault? Well, the main thing it protects you against is if your Mac is stolen it prevents your data from being accessed. So this is most useful, definitely, in MacBooks. Right. A desktop Mac is probably in your house and locked up. It's not vulnerable to being stolen very easily. Whereas a MacBook is very vulnerable to being stolen. It could be stolen from you in the library. It could be stolen from you while traveling. It can be stolen from your carry-on while in an airport. All sorts of ways somebody can snatch your laptop. By far the most stolen computers are laptops. So it's something to seriously consider if you're using a MacBook.

Another thing is that a lot of companies have policies where they say you have to have data encrypted and not just on the company computers but maybe even on your personal ones because you're getting emails and everything from your work. Their policy may be that you need to have data encryption turned on and for a Mac that means FileVault. That's one of the main reasons people use it.

So to turn on FileVault it's actually pretty easy. I haven't done a tutorial on it up to now because there's really nothing to it. Go to System Preferences, Security and Privacy, FileVault. There's a turn on FileVault button. You probably have to hit the little padlock at the bottom left because you need to authenticate so you can actually do things like turn on FileVault. But once you do that you just turn on FileVault and you get two options. One is to use your iCloud account to unlock the disk in case of an emergency. So you forget your password. How do you get into your data? There are two ways. One is using your iCloud account and that's a great way to do it. Chances are you're probably using iCloud for lots of things and you know your iCloud password and that's a good backup.

If you're not using iCloud for some reason you can create a backup recovery key. In other words it's basically a backup password and you would print that out and store it somewhere and in an emergency you can use that if you forget your password. Once you set up FileVault it's turned on and basically it's all set up like this and you've got a turn off FileVault button in place of the turn on one. That's it. Now it does take a while to encrypt your data. I mean if you've got a drive that's got 100 GB worth of stuff it's got to go and basically copy all 100 GB from one part of the drive to another part of the drive, file by file, encrypting each one. Once that is done then the encryption works automatically. You save a file it gets encrypted. You open a file it's decrypted. It happens quickly, automatically, you don't notice it. It doesn't slow down your Mac at all.

Now there used to be problems with FileVault that may make people very shy about using it. FileVault has been around for a long time and originally there were problems, say, slowing down your Mac. Having to decrypt a file every time you used it or encrypt it every time it saved it. Particularly it was troublesome if you were editing video where there were always files being read and written. But those aren't problems anymore. Also a lot of people had trouble, originally, with there being problems when you would turn it on. It would go through the encryption process that might take a day to do that and there could be a problem and you lose all your data. That's easily solved by backing up. Something I still recommend even though this rarely happens today. Also it takes a while to switch. It used to take a long time to actually encrypt all your files if it was something you hadn't done and now you're switching to it. It was a problem because it took a while. Of course there was the problem of forgotten passwords. If you forget a password there's no way for you to get back. Now you have those two ways using iCloud or recovery key. So just make sure you have those set up before doing it.

Here are my recommendations about using FileVault. First you should really consider it for all MacBooks. If you have a MacBook chances are you take it out of the house it's very vulnerable to being stolen. Chances are very slim if somebody steals it they're going to try to access the data. They're probably just going to wipe it and try to resell the machine or use it themselves. They don't care about your data. It's not worth it to them to go to all the trouble to possibly get, what, maybe an old credit card number or credit card that you already cancelled. So it's not really a concern. But definitely for MacBooks this is where I do it all the time. 100% for MacBooks.

For desktops it's a little more optional. If it's in a really secure location then it probably doesn't make too much difference although people concerned about security will still do it on every Mac. It's very best to do it from the start. So you get a new Mac. Turn FileVault on right away and then there's no issue. It's tough when you have to switch and then it has to encrypt all that data. So before switching make sure you back up. You're backing up anyway, right? So make sure you've got any backups that you do all up to date just in case there's a problem. I recommend doing that before any big change like an OS upgrade or anything you're going to do. Also, give yourself some time because it still takes a little bit of time to do the transfer from all the clear files that are unencrypted to the encrypted files. So do it as a last thing before the end of the day or on Friday night and all of that.

Also if you're going to go to this measure of using FileVault also look at your backups. Whatever backup software you're using, like Time Machine, there's probably an encryption option. It's not very useful if, say, you've got your iMac on your desk and that's all encrypted with FileVault and your Time Machine backup sitting next to it isn't because then your data there isn't encrypted. It probably doesn't make any difference, really, but if you're going to encrypt everything then encrypt everything.

Now my advice for typical Mac users this isn't something you need to stress about either way. If you're not using FileVault now it's not something you need to go and immediately do. Chances are you probably have maybe some weak passwords and some other security things that are much more of a priority than turning FileVault on. So don't stress over this too much if you're not using FileVault now. Maybe do it when you get around to it or the next time you get a new Mac.

Now if you want more information about FileVault and some of the details here are a couple links to pages at Apple sites that go into detail about what FileVault is and how to get it set up and deal with any changes.

Links: Use FileVault to encrypt the startup disk on your Mac, Encrypt Mac data with FileVault
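
To confirm from Terminal what the transcript describes (FileVault on, and the initial encryption pass actually finished), here is an added example that is not part of the original video or page. It classifies the text printed by `fdesetup status`; the phrases it matches and the sample outputs are assumptions constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether the startup disk is fully protected,
# based on the text printed by `fdesetup status`.
# Assumption: the phrases matched below reflect that tool's wording.

classify_filevault() {
    # $1: full text of `fdesetup status`
    # Progress lines are checked first: "On" plus "in progress" means
    # part of the disk is still readable in the clear.
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Succeeds (exit status 0) only when encryption is on and complete.
filevault_compliant() {
    [ "$(classify_filevault "$1")" = "encrypted" ]
}

# Constructed sample outputs, used when fdesetup is not available.
SAMPLE_ON='FileVault is On.'
SAMPLE_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_OFF='FileVault is Off.'

audit_filevault() {
    if command -v fdesetup >/dev/null 2>&1; then
        status_text=$(fdesetup status 2>&1)
    else
        echo "fdesetup not found; using a constructed sample" >&2
        status_text=$SAMPLE_PROGRESS
    fi
    echo "FileVault state: $(classify_filevault "$status_text")"
    filevault_compliant "$status_text"
}

audit_filevault || echo "Startup disk is not fully encrypted yet"
```

A laptop that reports "On" while encryption is still in progress is treated as not yet protected, which matters if the Mac leaves the house before the first pass completes.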

Comments: 9 Responses to “Understanding FileVault”

    SCERRI Emmanuel
    1/10/19 @ 9:53 am

    Thanks. That was a nice summary. Have a good day. Emmanuel in FRIBOURG Switzerland

    Carl Hammel
    1/10/19 @ 4:08 pm

    I have FileVault activated on my 2013 MB Pro running Mojave and I have encrypted my TM back up and the clone of my internal SSD. Question: Is it not possible to get around FileVault by booting in Recovery Mode and resetting the admin password?

    1/10/19 @ 4:12 pm

    Carl: No. That will not work if you have FileVault turned on. FileVault wouldn’t be worth anything if it did.

    Carl Hammel
    1/11/19 @ 6:13 am

    Thanks for responding, Gary. I just booted in Recovery Mode for the first time since turning on FileVault and saw: Firmware password protection is off. Turn on firmware password… Is this something we should all do if we decide to turn on FileVault? Carl.

    1/11/19 @ 7:31 am

    Carl: Setting a firmware password adds another layer of security, yes. Just make sure you save that password in a few places and never lose it!

    John Stires
    1/16/19 @ 4:32 pm

    Hi Gary, Would not requiring a computer password after say, 15 minutes of non use, virtually accomplish the same thing(s)?

    John Stires
    1/16/19 @ 4:35 pm

    Ready, fire, aim! I get it; sorry for the hiccup between my ears; cheers.

    Lee Siegman
    1/17/19 @ 3:57 pm

    Hi Gary. I just bought a new MacBook Pro and have ascertained that FileVault is on. I don’t recall choosing the option to utilize my iCloud account to access my data, as opposed to a recovery key. How do I find out and how do I use the iCloud account to do it. Also, I set up Time Machine but did not select the encryption option. How should I proceed? Thanks for the great tips.

    1/17/19 @ 4:15 pm

    Lee: I think the only way to switch recovery methods is to go to the extreme of shutting off FileVault and then reinstating it with the different option. For Time Machine, you’d need to start your Time Machine backup from scratch.
