Encrypting Your Mac with FileVault2: Everything You Need to Know

A man’s Mac is his castle: you probably don’t want anyone to interfere with the peace of the confidential documents, financial information, private pictures and passwords stored on it. But what will happen if your laptop got stolen? Or you simply left it behind at a bus station in a mad rush to work? Ouch, this is exactly when the “fun” begins. Knowing that someone may have access to your important data is, to say the least, pain in the neck. Even if you have a strong password, bypassing it is no big whoop for an experienced hacker. So, if you really want to keep your Mac’s data away from prying eyes, you may consider never ever leaving it unattended, or, what sounds more plausible, choose some advanced protection option. The Cupertino company offers their own solutions for keeping your data safe, and among them is a full-disk encryption feature called FileVault2, which has been around since the introduction of Mac OS X 10.7 Lion. But is this technology worth relying on? What about its strengths and weaknesses?

FileVault2 protects the entire contents of your Mac’s startup drive by converting it into some unreadable code. For this purpose, it employs the 128-bit AES encryption algorithm (256-bit keys are supported as well, but only by the macOS versions starting from OS X 10.9). Whenever your Mac boots up, you are required to input a password to decipher it, otherwise, the data will remain unreadable. Once you’ve entered the password, the system works as usual, with one exception: every piece of data read from and written to the disk is encrypted and decrypted on the fly. When you shut down or restart the system, the drive gets locked again.


When first enabled, FileVault2 will also generate a special backup recovery key which consists of 24 random letters and numbers. You can use it to unlock the disk if you accidentally lose or forget your password. It’s highly important that it doesn’t fall into wrong hands, so having it in an easily accessible place is like keeping the extra key of your house under the front door mat.

FileVault2 is built into the operating system (you may already be using it since in the latest macOS versions it is activated by default). To turn the utility on, you are to click on the Apple icon at the top of your screen, open “System Preferences”, click on the “Security & Privacy” icon and switch to the FileVault tab. Click the “Turn On FileVault” option to enable FileVault. After configuring it, you will need to reboot your computer and FileVault2 will start encrypting your hard disk. Be ready that the process will take a considerable amount of time, and although it is conducted in the background which allows you to continue working on your Mac, the computer will probably act like a real slowpoke, as encryption will be eating up most CPU resources. Moreover, see to it that your Mac remains plugged in all this time, for once the conversion is started, interrupting it is certainly a bad idea. When the process is completed, your startup drive gets protected with a quite intense level of security.

Besides, FileVault2, if configured to use your iCloud account, paired with Find My Mac can be your ace in a hole in case your laptop is stolen. When the computer is booted via Guest mode and connected to a network (your Mac may even automatically connect to a known WiFi hotspot), using Find My Mac you can erase it together with the stored encryption key, making the drive completely unrecoverable, even by you.


Yet, there are always two sides of every coin, and encrypting your Mac with FileVault has a lot of pitfalls you should be aware of.

To begin with, one key that encrypts the entire hard drive is obviously not enough to make your Mac completely secure. Once the drive is powered on, it gets vulnerable again, for example to various attacks over a network. You can still bump into a malicious website or be tricked into installing some malware that can compromise your data. Hence, if someone is eager to obtain your files, they will probably find a way.


Secondly, allowing to use your iCloud account to unlock the disk, even though adding an extra layer of convenience and providing additional features, poses a big risk, since you leave the door wide open for anyone who obtains your iCloud account information. If you decide to store your recovery key in your iCloud account, Apple encrypts it using your answers to a series of secret questions, which also doesn’t give an impression of an extremely high security level.


Thirdly, as FileVault2 employs on-the-fly encryption, it can lead to significant performance degradation. This is particularly the case for older Macs with slower spinning hard drives, so if you own one of those, think whether the game is worth the candle.

Moreover, if you’re prone to forgetting and losing things, FileVault2 is probably not your best option. Losing your password and backup recovery key makes your drive permanently inaccessible and your data in no way recoverable. One can assume that protecting your data from your own self is not what you’re trying to do.


Furthermore, the data stored on an encrypted drive, while being protected from an unauthorized access, still remains unprotected from failures within the drive itself, which happen due to various reasons: power fluctuations and shutdowns can damage the drive of your iMac as the system doesn’t have a built-in battery, or your MacBook’s hard disk may get physically damaged after the laptop is dropped or crashed, let alone logical errors, that may suddenly sneak in from nowhere. In view of the fact that the encryption key is stored somewhere on the drive, it can be damaged or lost likewise any other data, which will make the entire disk remain encrypted, therefore, inaccessible.

Fortunately, some sophisticated data recovery utilities like Recovery Explorer Professional, recognize a variety of encryption algorithms, including the one used by FileVault2, and make data recovery from such an encrypted storage possible. Anyway, to reduce the risk of errors, before enabling full-disk encryption it is recommended to conduct an appropriate health check of the hard drive. Ensure that your machine is clean and operates properly by running Disk Utility several times: A highly fragmented disk should be defragmented, while the one containing many bad sectors should not be encrypted at all, for it will probably fail soon.


All in all, considering the points mentioned above, FileVault2 can do quite a good job keeping your sensitive data locked away, but this method of protection is certainly not without flaws, so when enabling it, you should be ready that one day it may spring a mine on you.

Share This Story

Get our newsletter