Using Disk Encryption With Mac OS X

FileVault 2, introduced with OS X Lion, offers full disk encryption to protect your data and keep unauthorized users from retrieving information from your Mac's drive.

Once you encrypt your Mac's startup drive with FileVault 2, anyone who doesn't have the password or recovery key will be unable to log in to your Mac or access any of the files on the startup drive. Without the log-in password or recovery key, the data on your Mac's startup drive remains encrypted; in essence, it's a confusing scramble of information that makes no sense.

However, once your Mac boots up and you log in, the data on your Mac's startup drive is once again available. That's an important point to remember: once you unlock the encrypted startup drive by logging in, the data is readily available to anyone who has physical access to your Mac. The drive is only locked again when you shut down your Mac.

Apple says that FileVault 2, unlike the older version of FileVault introduced with OS X 10.3, is a full disk encryption system. That's almost correct, but there are a few caveats. First, OS X Lion's Recovery HD remains unencrypted, so anyone can boot to the Recovery partition at any time.

The second issue with FileVault 2 is that it only encrypts the startup drive. If you have additional drives or partitions, including a Windows partition created with Boot Camp, they will remain unencrypted. For these reasons, FileVault 2 may not meet the stringent security requirements of some organizations. It does, however, fully encrypt your Mac's startup partition, which is where most of us (and most applications) store important data and documents.

Setting Up FileVault 2

Even with its limitations, FileVault 2 provides XTS-AES 128 encryption for all of the data stored on a startup drive. For this reason, FileVault 2 is a good choice for anyone who is concerned about unauthorized individuals accessing their data.

Before you turn on FileVault 2, there are a few things to know. First, Apple's Recovery HD partition must be present on your startup drive. This is the normal state of affairs after installing OS X Lion, but if for some reason you removed the Recovery HD, or you received an error message during installation telling you that the Recovery HD wasn't installed, then you won't be able to use FileVault.

If you plan to use Boot Camp, be sure to turn FileVault 2 off when you use Boot Camp Assistant to partition and install Windows. Once Windows is functional, you can turn FileVault 2 back on.

Continue reading for complete instructions on how to enable the FileVault 2 system.

Step-by-Step Guide to Enabling FileVault 2

With the background on FileVault 2 out of the way (see above for more info), there are a few preliminary tasks to perform, and then we can turn on the FileVault 2 system.

Back Up Your Data

FileVault 2 works by encrypting your startup drive when you shut down your Mac. As part of the process of enabling FileVault 2, your Mac will be shut down and the encryption process will be performed. Should something go wrong during the process, you may find yourself locked out of your Mac, or at best, reinstalling OS X Lion from the Recovery HD. If that happens, you'll be very glad you took the time to perform a current backup of your startup drive.

You can use any backup system you like; Time Machine, Carbon Copy Cloner, and SuperDuper are three popular backup utilities. The important thing is not the backup tool you use, but that you have a current backup.

Enabling FileVault 2

Although Apple refers to its full disk encryption system as FileVault 2 in all of its PR information about OS X Lion, within the actual OS there is no reference to a version number. These instructions will use the name FileVault, not FileVault 2, since that's the name you will see on your Mac as you step through the process.

Before setting up FileVault 2, you should double-check all of the user accounts (except the Guest account) on your Mac to ensure that they have passwords. Normally, passwords are a requirement for OS X, but there are a few conditions that sometimes allow an account to have a blank password. Before proceeding, check to be sure that your user accounts are set up correctly, using the instructions in:

FileVault Setup

  1. Launch System Preferences by either clicking the System Preferences icon in the Dock or selecting System Preferences from the Apple menu.
  2. Click the Security & Privacy preference pane.
  3. Click the FileVault tab.
  4. Click the lock icon in the bottom left corner of the Security & Privacy preference pane.
  5. Supply an administrator password, and then click the Unlock button.
  6. Click the Turn On FileVault button.

iCloud or Recovery Key

FileVault makes use of your user account password to allow access to your encrypted data. Forget your password and you could be permanently locked out. For this reason, FileVault allows you to either set up a recovery key or use your iCloud login (OS X Yosemite or later) as an emergency method of accessing or resetting FileVault.

Both methods allow you to unlock FileVault in an emergency. The method you choose is up to you, but it's important that no one else has access to the recovery key or your iCloud account.

  1. If you have an active iCloud account, a sheet will open allowing you to choose whether you wish to allow your iCloud account to be used to unlock your FileVault data, or you'd rather use a recovery key to gain access in an emergency. Make your selection, and click OK.
  2. If your Mac is configured with multiple user accounts, you will see a pane listing each user. If you are the only user of your Mac, you will not see the multiple user option and you can skip to step 6 for those who selected the recovery key option or to step 12 if you selected iCloud as your emergency access method.
  3. You must enable the account of each user that you wish to allow to boot your Mac and unlock the startup drive. It's not necessary to enable every user. If a user doesn't have FileVault access, a user who does have FileVault access must boot the Mac and then switch to the other user's account so that he or she can use the Mac. Most individuals will enable all users with FileVault, but it's not a requirement.
  4. Click the Enable User button for each account you want to authorize with FileVault. Supply the requested password, and then click OK.
  5. Once all of the desired accounts are enabled, click Continue.
  6. FileVault will now display your Recovery Key. This is a special passkey that you can use to unlock your Mac's FileVault encryption if you forget your user password. Write down this key and keep it in a safe place. Don't store the recovery key on your Mac, because it will be encrypted and therefore inaccessible if you need it.
  7. Click the Continue button.
  8. FileVault will now give you the option of storing your recovery key with Apple. This is a last-ditch method for recovering data from a FileVault-encrypted drive. Apple will store your recovery key in an encrypted format, and provide it via its support service; you'll be required to answer three questions correctly in order to receive your recovery key.
  9. You can choose from a number of predefined questions. It is very important that you write down both the questions and the answers exactly as you supplied them; spelling and capitalization count. Apple uses your questions and answers to encrypt the recovery key; if you don't provide the questions and answers exactly as you originally did, Apple will not supply the recovery key.
  10. Select each question from the drop-down menu, and type the answer in the appropriate field. I strongly recommend taking a screen capture or typing and saving an exact copy of the questions and answers shown on the sheet before you click the Continue button. As with the recovery key, store the questions and answers in a safe place other than on your Mac.
  11. Click the Continue button.
  12. You will be asked to restart your Mac. Click the Restart button.

Once your Mac restarts, the process of encrypting the startup drive will begin. You can use your Mac while the encryption process is underway. You can also view the progress of the encryption by opening the Security & Privacy preference pane. Once the encryption process is complete, your Mac will be protected by FileVault the next time you shut down.
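The checks described above (the Recovery HD must be present before you start, and afterwards you want to confirm that encryption is on or still in progress and which users were enabled) can also be run from the command line. The script below is an added example, not part of the original article: it assumes the fdesetup(8) tool, which Apple shipped with OS X 10.8 and later (Lion itself has none, so only the diskutil check applies there), and that `fdesetup list` is run as root.

```shell
#!/bin/sh
# Added example, not from the article: audit FileVault preconditions and state
# from the command line. Assumes fdesetup(8) (OS X 10.8 and later; Lion has no
# fdesetup) and diskutil(8). Parsing is kept separate from command execution so
# the logic can be checked offline against constructed sample output.

# Classify `fdesetup status` output as on / off / in-progress / unknown.
fv_state() {
  case "$1" in
    *"Encryption in progress"*|*"Decryption in progress"*) echo "in-progress" ;;
    *"FileVault is On"*)  echo "on" ;;
    *"FileVault is Off"*) echo "off" ;;
    *)                    echo "unknown" ;;
  esac
}

# Percent-complete figure from an in-progress status, or empty if none.
fv_percent() {
  printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p'
}

# User names from `fdesetup list` output (one "user,UUID" line per enabled user).
fv_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 { print $1 }'
}

# True if `diskutil list` output shows an Apple_Boot "Recovery HD" volume,
# the precondition the article gives for turning FileVault on.
has_recovery_hd() {
  printf '%s\n' "$1" | grep -q 'Apple_Boot *Recovery HD'
}

# Live audit when run on a Mac; `fdesetup list` needs root, so run with sudo.
audit() {
  if command -v diskutil >/dev/null 2>&1; then
    if has_recovery_hd "$(diskutil list)"; then echo "Recovery HD: present"
    else echo "Recovery HD: MISSING (FileVault cannot be enabled)"; fi
  fi
  if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status)
    state=$(fv_state "$status")
    echo "FileVault: $state"
    [ "$state" = "in-progress" ] && echo "Progress: $(fv_percent "$status")%"
    echo "FileVault-enabled users:"
    fv_users "$(fdesetup list 2>/dev/null)" | sed 's/^/  /'
  fi
}

audit
```

On a machine without these tools the live audit prints nothing, but the parsing functions can still be exercised against saved command output.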

Starting From the Recovery HD

Once you enable FileVault 2, the Recovery HD will no longer appear in your Mac's Startup Manager (which is accessible if you hold down the option key when you start your Mac). After you enable FileVault 2, the only way to access the Recovery HD is to hold down the command + R keys during startup.