Since 2011, Apple has used the term “FileVault” to refer to full-disk encryption (FDE), starting with Mac OS X 10.7 Lion. Earlier on, FileVault used a read/write-heavy encryption process with a lengthy initial encryption time and a slight, though rarely noticeable, performance cost afterwards.
FileVault provides three important safeguards against someone who gains physical access to your computer, even a thief who has your Mac and unlimited time to try to break in.
First, when your Mac is not in use, the drive is fully encrypted. The encryption keys are protected by your account password, so an intruder who tries to break into the system, or who physically removes the hard drive (or, on later Macs, the Fusion Drive or SSD), is completely blocked.
Second, during startup the drive on your Mac cannot be accessed unless a correct account password or Recovery Key is entered. One weakness remains: if you chose to escrow your Recovery Key with Apple, anyone with access to your Apple ID account could retrieve that key, which could potentially unlock your Mac’s drive. (Note that with FileVault enabled, your Mac boots into recoveryOS, a partition that also assists with macOS reinstallation and problem recovery.)
Can’t locate your Recovery Key? See “How to locate your FileVault recovery key in macOS.” Not sure your Recovery Key is still valid? Follow the steps in “How to check if your macOS FileVault Recovery Key is current.”
Third, after the drive is unlocked and macOS has booted, the normal Mac login security still applies: a person needs an account password to log in. Attackers have occasionally found ways to bypass the login screen, but these vulnerabilities are usually short-lived and quickly patched by Apple, and they cannot be triggered remotely; they require physical access to the locked computer.
Beginning with the Intel Macs that include the T2 Security Chip, Apple built encryption into the core of macOS: the internal startup volume is always encrypted, and that encryption cannot be turned off. The same is true of all M-series Apple silicon Macs. If you use an external volume, enabling FileVault encrypts it as well, which can be quick with a newer SSD.
On Intel Macs with a T2 chip and on all M-series Macs, FileVault therefore adds protection only at the second step above. With FileVault turned off, the computer unlocks the drive automatically at startup and proceeds to the login screen.
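The three-layer picture above translates into a simple audit: which generation of Mac you have, and whether FileVault is on, together determine whether a removed or stolen drive is readable. The script below is an added example (not from this article or from Apple) that classifies a Mac’s data-at-rest posture that way; it assumes the standard `fdesetup status`, `system_profiler SPHardwareDataType` and `system_profiler SPiBridgeDataType` output formats, and the parsing functions take that output as text so they can also be exercised with the constructed samples included here.

```shell
#!/bin/sh
# Map 'fdesetup status' text to on|off|unknown.
fv_state() {
  case "$1" in
    *"FileVault is On."*)  echo on ;;
    *"FileVault is Off."*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# Classify hardware from 'system_profiler SPHardwareDataType' ($1) and
# 'system_profiler SPiBridgeDataType' ($2): apple_silicon, t2, or legacy.
platform_class() {
  case "$1" in *"Chip: Apple M"*) echo apple_silicon; return ;; esac
  case "$2" in *"Apple T2 Security Chip"*) echo t2; return ;; esac
  echo legacy
}

# Combine platform and FileVault state into the posture described in the article:
# T2/M-series volumes are always encrypted but auto-unlock at boot without FileVault;
# a legacy Mac with FileVault off stores data in plaintext.
posture() {
  case "$1:$2" in
    *:on)        echo "encrypted; password or Recovery Key needed before boot" ;;
    legacy:off)  echo "plaintext at rest; a removed drive is readable" ;;
    t2:off|apple_silicon:off)
                 echo "encrypted at rest, but auto-unlocked at startup; login screen is the only gate" ;;
    *)           echo "undetermined" ;;
  esac
}

# Constructed sample outputs (not captured from a real machine) for a dry run.
SAMPLE_HW_INTEL='      Model Identifier: MacBookPro15,1'
SAMPLE_BRIDGE_T2='      Model Name: Apple T2 Security Chip'
SAMPLE_FV_OFF='FileVault is Off.'

report() {  # $1 hardware text, $2 bridge text, $3 fdesetup text
  plat=$(platform_class "$1" "$2"); fv=$(fv_state "$3")
  printf 'platform=%s filevault=%s\nposture: %s\n' "$plat" "$fv" "$(posture "$plat" "$fv")"
}

# Query the live system only on macOS; elsewhere, show the constructed sample.
if [ "$(uname -s)" = "Darwin" ]; then
  report "$(system_profiler SPHardwareDataType 2>/dev/null)" \
         "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
         "$(fdesetup status 2>/dev/null)"
else
  report "$SAMPLE_HW_INTEL" "$SAMPLE_BRIDGE_T2" "$SAMPLE_FV_OFF"
fi
```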
Individuals have different security requirements. If you are not worried that your computer could be taken by someone with advanced hacking capabilities, such as a government agency, enabling FileVault may not be necessary. FileVault does carry a risk: you will need your Recovery Key to get into your Mac if the account data on the recoveryOS becomes corrupted. (See “How to unlock your Mac with its Recovery Key and FileVault active.”) I frequently receive emails from people who have misplaced their Recovery Key and, out of security concerns, did not use Apple’s iCloud escrow.
If you are confident you can keep accurate records, or you trust iCloud’s escrow service, and you want to ensure that a stolen or compromised Mac will never reveal your personal information and other confidential data, turning on FileVault offers an additional layer of security.
This Mac 911 post was written to address a query from Derek, a reader of Macworld.
Ask Mac 911
Our super FAQ contains the most commonly asked questions and their corresponding answers and column links. Check it out to see if your question is already addressed. If not, we are always open to tackling new problems! Send your question, along with any necessary screenshots, to [email protected]. Please indicate if you would like your full name to be used. Please note that we may not be able to answer every question, we do not respond to emails, and we are unable to offer direct troubleshooting assistance.