Long-time readers of the Rocket Yard have probably heard us mention Apple’s FileVault Encryption, which is a way to encrypt the startup disk on your Mac. In this Mac 101 article, we’ll take a detailed look at FileVault, how it works, things to watch out for when using it, and why owners of Mac laptops should consider using FileVault. The current implementation of FileVault is known as FileVault 2 — for the purpose of brevity in this post, it will just be called FileVault.
What’s Encryption?
When a Mac stores information on a hard disk drive (HDD) or solid-state drive (SSD), it is generally written in a format that can be easily read by anyone with a computer. In other words, if someone stole a Mac, removed the unencrypted startup disk, and connected it to another computer with the proper cable, they would have access to read all of the files on that computer. Encrypting the disk means that the information stored on it is encoded using an algorithm (also known as a cipher) that scrambles the data and makes it readable only by someone holding a decryption key. That “key” can be a password or some biometric means of identification.
How Good Is FileVault Encryption?
FileVault uses an encryption method known as “XTS-AES-128 encryption with a 256-bit key” to encode the information on a disk. That method is quite secure; a Wikipedia search showed that “Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.” It is very unlikely that a typical laptop thief could break FileVault encryption before the end of the universe, by which time the information stored on the disk would be quite irrelevant anyway.
What Macs Can Use FileVault Encryption?
FileVault is actually a feature of Mac OS X and macOS, not a hardware function. Beginning with Mac OS X 10.7 “Lion” and continuing up to the present-day macOS 10.14 “Mojave”, FileVault has been available for anyone who wishes to have the best possible physical security for their information. Many corporations have a policy of requiring employees with MacBooks to enable FileVault, and it’s an excellent security measure for anyone using one of Apple’s laptops.
How to Enable FileVault
When FileVault is turned on, you’ll need to use your account password or Touch ID to log into your computer. It is not possible to set a FileVault-enabled Mac to log in automatically with no password.
Here’s how to enable FileVault:
- Launch System Preferences from the Apple menu > System Preferences, from the macOS Dock, or from the Applications folder.
- Click the Security & Privacy button.
- Click the FileVault tab.
- Click the lock icon (🔒), then enter an administrator name and password.
- Click “Turn On FileVault…” (see screenshot below)
If there are multiple user accounts set up on this Mac, a message appears saying that “Each user must type in their password before they will be able to unlock the disk” (see screenshot below). For each user, click the Enable User button, then enter the user’s password. Any user accounts added after FileVault is enabled are automatically set up to use FileVault.
Next, you need to decide how you want to be able to unlock your disk and reset your password if you ever forget that password.
There are three different ways to do this:
- For Mac OS X 10.10 “Yosemite” and later, you can choose to use your iCloud account to unlock the disk and reset your password.
- For Mac OS X 10.9 “Mavericks” only, you can choose to store a FileVault recovery key with Apple. To unlock that recovery key and make it possible to unlock the disk, you must provide three security questions and the answers…all of which you need to remember.
- You can create a local recovery key. You do NOT want to save this recovery key on your encrypted startup disk. Instead, it should be saved somewhere else safe, like printed and stored in a personal safe or safety deposit box or stored in the Notes app on an iPhone or iPad in a password-protected note.
Apple makes a point of letting you know that if you lose both your account password and the FileVault recovery key, you will not be able to log in to the Mac or access the data on the startup disk. This is important to remember!
What Happens Once FileVault Is Enabled?
Once FileVault is enabled, it encrypts the startup disk as you use the Mac but only when the computer is awake and connected to AC power. That’s important to note — FileVault will not encrypt a MacBook’s disk when the computer is asleep or on battery power.
To check the progress of FileVault encryption, just look at the FileVault tab of Security & Privacy Preferences. As you create new files, they’re automatically encrypted while being written to the startup disk.
After FileVault has finished encrypting the startup disk and you restart the Mac, entering your account user ID and password unlocks the disk and lets the Mac finish startup.
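The enabling procedure and the progress check above are both done through the Security & Privacy pane. For an added example (not from the Rocket Yard article), here is the same information pulled from Apple's `fdesetup` command-line tool, which is what a practitioner would script to audit a fleet of Macs: whether FileVault is on, whether encryption or decryption is still running, which users can unlock the disk, and whether a personal recovery key exists. The parsing functions work on any system; the exact wording they match is what `fdesetup status` and `fdesetup list` printed on macOS 10.13 and 10.14, which is an assumption (later releases may phrase it differently), and the sample output in the demo is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example, not part of the Rocket Yard article: a small FileVault audit
# built on Apple's fdesetup(8). fv_state() and fv_users() only parse text, so
# they can be exercised anywhere; fv_audit() runs the live commands on a Mac.
# The strings matched below are what fdesetup printed on macOS 10.13-10.14
# (assumption; later releases may word them differently).

# Classify the output of `fdesetup status`. Prints exactly one of:
#   on | off | encrypting:<percent> | decrypting:<percent> | unknown
fv_state() {
    text=$1
    # "Percent completed = 42." is present only while a conversion is running
    pct=$(printf '%s\n' "$text" | sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p' | head -n 1)
    case "$text" in
        *"Encryption in progress"*) printf 'encrypting:%s\n' "${pct:-?}" ;;
        *"Decryption in progress"*) printf 'decrypting:%s\n' "${pct:-?}" ;;
        *"FileVault is On"*)        printf 'on\n' ;;
        *"FileVault is Off"*)       printf 'off\n' ;;
        *)                          printf 'unknown\n' ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user;
# return just the usernames, one per line.
fv_users() {
    printf '%s\n' "$1" | cut -d, -f1
}

# Live checks. fdesetup exists only on macOS, and list/haspersonalrecoverykey
# need root, so this is guarded and uses sudo.
# Exit status 0 means the startup disk is fully encrypted (state "on").
fv_audit() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "fv_audit: fdesetup is only available on macOS" >&2
        return 2
    fi
    state=$(fv_state "$(fdesetup status)")
    echo "FileVault state: $state"
    echo "Users who can unlock the startup disk:"
    fv_users "$(sudo fdesetup list)" | sed 's/^/  /'
    echo "Personal recovery key set: $(sudo fdesetup haspersonalrecoverykey)"
    [ "$state" = "on" ]
}

# Demo on constructed (not captured) fdesetup output, so it runs anywhere:
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 42.'
echo "sample status -> $(fv_state "$SAMPLE_STATUS")"     # encrypting:42
echo "sample users:"
fv_users 'alice,F1E2-0000-CONSTRUCTED
bob,A9B8-0000-CONSTRUCTED' | sed 's/^/  /'

# On a real Mac, audit the live system:
if [ "$(uname -s)" = "Darwin" ]; then fv_audit; fi
```

A non-zero exit from `fv_audit` is the signal a fleet check wants: a laptop reporting `off` or `encrypting:<n>` for days is usually one that has been left asleep or on battery, which is exactly the condition the section above warns about. The same tool can also rotate the personal recovery key in place with `sudo fdesetup changerecovery -personal`, which avoids the full decrypt-and-re-encrypt cycle of turning FileVault off and on.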
How To Change the FileVault Recovery Key
To change the recovery key for the startup disk, turn off FileVault in Security & Privacy preferences. Turn it on again, and a new key is generated. All older keys are disabled.
How to Reset Your Password Using the Reset Password Assistant
In the unlikely event that you forget your account password or it just doesn’t work, there’s a way to try to reset your password using the Reset Password Assistant. This assistant only appears if FileVault is enabled.
To reset your password:
- Once the Mac has been turned on or restarted, wait (it could take up to one minute) until a message appears saying that you can use the power button on your Mac to shut down and then start up again in Recovery Mode. If this message doesn’t appear, then FileVault isn’t on.
- Press and hold the power button until the Mac turns off.
- Press the power button again to turn the Mac back on.
- The Reset Password window appears. Follow the instructions on the screen to create a new password (see screenshot below)
- Once a new password has been created, click Restart to restart the Mac.
- Now you should be able to log into the account with the new password. You may need to create a new login keychain if you see an alert that the system was unable to unlock your login keychain. Usually, a Create New Keychain button appears in the alert, and clicking it resolves the issue.
How to Reset Your Password Using a FileVault Recovery Key
When FileVault is enabled and you have a FileVault Recovery Key, that key can be used to reset your password.
- Keep trying to enter a password at the login screen until a message is displayed saying that you can reset your password using the Recovery Key. That message will not appear if FileVault is disabled.
- Next to the message is a small triangle button; click it, and the password field changes to accept a Recovery Key.
- Enter the Recovery Key using uppercase characters, and be sure to include the hyphens in the key.
- Follow the onscreen instructions outlining how to create a new password, then click Reset Password.
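The key has to be entered in uppercase with its hyphens, and the only time you find out that a stored copy is wrong is when you need it. As an added example (not from the Rocket Yard article), the script below puts a key copied from a note back into that canonical form and, on a Mac, hands it to Apple's `fdesetup validaterecovery`, which reports `true` or `false` without changing anything. It assumes Apple's personal recovery key format of 24 characters from A-Z and 0-9 in six hyphen-separated groups of four; the key used in the demo is constructed, not a real one.

```shell
#!/bin/sh
# Added example, not part of the Rocket Yard article: normalise a FileVault
# personal recovery key and confirm it still works before it is needed.
# Format assumed: 24 characters, A-Z and 0-9, as ABCD-EFGH-IJKL-MNOP-QRST-UVWX.

# Print the key as uppercase groups of four joined by hyphens, the way the
# login screen wants it; exit 1 if, after dropping spaces and punctuation,
# it is not exactly 24 alphanumeric characters (no padding or guessing).
fv_normalize_key() {
    bare=$(printf '%s' "$1" | tr -cd '[:alnum:]' | tr '[:lower:]' '[:upper:]')
    [ "${#bare}" -eq 24 ] || return 1
    printf '%s\n' "$bare" | sed 's/\(....\)/\1-/g; s/-$//'
}

# On macOS, `sudo fdesetup validaterecovery` prompts for a recovery key and
# prints "true" if it would unlock the startup disk, "false" otherwise.
# Nothing is modified. Paste the canonical form printed first when prompted.
fv_validate_key() {
    key=$(fv_normalize_key "$1") || { echo "fv_validate_key: malformed key" >&2; return 2; }
    echo "canonical form: $key"
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "fv_validate_key: fdesetup validaterecovery is only available on macOS" >&2
        return 2
    fi
    sudo fdesetup validaterecovery
}

# Demo with a constructed key as it might come back from a lowercase,
# space-separated note:
fv_normalize_key 'abcd efgh ijkl mnop qrst uvwx'     # ABCD-EFGH-IJKL-MNOP-QRST-UVWX
# A truncated copy is rejected rather than silently padded:
if fv_normalize_key 'abcd-efgh-ijkl' >/dev/null; then
    echo "unexpected: short key accepted"
fi
```

Running `fv_validate_key` against the copy in your safe (or password-protected note) once a year is a cheap way to make sure the recovery path the section above describes actually exists when the account password is gone.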
If you still can’t log in with the new password after the Mac has been restarted, try these additional steps:
- Restart the Mac again and enter Recovery Mode by pressing Command ( ⌘ ) – R or one of the alternate keyboard shortcuts (Option – ⌘ – R or Shift – Option – ⌘ – R). Release the keys when the Apple logo, a spinning globe, or a firmware password prompt appears. The macOS Utilities window appears (see screenshot below)
- You don’t want to select any of the utilities that are listed. Instead, select Utilities > Terminal from the menu bar.
- In the Terminal window, type “resetpassword” (no quotes) and press Return to open the Reset Password Assistant. On the Assistant screen, click the radio button next to “My password doesn’t work when logging in”, then click Next and follow the instructions to reset the password for your user account.
How To Disable FileVault
When you’re going to sell or turn over a computer to another person and you’ve enabled FileVault, you’ll want to disable it as the new owner will not know the password. It’s a much better idea, in this case, to reinstall macOS over the existing copy using Recovery Mode and the Reinstall macOS command as seen in the screenshot above. However, if you do need to actually disable FileVault, it’s quite simple.
- Launch System Preferences, click the Security & Privacy button.
- Click the FileVault tab.
- Click the lock (🔒) and enter an administrator name and password.
- Click Turn Off FileVault.
Now give the Mac time to decrypt the startup disk. As with the encryption process, this usually takes place in the background as the Mac is being used, and the Mac must be plugged into AC power. Like the encryption process, decryption progress can be checked in the FileVault section of System Preferences.
When You Can’t Enable FileVault
There are some situations that prevent the enabling of FileVault, and those are situations where a local Recovery System (also known as macOS Recovery) is not installed on a Mac. FileVault requires a Recovery System to encrypt the startup drive.
What will cause macOS to install without a Recovery System? Generally, it happens in two circumstances: first, when RAID partitions have been created on the startup drive, or second, when a non-standard Boot Camp partition is on the startup drive. In both of those situations, it is necessary to remove either the RAID partitions or the non-standard Boot Camp partition before re-installing macOS with a Recovery System.
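Before erasing anything, it is worth confirming which of the two conditions applies. As an added example (not from the Rocket Yard article), the script below reads the text of `diskutil list` and reports whether a Recovery System is present and whether RAID members or a Boot Camp partition are on the disk. The volume and partition type names it looks for are those `diskutil` printed on macOS 10.13 and 10.14 (an APFS volume named Recovery, the HFS+-era `Apple_Boot Recovery HD`, `Apple_RAID` members and `Microsoft Basic Data` for Boot Camp), which is an assumption about that output; the two listings in the demo are constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example, not part of the Rocket Yard article: a pre-flight check for
# the conditions that stop FileVault from being enabled. fv_preflight() reads
# `diskutil list` output on stdin, so it can be tested on a saved listing.
# Type names assumed from macOS 10.13-10.14 diskutil output.

# Prints "ok" (exit 0) when a Recovery System is present, otherwise
# "blocked:<comma-separated findings>" (exit 1).
fv_preflight() {
    listing=$(cat)
    findings=""
    if printf '%s\n' "$listing" | grep -Eq 'APFS Volume +Recovery|Apple_Boot +Recovery HD'; then
        echo "ok"
        return 0
    fi
    findings="no-recovery-system"
    # RAID member partitions: macOS will not install a Recovery System here
    if printf '%s\n' "$listing" | grep -q 'Apple_RAID'; then
        findings="$findings,raid-partition"
    fi
    # A Windows partition is fine if Boot Camp Assistant made it; flag it so
    # a hand-modified one can be investigated
    if printf '%s\n' "$listing" | grep -q 'Microsoft Basic Data'; then
        findings="$findings,bootcamp-partition"
    fi
    echo "blocked:$findings"
    return 1
}

# Constructed listing (not from a real machine) for a healthy Mojave disk:
SAMPLE_OK='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.1 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.1 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            250.0 GB   disk1s1
   2:                APFS Volume Preboot                 45.0 MB    disk1s2
   3:                APFS Volume Recovery                510.0 MB   disk1s3
   4:                APFS Volume VM                      2.1 GB     disk1s4'

# Constructed listing for a RAID startup disk with no Recovery System:
SAMPLE_RAID='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_RAID                         500.0 GB   disk0s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk0s3

/dev/disk2 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *1.0 TB     disk2'

printf '%s\n' "$SAMPLE_OK"   | fv_preflight        # ok
printf '%s\n' "$SAMPLE_RAID" | fv_preflight        # blocked:no-recovery-system,raid-partition

# On a real Mac, check the live system:
if [ "$(uname -s)" = "Darwin" ]; then diskutil list | fv_preflight; fi
```

If the live check prints `ok` and FileVault still refuses to turn on, the cause is something other than the two this section names; if it prints `blocked`, the findings list tells you which partition layout has to go before macOS is reinstalled.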
My encrypted iMac failed as I was using it. Will the hard drive revert back to the encrypted mode? I plan on recycling the iMac and do not want the hard disk to be readable.
Thanks
I am not an IT and I had the same problem with a newish MacBook Air. My MacBook Air had used FileVault and so my external backups on an external disc were also encrypted. I tried connecting my backup disc to my old MB Pro but was unable to open the backup disc. I took my MB Air to a local facility who removed the processor from the dead MB Air and installed it in an old used MB A. Using my password they were able to decrypt the processor, and then sold me the used MBAir for very little in lieu of repair costs. I was then able to transfer all my data from the used MB A to my old MacBook Pro and later to a new MacBook Pro.
Steve
I am running into an issue as my Mac died. I tried to take the disk out of the dead Mac and use an SSD enclosure to plug it in externally to another Mac. In order to mount the drive, it’s asking me for the password, as the disk was encrypted using FileVault. When I enter the password for the old Mac (which I know is correct), I get the error that the password is incorrect or the user doesn’t exist. Does it have anything to do with FileVault? How do I recover data from such a drive that was FileVault protected when the computer went poof? Any help much appreciated.
Hi,
I have exactly the same problem, with all my Ph.D. work on the laptop and an inaccessible copy on a corrupted external HD…
Please Steve could you try to help us?
Umberto
Hi. Quick question. Will the encryption take up more space? I just purchased a MacBook Air with not much memory, so I am being careful of what I put in it. Would using FileVault use up more space? Thank you!
My MacBook Pro is asking me to disable FileVault just to move forward in Recovery Mode.
It says: if you were unable to use your keyboard to type your password, it may not be compatible with FileVault. Try entering the password with another keyboard or disable FileVault.
Do I really want to do that? I’ve done it before and I got a restart, and it still will not allow me to type in my password.
Something is seriously wrong with my machine and I don’t know what to do. I can’t afford to go to the Genius Bar right now, unfortunately, and I need my computer for work. I lent it out to a colleague; I will never do that again.
Could you please explain the recovery procedure for FileVault using the FileVaultMaster key (known as the Institutional Recovery Key (IRK))?
Steve, when I tried to encrypt my start up disk I received the message, “FileVault cannot be used on this system and operating version.” I’m running the current version of Mojave (10.14.6) so I’m confused as to why it won’t allow me to encrypt.
I do have Time Machine running so does that interfere with encryption? Also, in your article at the end you mentioned two instances that may cause this to happen; RAID partitions being created or a non-standard Boot Camp partition…how do we determine if either of those apply to the situation?
Hi, Jerry –
According to Apple, “RAID partitions or non-standard Boot Camp partitions on the startup drive might prevent macOS from installing a local Recovery System. Without a Recovery System, FileVault won’t encrypt your startup drive.”
Is your startup disk part of a RAID set? If it is, you’ll need to erase the disk, get rid of the RAID partitions, then reinstall macOS — all in all, not a lot of fun. You can use Disk Utility to determine if the startup disk is part of a RAID set — if it is, it will show multiple (at least two) partitions for the startup disk.
The non-standard Boot Camp partition is a bit more difficult to identify. If the Boot Camp partition was modified outside of Boot Camp Assistant or added after using Boot Camp Assistant, you won’t be able to get FileVault to encrypt the startup volume. Once again, the only way to fix the issue is to erase the disk — INCLUDING the Boot Camp partition — then reinstall macOS and use Boot Camp Assistant to create the new Boot Camp partition.
Hope this helps!
Steve
Steve, not sure what happened, but after erasing my startup drive (SSD) and selecting “Reinstall” to reinstall macOS and following the instructions (i.e., hold the power button until the long tone), once the installation began it looked fine… 12 hours later it still had the same icon on the screen (bottom side of a mouse with an arrow pointing up next to the on button, with a spinning gear) and the OS still was not installed, so I shut down the computer and tried starting as normal, and it returned to the installation screen as before. So now I can’t start my computer, and the keyboard does not respond in this mode either. How do I fix this mess?
I am presently running macOS Mojave. When FileVault encryption is turned on, does it in any way interfere with Time Machine backups? Thank you.
I backed up my MacBook Air without turning off FileVault. That relatively new MacBook battery went bad. I took it to an Apple-approved repair facility for a new battery, but when changing the battery a problem with the motherboard was found. I am waiting now for a new motherboard. In the meantime I loaded the latest backup onto an old MacBook Pro. I did not know that FileVault acts within the startup disc, but I haven’t found a way to open the files on the Pro. When my MacBook Air is repaired I assume I will be able to decrypt the Documents. In the meantime, is there a way I can unlock the FileVault-encrypted Documents on the MacBook Pro using the recovery key?
Hi,
I’ve used FileVault for full-disk encryption with a long password and a shorter user password.
I think since version 10.13 High Sierra, macOS doesn’t require me to enter the FileVault password, as the user password will automatically unlock the encrypted drive.
How can I force it to ask for the FileVault password before getting to the user password, like before and like the BitLocker/user password?
Thanks
I can’t log in on my iMac after reinstalling using the OS X installation disk. Every time I have tried logging in, a message comes up reading: “I can’t log in to that account at the moment because FileVault has an error.” I changed the password and still tried to log in, but a similar problem occurred. I have tried starting in Recovery Mode, but it has failed.
What can I do?
Please help.
Thanks
I turned on FileVault on a 1TB SSD with about 500GB used. It took well over 24 hours to do maybe half of the drive. Then I did a little searching, and I found that the initial FileVault encryption is heavily throttled if the computer is idle. I downloaded a program called “Jiggler” by Stick Software that makes the computer think the mouse is being moved. Once I started that up, the other half of the FileVault encryption took less than an hour.
The amount of time it would take to encrypt or decrypt 1TB of data makes Filevault pretty useless.
Can you encrypt only designated folders, leaving non-sensitive data “read & write Everyone”
“4) The Reset Password window appears. Follow the instructions on the screen to create a new password (see screenshot below)” — what exactly ARE those instructions? It looks like anyone can do this, so where is the security?
Great article. Thanks. Now, a T2 sequel would be great. Albeit for me, the best would be if T2 encryption was not the default but decided by the user.
I think FileVault is vital for those (like me) who keep updated clones of their startup drives for backups or disasters. External drives like mine (in OWC On-The-Go enclosures) would be very easy to steal, and just as easy to lose or misplace. Having FileVault enabled on those drives is every bit as important (or more so) than just turning it on for the internal startup disk.
What I’d love to see is giving FileVault the ability to encrypt external drives.
I had to start up my computer(s) from each of their external drives to encrypt them with FileVault. And those external drives are s-l-o-w compared to the internal drive (even SSDs on a USB 3 bus). Encrypting about 260GB of data on 500GB drives took about 52 hours! And that was just letting FileVault do its thing and not doing anything else on the computer!
If one wishes to enable FileVault, one should start with a drive that has only the Operating System without any other files. It goes much, much faster. Assuming one has a good clone of their startup disk on another drive, one can then simply “restore” all their applications, files and data after the encryption is complete.