Full Disk Encryption

Full Disk Encryption in Mac OS X Mountain Lion is a major update over the version in Mac OS X Lion. The Mac OS X Lion version of FileVault could only encrypt the boot drive. It was possible to encrypt an external drive in Mac OS X Lion, but the process was destructive and any data on the drive was lost. CoreStorage, the "behind the scenes" volume manager for FileVault, was updated for Mac OS X Mountain Lion and can encrypt and decrypt external hard drives nondestructively.

Enabling encryption on a hard drive is not an instant process, as FileVault 2 encrypts every block of the drive, including unused space. The time it takes to enable encryption will depend on the speed and size of the drive.

To activate Full Disk Encryption for the boot drive:
  • Click on the Apple menu in the upper right-hand corner of the screen
  • Click on "System Preferences"
  • Click on "Security & Privacy"
  • Click on the "FileVault" tab
  • Click the "Turn On FileVault..." icon.
    Note: You may need to click the lock in the lower-left-hand corner and enter an administrative account and password to unlock the FileVault system preference pane.

Here is what the "Turn On FileVault..." process looks like:
  • FileVault presents a recovery key. This can be used to unlock the disk if you forget your password.
    • Make sure you take a screenshot and print the page, or write it down and keep it in a safe place.

  • You can have Apple store the recovery key for you.
    • If you decide to do this, you will have to enter three security questions.
    • In the event you forget your password and your recovery key, and you chose to store it with Apple, you can contact AppleCare, answer these three questions, and Apple will provide you with the forgotten password.
    • Note: The recovery key is encrypted with the three security questions when it is stored at Apple. If you are unable to answer these questions, Apple CANNOT unlock the recovery key.

  • Click "Restart" to restart the Mac and begin the encryption process

  • Your Mac will restart
    • Almost instantly after restarting, you will be presented with a window that looks like the login screen. After you enter your account password correctly, your Mac will finish booting, log in, and begin the encryption process.
      Note: You will have to enter your account password every time you restart or power-on your Mac with FileVault enabled.

      Note: Normally you will not be provided with any indication of the encryption process. We went back to the FileVault preference pane to see the progress.
    • The encryption process time will vary depending on the size, speed, and remaining capacity of your boot drive. You can use the computer during the encryption process.
To encrypt a volume other than your boot volume:
  • Open a Finder window
  • Right-click, two-finger click, or control-click on the volume and select Encrypt "(drive name)"

  • You will be prompted to enter an Encryption password and hint

  • The encryption process begins. Unfortunately, there is no indication of how long the encryption will take. This may be fixed in a future update.
  • To verify whether a drive has encryption enabled, you can right-click, two-finger click, or control-click on the volume and select "Get Info".
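
Since the Finder shows no progress, the CoreStorage state can also be read from Terminal. This is an added example, not part of the original article: a shell function that condenses `diskutil cs list` output into one line per volume. The field labels and layout in the sample are assumed to match what Mountain Lion prints, and the sample data is constructed.

```shell
# Added example: summarise CoreStorage (FileVault 2) encryption state.
# Input: text of `diskutil cs list` on stdin. Output, one line per volume:
#   <volume name>|<conversion status>|<fully secure>|<percent converted>
cs_encryption_report() {
    awk '
    { sub(/^[ |+<>-]*/, "") }               # drop the tree-drawing prefix
    /^Conversion Status:/  { sub(/^[^:]*: */, ""); status = $0 }
    /^Fully Secure:/       { sub(/^[^:]*: */, ""); secure = $0 }
    /^Size \(Total\):/     { total = $3 }   # byte count is the 3rd field
    /^Size \(Converted\):/ { conv = $3 }    # may be "-none-" once finished
    /^Volume Name:/ {
        sub(/^[^:]*: */, "")
        pct = (total > 0) ? int(conv * 100 / total) : 0
        if (status == "Complete") pct = 100
        printf "%s|%s|%s|%d%%\n", $0, status, secure, pct
        total = 0; conv = 0
    }'
}

# Names of volumes whose family is not "Fully Secure: Yes" (still
# converting, or never encrypted). Empty output means all are done.
cs_not_fully_secure() {
    cs_encryption_report | awk -F'|' '$3 != "Yes" { print $1 }'
}

# Constructed sample (placeholder UUIDs, invented sizes), laid out the
# way `diskutil cs list` is assumed to print it.
sample_cs_list() {
    cat <<'EOF'
CoreStorage logical volume groups (2 found)
+-- Logical Volume Group 11111111-AAAA
|   Name:         Macintosh HD
|   +-> Logical Volume Family 22222222-BBBB
|       Conversion Status:       Converting
|       Fully Secure:            No
|       +-> Logical Volume 33333333-CCCC
|           Size (Total):          200000000000 B (200.0 GB)
|           Size (Converted):      74000000000 B (74.0 GB)
|           Volume Name:           Macintosh HD
+-- Logical Volume Group 44444444-DDDD
    +-> Logical Volume Family 55555555-EEEE
        Conversion Status:       Complete
        Fully Secure:            Yes
        +-> Logical Volume 66666666-FFFF
            Size (Total):          500000000000 B (500.0 GB)
            Size (Converted):      -none-
            Volume Name:           Backup
EOF
}
sample_cs_list | cs_encryption_report
```

On a Mac, replace the last line with `diskutil cs list | cs_encryption_report` to read the live state.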